Researchers at Kaspersky Lab have identified a new information-stealing malware, called “Gauss,” that collects data from infected systems and sends it to its command-and-control servers. Kaspersky’s analysis found that Gauss shares design and code similarities with Stuxnet, Duqu, and Flame.
Kaspersky found Gauss on systems in Lebanon, the Palestinian Territories, and Israel, and on a limited number of networks in the U.S.; the impact to the U.S. systems is currently unknown.
The USB information-stealing module spreads by exploiting the known Windows Shell shortcut (“.LNK”) vulnerability CVE-2010-2568, the same vulnerability exploited by Stuxnet; the flaw is triggered when Windows Explorer renders the icon of a malicious shortcut, so simply browsing an infected drive on an unpatched system is enough to run the module. The USB module also carries an encrypted payload whose functionality is unknown. Both ICS-CERT and US-CERT are evaluating the malware to understand its full functionality and will report updates as needed.
However, based on early reporting and analysis, there is no evidence that Gauss targets industrial control systems (ICS) or U.S. government agencies.
Gauss collects information using various modules and, according to Kaspersky, has the following functionality:
• Injects its own modules into different browsers in order to intercept user sessions and steal passwords, cookies, and browser history,
• Collects information about the computer’s network connections,
• Collects information about processes and folders,
• Collects information about BIOS and CMOS RAM,
• Collects information about local, network and removable drives,
• Infects removable media drives with an information-stealing module in order to steal information from other computers,
• Installs the custom “Palida Narrow” font (purpose unknown),
• Ensures the entire toolkit’s loading and operation, and
• Interacts with the command and control server, sending the information collected to it, and downloading additional modules.
At this time, no Gauss-specific mitigations are available. The following general measures reduce the likelihood of infection and limit its impact:
1. Exercise caution when using removable media, including USB drives, to prevent the spread of Gauss. Note that the .LNK exploit does not rely on AutoRun, so disabling AutoRun alone does not stop the USB infection vector.
2. Apply Windows Updates to patch CVE-2010-2568 (addressed by Microsoft Security Bulletin MS10-046). This closes the vulnerability Gauss uses to execute from removable media.
3. Update antivirus definitions to enable detection of the Gauss malware.
4. Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
5. Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
6. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that a VPN is only as secure as the devices connected to it.
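The following host check is an added example and is not part of the alert or of Kaspersky’s analysis. It verifies the two host-level items above that can be checked mechanically: whether the fix for CVE-2010-2568 is installed, and whether the “Palida Narrow” font named in the functionality list is present. It also lists shortcut files in the root of any removable drive, which is only a hint for follow-up, not a Gauss signature. Assumptions not stated in the alert: Microsoft Security Bulletin MS10-046 shipped the fix as hotfix KB2286198, and installed fonts are registered by face name under the Fonts registry key. The function names are the example’s own. Run it from an elevated Windows PowerShell prompt on each host.

```powershell
# Added example: Gauss-related host check (not code from the alert or from Kaspersky).
# Assumptions: KB2286198 is the hotfix ID MS10-046 shipped for CVE-2010-2568, and
# installed fonts are registered as "<face name> (TrueType)" under the Fonts key.

function Test-LnkPatchInstalled {
    # Get-HotFix reads Win32_QuickFixEngineering. A later cumulative update can
    # supersede KB2286198 without listing it, so treat $false as "verify", not "unpatched".
    $fix = Get-HotFix -Id 'KB2286198' -ErrorAction SilentlyContinue
    return [bool]$fix
}

function Find-PalidaNarrowFont {
    $key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'
    $fontsDir = Join-Path $env:windir 'Fonts'
    $hits     = @()

    # 1. Registry: value name is the face name, value data is the font file.
    $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($entries) {
        foreach ($prop in $entries.PSObject.Properties) {
            if ($prop.Name -notlike 'Palida Narrow*') { continue }
            $file = [string]$prop.Value
            if (-not [System.IO.Path]::IsPathRooted($file)) { $file = Join-Path $fontsDir $file }
            $hits += [pscustomobject]@{
                Source = 'registry'; Name = $prop.Name; FontFile = $file
                OnDisk = Test-Path -LiteralPath $file
            }
        }
    }

    # 2. Files: a font can be dropped without a registry entry, so read each TrueType
    #    file's face name instead of trusting its file name.
    Add-Type -AssemblyName System.Drawing
    foreach ($ttf in Get-ChildItem -Path $fontsDir -Filter '*.ttf' -Force -ErrorAction SilentlyContinue) {
        $pfc = New-Object System.Drawing.Text.PrivateFontCollection
        try {
            $pfc.AddFontFile($ttf.FullName)
            foreach ($family in $pfc.Families) {
                if ($family.Name -like 'Palida Narrow*') {
                    $hits += [pscustomobject]@{
                        Source = 'file'; Name = $family.Name; FontFile = $ttf.FullName; OnDisk = $true
                    }
                }
            }
        } catch {
            # Unreadable or malformed font file; skip it.
        } finally {
            $pfc.Dispose()
        }
    }
    return $hits
}

function Get-RemovableDriveShortcuts {
    # Lists .lnk files in the root of each removable drive (DriveType 2). Enumerating
    # with Get-ChildItem does not ask the shell to render icons, so this does not
    # trigger CVE-2010-2568; opening the drive in Explorer on an unpatched host would.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $root = "$($_.DeviceID)\"
        Get-ChildItem -Path $root -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime, Attributes
    }
}

# Report
$patched = Test-LnkPatchInstalled
$fonts   = @(Find-PalidaNarrowFont)
$lnks    = @(Get-RemovableDriveShortcuts)

"MS10-046 (KB2286198) present : $patched"
"Palida Narrow font found     : $($fonts.Count -gt 0)"
$fonts | Format-Table -AutoSize
"Shortcuts in removable roots : $($lnks.Count)"
$lnks  | Format-Table -AutoSize
```

A missing hotfix on a host that has since received cumulative updates is not proof of exposure, and a present font is an indicator to escalate, not a confirmed infection; pair both with the updated antivirus scan from item 3 before drawing conclusions. Any shortcut found in a USB root should be examined on a patched or isolated system, since merely displaying it in Explorer on an unpatched host is the infection path this alert describes.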