When Stuxnet was found infecting hundreds of thousands of computers worldwide, it was only a matter of time until researchers unraveled its complex code to determine its true intent. Today, analysts are up against a similar challenge. But they’re finding considerably less success taking apart the Stuxnet cousin known as Gauss. A novel scheme encrypting one of its main engines has so far defied attempts to crack it, generating intrigue and raising speculation that it may deliver a warhead that’s more destructive than anything the world has seen before.
Gauss generated headlines almost immediately after its discovery was documented last year by researchers from Russia-based antivirus provider Kaspersky Lab. State-of-the-art coding techniques that surreptitiously extracted sensitive data from thousands of Middle Eastern computers were worthy of a James Bond or Mission Impossible movie. Adding to the intrigue, code signatures showed Gauss was spawned from the same developers responsible for Stuxnet, the powerful computer worm reportedly unleashed by the US and Israeli governments to disrupt Iran’s nuclear program. Gauss also had links to the highly advanced Flame and Duqu espionage trojans.
Gauss contains module names paying homage to the German mathematicians and scientists Johann Carl Friedrich Gauss, Kurt Friedrich Gödel, and Joseph-Louis Lagrange. Its noteworthy features only start there. Gauss has the ability to steal funds and monitor data from clients of several Lebanese banks, making it the first publicly known nation-state sponsored banking trojan. It’s also programmed to collect a dizzying array of information about the computers it infects…
The encrypted payload in the Gödel module is by no means the only mystery surrounding Gauss. Researchers still don’t know how the malware takes hold of target computers in the first place or how it spreads from one machine to another. They’re also at a loss to explain why Gauss installs a custom font known as “Palida Narrow” and corresponding registry values on infected machines. >continue<