
09 August 2012

Cyberwar: A Gaussian Flame Sweeping Through Middle Eastern Banks

Computer malware "Flame" and a new addition "Gauss" have been detected targeting bank accounts at several banks in Lebanon. They appear to be seeking out log-in credentials, which would allow outsiders to spy on account activity -- and even manipulate accounts and account transfers, if desired. It is likely that Lebanese banks are only the tip of the iceberg, however.

Russia's Kaspersky Lab -- closely tied to Putin's Kremlin -- has been unable to crack the encryption for the Gauss malware.
“When you look at Stuxnet and DuQu, they were obviously single-goal operations. But here I think what you see is a broader operation happening all in one,” says Roel Schouwenberg, senior researcher at Kaspersky Lab.

The researchers don’t know if the attackers used the bank component in Gauss simply to spy on account transactions, or to steal money from targets. But given that the malware was almost certainly created by nation-state actors, its goal is likely not to steal for economic gain, but rather for counterintelligence purposes. Its aim, for instance, might be to monitor and trace the source of funding going to individuals or groups, or to sabotage political or other efforts by draining money from their accounts.

While the banking component adds a new element to state-sponsored malware, the mysterious payload may prove to be the most interesting part of Gauss, since this part of the malware has been carefully encrypted by the attackers and so far remains uncracked by Kaspersky.

The payload appears to be highly targeted against machines that have a specific configuration — a configuration used to generate a key that unlocks the encryption. So far the researchers have been unable to determine what configuration generates the key. They’re asking for assistance from any cryptographers who might be able to help crack the code.

According to Kaspersky, Gauss appears to have been created sometime in mid-2011 and was first deployed in September or October of last year, around the same time that DuQu was uncovered by researchers in Hungary. DuQu was an espionage tool discovered on machines in Iran, Sudan, and other countries around August 2011 and was designed to steal documents and other data from machines. Stuxnet and DuQu appeared to have been built on the same framework, using identical parts and using similar techniques. Flame and Stuxnet also shared a component, and now Flame and Gauss have been found to be using similar code as well.

Kaspersky discovered Gauss only this last June, while looking for variants of Flame.

...Like Flame, Gauss is modular, so that new functionality can be swapped in and out, depending on the needs of the attackers. To date, only a few modules have been uncovered — these are designed to steal browser cookies and passwords, harvest system configuration data including information about the BIOS and CMOS RAM, infect USB sticks, enumerate the content of drives and folders, and to steal banking credentials as well as account information for social networking accounts, e-mail and instant messaging.

Gauss also installs a custom font called Palida Narrow, the purpose of which is not known. The use of a custom font designed by the malware authors is reminiscent of DuQu, which used a font called Dexter fabricated by its creators to exploit victim machines. Kaspersky has found no malicious code in the Palida Narrow font files and has no idea why it’s in the code, though the font contains Western, Baltic and Turkish symbols.

Gauss’s primary module, which Kaspersky refers to as the mother ship, appears to have been named after German mathematician Johann Carl Friedrich Gauss. Other modules of the malware appear to have been named after mathematicians Joseph-Louis Lagrange and Kurt Godel. The Gauss module is about 200K in size. With all of the plugins found so far, Gauss measures 2MB, much smaller than the 20MB Flame with all of its modules. Researchers do not yet know how the main Gauss module first gets onto systems, but once on a system, it injects into the browser in order to steal cookies and passwords. Another module loads an exploit onto any USB sticks inserted into the system thereafter. The exploit dropped to the USB stick is the same .lnk exploit that Stuxnet used to spread to systems. Microsoft has since patched the .lnk exploit, so it’s unclear if the .lnk module that Gauss uses has been successful in infecting systems. Once an infected USB stick is inserted into another system, it has two roles – to gather configuration information about the system and to deliver the encrypted payload.

The configuration data it collects includes information about the operating system, network interfaces and SQL servers. It stores this data in a hidden file on the USB stick. When the USB stick is later inserted into another system that has the main Gauss module installed on it and that is connected to the internet, that stored configuration data is sent to the attacker’s command-and-control servers. The USB exploit is set to gather data only from 30 machines, after which it deletes itself from the USB stick.

Schouwenberg says the USB module appears to be aimed at bridging an airgap and getting the payload onto systems that are not connected to the internet, as it had been used previously to get Stuxnet onto industrial control systems in Iran that were not connected to the internet. _Wired
More at the linked story above.

More background on Flame

Development timeline linking Stuxnet and Flame

Middle East cyberwar is not all one-sided

Computer network intrusion, data collection, and disruption, are all part of a modern nation's arsenal. Russian and Chinese hackers and info-spies have been among the most malicious and destructive, penetrating the highest levels of governmental networks in Europe, North America, and Oceania.

The reason that Flame, Stuxnet, Duqu, Gauss, etc. are receiving so much media attention is that these infowar tools are the most sophisticated of which the public have been made aware. Thus far.

One thing's not in contention. Kaspersky and Symantec each are convinced that Stuxnet and Flame were built by different teams.

There's little to no similarity between the two pieces of malware.

"Stuxnet and Duqu were created on the same [development] platform, but they have nothing in common with Flame," said Schouwenberg. "There's absolutely nothing in common. Stuxnet/Duqu and Flame use completely different development philosophies." _Source
Clearly the electronic commons has been breached and exposed to anyone clever enough to graze it. The physical commons has, of course, long since been breached.

Members of the Society for Creative Apocalyptology are taught how to avoid the "commons" when necessary. And how to deal with the risks of the commons when necessary.

2 comments:

  1. If Israel is behind this - under what scenario would they crash middle eastern banks?

  2. Who knows? Iran is certainly one nation imminently in danger of being forced back to the dark ages.

    It does look as if the Kremlin-linked Kaspersky is suffering from a type of "virus envy," with regard to Gauss.

    All the Y2K hype may have been a decade or two premature. Information warfare exposes all electronic infrastructure -- civilian, military, government -- to increasingly sophisticated attack.


“During times of universal deceit, telling the truth becomes a revolutionary act” _George Orwell