Peaceful Civilian
Security experts said on Thursday that they had discovered what they believed was the fourth state-sponsored computer virus to surface in the Middle East in the last three years.
The virus appears to have been written by the same programmers who designed Flame, the powerful data-mining computer virus that was found to be spying on computers in Iran last May. The latest virus has been detected on 2,500 computers, the majority of them in Lebanon, but researchers estimate the total number of infections could number in the tens of thousands.
Researchers at Kaspersky Lab, the Moscow-based computer security firm that first reported the virus, said it stole information from computers, notably log-in credentials for bank accounts. This is something more typically found in malicious programs used by profit-seeking cybercriminals, and has not been seen in a state-sponsored computer virus.
The virus, which researchers have nicknamed Gauss after a name found in its code, targets accounts at several of Lebanon's largest banks, including the Bank of Beirut, BlomBank, ByblosBank, Credit Libanais and FransaBank, along with Citibank and PayPal. Researchers said it also hijacked account information for social networks, e-mail and instant messaging accounts.
"We have never seen any malware target such a specific range of banks," Costin Raiu, Kaspersky Lab's director of global research and analysis, said in an interview. "Generally cybercriminals target as many banks as possible to maximize financial profit, but this is a very focused cyberespionage campaign targeting certain users of online banking systems."
Kaspersky's researchers said they first encountered Gauss while analyzing the Flame virus last June. Flame is a reconnaissance tool that could grab images of users' computer screens, record e-mails and instant-messaging chats, turn on microphones remotely and monitor keystrokes and network traffic. It could infect a device even if it was not connected to the Internet, through a USB stick or by looking for Bluetooth-enabled devices nearby or Internet-connected devices in a local network.
Kaspersky's researchers said they were confident Gauss was made by the same programmers as Flame because it was built on the same architectural platform, the two share similar code, they were written in the same C++ developer language and they use similar means to infect computers that are not connected to the Internet.
The programmers behind Flame and Gauss are different from those who wrote Duqu and Stuxnet, the two other state-sponsored computer viruses to surface in recent years, the researchers say. Duqu and Stuxnet spied on and eventually set back Iran's nuclear program in 2010, when a cyberattack spun centrifuges at Iran's Natanz nuclear plant out of control.
But Kaspersky's researchers maintain that all four viruses were commissioned by the same state-sponsored entity.
"There is absolutely no doubt that Gauss and Flame were printed by the same factories. And an early version of Stuxnet used a module from Flame, which shows they are connected. Stuxnet was created by a nation-state; it simply could not have been designed without nation-state support, which means Flame and Gauss were created with nation-state support as well," Mr. Raiu said.
Kaspersky Lab has declined to say which nation-states are behind the attacks, but The New York Times reported in June, based on interviews with officials in several countries, that Stuxnet was jointly developed by the United States and Israel as part of a broader American campaign code-named Olympic Games that started under the Bush administration and accelerated under President Obama. Members of the Obama administration estimate that Stuxnet set back Iran's nuclear program as much as two years.
Beyond Kaspersky Lab, however, security experts said it was a stretch to assume a nation-state was behind Gauss, or that it belonged to the same campaign.
"It's a fairly large leap, in terms of deductive reasoning, to assume that because they share a common architectural platform, this variant is also state-sponsored," said Will Gragido, who heads the advanced threat intelligence team at RSA, the security firm, and has studied Flame but has not yet encountered the Gauss malware.
"State-sponsored actors do not go after bank accounts. That's not to say they couldn't, but it's incongruent with traditional nation-state behavior. It's possible the code was made available underground and repurposed or reused by cybercriminals. It would be a stretch to say a state-sponsored element was targeting a banking environment."
But Kaspersky researchers said Gauss was designed with a sophisticated level of encryption that would require the skills and resources typically reserved for nation-states. In addition to a data-stealing component, researchers say Gauss contains an unknown cyber warhead that looks for a very specific computer system that is not connected to the Internet and installs itself only if it encounters the system.
"It's done in such a clever way that security researchers cannot analyze it because they don't know the decryption key that unlocks the true purpose of that program," Mr. Raiu said. "Until we crack that code, there is no way to tell what the encrypted payload is after."
Because the component targets computer systems that are not connected to the Internet, Mr. Raiu said they could narrow down the list of targets to high-security banks, hospitals, military and police installations. He said Kaspersky did not know the identities of the targets.
Kaspersky detected Gauss on 2,500 computer systems in 25 countries, 1,660 of them in Lebanon. Another 482 were in Israel and 261 in Palestine.
According to clues in its code, Kaspersky says it believes Gauss was first created in mid-2011 and deployed that August or September. Like Flame, Gauss is modular, which lets its creators swap out components and change up its workings. Where Flame's architects demonstrated a penchant for American movie characters (one of Flame's functions was named Beetlejuice), Gauss's authors preferred mathematicians. Its primary module appears to have been named after Johann Carl Friedrich Gauss. Other modules appear to have been named after Kurt Gödel, Joseph-Louis Lagrange and Brook Taylor.
Kaspersky said it was still working to understand what data Gauss siphoned from infected machines. Its command and control servers went dormant last month.
But the biggest mystery, security researchers say, is how many similar computer viruses remain at large. In studying Duqu and Stuxnet, Kaspersky said it encountered evidence of at least three other viruses built on the same platform: small bricks of other viruses that were not used in Duqu or Stuxnet.
"What we have here is only the smaller pieces of a much bigger puzzle," Mr. Raiu said.
Researchers Find Possible State-Sponsored Virus in Mideast - NYTimes.com