Cyberweapon targets Middle East bank accounts

  @DavidGoldmanCNN August 9, 2012: 12:12 PM ET
Kaspersky Lab discovered and publicized Gauss, a cyberweapon targeting banks accounts in the Middle East

Code from the Gauss virus, a new cyberweapon that attacks bank accounts.

NEW YORK (CNNMoney)

A new cyberweapon that secretly steals bank account information from its victims was exposed on Thursday.

The sophisticated malware, discovered by Internet security company Kaspersky Labs, has been capturing online bank account login credentials from its victims since September 2011. There's no evidence it's been used to steal any money. The virus instead appears to be a spy interested in tracking funds: It collects banking login information, sends it back to a server, and quickly self-destructs.

Dubbed "Gauss," a name taken from some of the unique file names in its code, the malware appears to be a cyber-espionage weapon designed by a country to target and track specific individuals. It's not known yet who created it, but Gauss shares many of the same code and characteristics of other famous state-sponsored cyberweapons, including Stuxnet, Duqu and Flame.

Those viruses are widely believed to have been developed by the U.S. government. But unlike Stuxnet and Flame, which targeted an Iranian nuclear facility and spied on Iran's government officials, Gauss seems to have primarily gone after people in Lebanon.

Of the 2,500 or so discovered instances of Gauss across the world, about 1,660 of them were found in Lebanon. The virus is specifically designed to target customers of Lebanese banks, as well as Citibank (C, Fortune 500) and eBay's (EBAY, Fortune 500) PayPal, which are widely used in Lebanon.

Kaspersky also found 483 instances of Gauss in Israel and 261 in the Palestinian territories. Only 43 Gauss instances were found to be in the United States, and just a handful were discovered in other parts of the world.

When certain regions are specifically targeted, that's a telltale marker that a piece of malware has been created by a government. Viruses developed by financially motivated criminals are designed to target as many people as possible.

Related story: The cyber Cold War is raging

Another sign that a government is behind the attack: Gauss doesn't self-propagate. Kaspersky couldn't figure out how it got onto the targeted systems in the first place. Gauss destroys itself once it has done the damage -- more evidence that this is no ordinary computer virus.

Gauss is likely the first state-sponsored cyberweapon to specifically target bank accounts, Kaspersky said. Though most malware goes after financial information in one form or another, that's not something government-sponsored cyber attackers have typically been interested in.

Gauss's goal isn't known, but its activation date might be a hint: It launched on September 1, 2011, the same date that cyber-espionage weapon Duqu was publicly discovered. Vitaly Kamlyuk, a senior antivirus expert at Kaspersky Lab, said that it's possible that after Duqu was found, the developers just took out another arrow from their quiver.

"We don't know if Gauss took the place of Duqu, but it's a strong possibility," he said.

Kasperky labs found Gauss in May, when it was commissioned by the United Nations' International Telecommunication Union to look for malicious applications similar to the potent Flame virus discovered earlier this year. Like Flame, Duqu and Stuxnet, Gauss is written in a computer language called "C," and it shares a similar structure and code base. The biggest tip-off: Gauss and Flame both contain the exact same line "?Avnxsys_uwip@@".

Gauss is even "more intelligent" than Flame, Kamlyuk thinks. It exploits a vulnerability found in Microsoft (MSFT, Fortune 500) Windows to break into a user's browser. Even if a user shuts off Windows' "auto-run" feature, Gauss will start up when the computer boots and go on the attack.

One Gauss function remains a mystery: It's got an encrypted payload Kasperky hasn't cracked.

"The payload is run by infected USB sticks and is designed to surgically target a certain system (or systems) which have a specific program installed," the company wrote in its analysis. "One can only speculate on the purpose of this mysterious payload."

The company has called on cryptography experts to try to crack the code.

"This is a cyberweapon, and we don't know hot it could be used," said Kamlyuk. "It could be used to cause a big disaster."

Gauss was uncovered just months after Flame's discovery. Brace for more: Now that researchers know what to look for, Kamlyuk said he expects analysts to find many additional pieces of Gauss-like state-sponsored malware out in the wild. To top of page



Join the Conversation

Market indexes are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer LIBOR Warning: Neither BBA Enterprises Limited, nor the BBA LIBOR Contributor Banks, nor Reuters, can be held liable for any irregularity or inaccuracy of BBA LIBOR. Disclaimer. Morningstar: © 2014 Morningstar, Inc. All Rights Reserved. Disclaimer The Dow Jones IndexesSM are proprietary to and distributed by Dow Jones & Company, Inc. and have been licensed for use. All content of the Dow Jones IndexesSM © 2014 is proprietary to Dow Jones & Company, Inc. Chicago Mercantile Association. The market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. FactSet Research Systems Inc. 2014. All rights reserved. Most stock quote data provided by BATS.