Gauss Trojan
August 10, 2012The Trojan goes by the name Gauss.
The Russian IT security firm Kaspersky Lab discovered it in June and has only just now declared it "a new cyber threat targeting users in the Middle East."
But the server used to store data collected by Gauss has been shut down.
It is thought to have become active in September 2011. It has stolen browser passwords, online banking account credentials, browser histories and cookies from thousands of bank users' computers.
Kaspersky Lab says Gauss has targeted the details of customers of several Lebanese banks, including the Bank of Beirut.
It has also targeted users of Citibank and the online payment system PayPal.
"The online banking Trojan functionality found in Gauss is a unique characteristic that was not found in any previously known cyber-weapons," said Kaspersky Lab in a statement.
Stealing data, not money
"Gauss targets multiple users in select countries to steal a large amount of data with a specific focus on banking and financial information," says Alexander Gostev, a chief security expert at Kaspersky Lab.
Some media have called Gauss "a banking Trojan."
But Toralv Dirro, a security strategist at McAfee Labs, says the term is misleading.
"It's not a banking Trojan," says Dirro, "the aim of a banking Trojan is to get into the accounts of users to steal money. But Gauss is much more complex than that."
Kaspersky Lab says Gauss was designed for espionage.
"I think it's plausible," Dirro says. "It's very flexible and consists of several modules, and that's not typical for a banking Trojan."
Gauss is similar to another recent Trojan - Flame.
The Flame malware was discovered earlier this year and mainly infected machines in Iran. Some say it was designed to spy on the country's nuclear program. The United States and Israel are suspected of being responsible for Flame.
Another early malware called Stuxnet tried to attack Iran's nuclear centrifuges. Gauss and Stuxnet also share characteristics.
But Gauss seems to have focused exclusively on banks.
"A typical banking Trojan would target either very few banks or a long list of them," says Dirro of McAfee Labs. He says Swiss international banks would be on the list if criminals had been behind Gauss.
Server shutdown
Information seems to be more important than money to the creators of Gauss.
By stealing cookies they can see which person was on which website at what time.
And by spying on bank accounts they can see exactly how much money moved from one person, or company, to another.
But how they will use the data is unclear at present.
Gauss is dormant now. And as a Trojan the malware has no way of multiplying and spreading itself like a virus.
"The Trojan is still stealing information but it has no master to talk to," says Dirro.
The controlling server that Gauss was communicating with was switched off shortly after its discovery - probably by its creators.
But users of the German IT specialist website heise.de have been speculating about how the malware could switch to another server and whether it could start sending data again.