
Gauss: Between technology and politics

May 7, 2013, by Dimitar Kostadinov

Introduction

The purpose of this work is to present research on the Gauss malware platform as one of the most capable nation-state cyber-exploitation toolkits seen so far. Like every sensible human creation, Gauss has certain characteristics and a purpose. The research is therefore divided into two major parts:


The first part, Gauss – tech facts, describes some of the interesting features inherent in Gauss, as well as what connects it to, or distinguishes it from, other similar malware.

The second part, Political history relevant to Gauss cyber exploitation, takes the reader to the world of Middle East politics, drawing back the curtain to reveal the possible reasons behind the cyber-exploitation campaign against the banking sector in Lebanon.

Finally, the conclusion serves as a synthesis of the facts set forth in both parts.

I. Gauss – tech facts

The Gauss malware consists of several modules, and the curious thing is that some of them are named after mathematicians: Gauss, Gödel, Lagrange, Taylor. Because the Gauss module is the one that does the actual collecting of valuable information, the whole platform received that name (Kaspersky, 2012).

Mothership (wmiqry32.dll, wmihlp32.dll)

The mothership, as the main module is often referred to, establishes communication with the C&C server and loads additional modules (McAfee, 2012). Its size is a little over 200 KB.

Interestingly, the Gauss C2 infrastructure used a technique familiar to the IT community as DNS load balancing, a.k.a. round-robin DNS: a single C2 hostname resolves to several IP addresses, and clients are spread across them. The technique is normally used to even out heavy traffic to a website, which suggests that the operators expected enough data coming back from victims to justify spreading it over several servers (RT, 2012).

The Gauss module (WINSHELL.OCX)

The "Gauss" module (WINSHELL.OCX) is the most important module in the malware because it is responsible for the data stealing. As part of its task, the module installs browser extensions and collects browsing data from the targeted computer. While loading, it tries to inject itself into Explorer.exe and builds up log files in which it stores passwords, cookies and other data (McAfee, 2012).

The Gödel module (DSKAPI.OCX)

Maybe the most interesting module of Gauss is "Gödel". The main functions of the Gödel module are launching malicious files via the .LNK exploit, infecting removable drives, and killing any security-related processes running on the system (McAfee, 2012).

Roel Schouwenberg, a Kaspersky researcher, opines that "Gödel" may contain a Stuxnet-like "warhead" capable of inflicting damage on control systems involved in operating, maintaining, or controlling critical national infrastructure.

USB infection capabilities

As underscored above, Gödel can infect removable drives, but it does so in a "more intelligent" fashion, placing the gathered information in a hidden file on the USB drive (Fitzpatrick, 2012). The data-stealing component exploits the same .LNK vulnerability (CVE-2010-2568) previously taken advantage of by Stuxnet and Flame.

In addition, the files written to the USB drive carry a TTL (time-to-live) counter initialised to 30: every time the payload is executed the counter is decremented, and when it reaches 0 "the data stealing payload cleans itself from the USB stick", in effect "disinfecting" the drive ("GReAT" Kaspersky Lab Expert, 2012).

Furthermore, the USB attack is difficult to spot for another reason. According to Symantec, some sections of the payload binary that is placed on USB devices are heavily encrypted.

Encryption & Mysterious payload

Speaking of which, some parts of Gödel's encryption are extremely sophisticated. In contrast with Stuxnet, Duqu, and Flame, the decryption key is not present in the malware itself: the payload is protected with RC4, and the key is computed dynamically on the infected system from that system's configuration. The module remains dormant until it has been successfully decrypted (Bencsáth, Pék, Buttyán, and Félegyházi, 2012).

Gauss also has a 64-bit payload, together with Firefox-compatible browser plugins designed to monitor and steal credentials for a handful of Lebanese banks: Blom Bank, Byblos Bank, Bank of Beirut, Fransabank, Credit Libanais, and EBLF ("GReAT" Kaspersky Lab Expert, 2012). Curiously, several of the major banks are omitted.

In addition, it scans for cookies containing the following strings: paypal, visa, mastercard, eurocard, citibank, americanexpress, amazon, ebay, maktoob, facebook, yahoo, hotmail, gmail (RT, 2012).

Apparently, the payload only runs on machines whose configuration matches a predetermined pattern, and it is that configuration which unlocks the encryption. This functionality, together with all the features mentioned above, reveals the highly targeted approach the malware takes (RT, 2012).
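To make the idea of a configuration-keyed payload concrete, the following is an added example of the general technique; it is not code recovered from Gauss and does not come from any of the reports cited here. The operator derives an RC4 key from a string that only the intended victim's machine produces (here, a constructed Program Files directory entry concatenated with the PATH variable), ships the ciphertext together with a one-way check value, and the dropper recomputes candidate keys on every host it lands on. The specific choices (what goes into the key string, the 10,000 MD5 rounds, a SHA-256 check value, the sample data) are assumptions made for this illustration, not Gauss's actual scheme.

```python
import hashlib

# Added example: environment-keyed payload encryption (illustration of the
# technique described in the text, not code recovered from Gauss).  Every
# concrete detail below (what goes into the key string, the round count,
# the check value, the sample data) is an assumption made for this example.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the PRGA keystream XOR.
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


ROUNDS = 10_000  # assumed iteration count; makes guessing candidate strings costly


def derive_key(program_files_entry: str, path_value: str, rounds: int = ROUNDS) -> bytes:
    """Turn one machine-specific string into a 16-byte RC4 key.
    The dropper never stores the key; it recomputes it from what it finds on
    the host, so a copy of the sample alone does not reveal it."""
    material = (program_files_entry + path_value).encode("utf-8")
    for _ in range(rounds):
        material = hashlib.md5(material).digest()
    return material


def key_check(key: bytes) -> str:
    """One-way check value shipped with the blob: lets the dropper recognise
    the right key without the sample disclosing the key itself."""
    return hashlib.sha256(b"check:" + key).hexdigest()


def build_package(payload: bytes, target_entry: str, target_path: str) -> dict:
    """Operator side: encrypt the payload for exactly one expected host configuration."""
    key = derive_key(target_entry, target_path)
    return {"check": key_check(key), "blob": rc4(key, payload)}


def try_unlock(package: dict, program_files_listing: list, path_value: str):
    """Victim side: derive a key from each Program Files entry on this host and
    decrypt only when the check value matches.  On any other machine the loop
    falls through, the function returns None and the payload stays dormant."""
    for entry in program_files_listing:
        key = derive_key(entry, path_value)
        if key_check(key) == package["check"]:
            return rc4(key, package["blob"])
    return None


# Constructed sample data for the demonstration (not from a real infection).
TARGET_ENTRY = "BankTellerSuite"
TARGET_PATH = r"C:\Windows\system32;C:\Windows;C:\BankTellerSuite\bin"
PAYLOAD = b"payload that is only meaningful on the intended host"
PACKAGE = build_package(PAYLOAD, TARGET_ENTRY, TARGET_PATH)


def demo() -> tuple:
    """Returns (result on the intended host, result on an unrelated host)."""
    on_target = try_unlock(
        PACKAGE, ["Common Files", "BankTellerSuite", "Internet Explorer"], TARGET_PATH
    )
    elsewhere = try_unlock(
        PACKAGE, ["Common Files", "Internet Explorer"], r"C:\Windows\system32;C:\Windows"
    )
    return on_target, elsewhere


if __name__ == "__main__":
    print(demo())
```

The point of the construction is not the cipher (RC4 is weak by modern standards and only keeps the blob unreadable without the key) but the fact that the key material never travels with the sample. An analyst who has the dropper but not the victim's exact configuration is left guessing strings, and the iterated hash makes every guess expensive; this is why the encrypted Gödel payload resisted analysis. The same property also makes the decrypted payload impossible to obtain from a sandbox whose configuration does not match.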

The mystery of the "Palida Narrow" custom font

The Lagrange module (WINDIG.OCX) is responsible for installing a custom font, Palida Narrow, on the targeted system (McAfee, 2012). The exact purpose of the font is unknown to date. Nevertheless, there are some plausible suggestions:

  1. Although highly unlikely, Gauss might use the font for printed material.
  2. The font might tamper with characters on web pages in order to hide alerts.
  3. It might serve to check that installation completed successfully (RT, 2012).
  4. It might be inserted to set up a backdoor by exploiting a vulnerability in the system's font handling. Fonts have been used for such purposes in the past, for example the TrueType font-parsing vulnerability in the Windows kernel exploited by Duqu.
  5. Lastly, the Palida font might be used for remote detection, marking infected computers: a web page can test whether a given font is installed on the visiting machine.

Indeed, given the sensitive, highly targeted nature of the attack, the last hypothesis seems the most plausible (Syversen, 2013).

In the end, what is Gauss?

Analysts consider Gauss highly targeted malware for a number of reasons. First, it is based on the Flame platform, another targeted piece of malware; in fact, Gauss was discovered during ongoing research into Flame. Generally speaking, Flame is a complex nation-state malware platform used primarily for cyber exploitation. Second, Gauss does not self-replicate freely and does not infect computer systems indiscriminately. Third, Lebanon is the main victim, with more than 1,660 PCs infected; for reference, Israel and the Palestinian territories follow with 483 and 261 respectively. Fourth, unlike ordinary banking trojans, Gauss does not go after hundreds of financial institutions; it targets only a handful of specific banks (Kaspersky, 2012).

Taking all of these facts into account, one can logically arrive at the following conclusion: Gauss is highly targeted, fine-tuned, nation-state malware, bearing some resemblance to Flame, whose purpose is cyber exploitation of banking institutions in the Middle East, mainly Lebanese banks.

II. Political history relevant to Gauss cyber exploitation

This part is subdivided into periods of time which may matter for the motives behind the release of Gauss. The prominent events are set out below in timeline order, and each is then elaborated on.


1. Lebanese Canadian Bank blacklisted by U.S. government

On February 17, 2011, the U.S. Department of the Treasury found the Lebanese Canadian Bank SAL (LCB) to be a financial institution of primary money laundering concern under Section 311 of the USA PATRIOT Act.

Firstly, a narcotics trafficking and money laundering scheme was linked to LCB. According to the Treasury, LCB "has been used extensively by persons associated with an international drug trafficking and money laundering network to move hundreds of millions of dollars monthly in cash proceeds from illicit drug sales into the formal financial system (2011, par.4)." Since part of the scheme involved laundering money through used cars purchased in the United States, the "measures to be imposed on the institution under Section 311, is a necessary first step to prevent LCB from facilitating money laundering or other financial crime through the U.S. financial system (Office of the Federal Register, 2011, p.9406)."

Secondly, LCB was found to have a connection to Hezbollah. The U.S. Government possesses information accusing LCB managers of providing banking services to Hezbollah members. Because Hezbollah is designated a Foreign Terrorist Organization and a Specially Designated Global Terrorist, LCB was blacklisted. Europe, on the other hand, does not share these designations, and "many member states maintain some form of relations with the movement (The European Council on Foreign Relations, 2012, par.22)."

It should be noted that the whole story received a full media coverage as late as December 2011.

2. Syria sanctions and Lebanese banks

In March 2011, Syria is thrown into a civil war between the ruling Assad family and opposition forces fighting the regime. Not long after the first atrocities, the UN Security Council, other prominent international institutions such as the EU, and many Western governments impose numerous sanctions on the Syrian government. As in the Libyan civil war, some of the measures aim at freezing assets and cutting off international dealings of any kind with the Assad government. Because Lebanon and Syria are neighbouring countries, the Lebanese banks are an important door to the outside financial world. In the beginning, Lebanon is criticized for the slow implementation of the sanctions against Syria, and also against Iran. However, under the incentive to keep their international relations, and hence their stability and prosperity, intact, the Lebanese banks "have been quietly implementing multilateral sanctions (Epstein & Saeed, 2012, par. 15)."

3. In August-September 2011, according to Kaspersky, the Gauss malware is released.

4. On March 20, 2012, David Cohen, U.S. Treasury Under Secretary, visits Beirut to ensure that Lebanon abides by the punitive measures imposed on Syria and Iran. Presumably, the focus is on the banking sector.

5. The Wall Street Journal reports that the U.S. administration continues to scrutinize the Lebanese financial system on suspicion that it is exploited by Hezbollah, Syria, and Iran to fund their activities (Rubenfeld, 2012).

6. The accusations against the Lebanese banking system are disputed

In a Daily Star article, the Secretary General of the Association of Lebanese Banks, Makram Sader, states that the allegations continuously propagated by some prestigious U.S. newspapers, implicating more Lebanese banks in money laundering in support of terrorism, are "not substantiated by their authors" and that this campaign discredits the reputation of the Lebanese banking sector.

Moreover, he opines that the banks in question comply with the U.N. Security Council resolutions and refuse to perform any services to Syrian or Iranian banks. In conclusion, Sader points out: "If the U.S. authorities had any kind of evidence against any Lebanese bank it would not have hesitated to place the name of this bank on the black list (Habib, 2012, par.17)."

7. In July 2012, Gauss is discovered by Kaspersky Lab

8. Money seizure from rogue Lebanese bank

About a month later, U.S. authorities seize $150 million held in an escrow account at Banque Libano-Française SAL. The sum is part of the purchase price of the already sold Lebanese Canadian Bank, and the seizure is connected to the Hezbollah money laundering case.

"Why Lebanese banks?" Conclusion

The banking sector in Lebanon is both strong and sensitive. Security breaches always bring negative publicity, which may affect the overall stability of Lebanese banks and in turn feed the political turmoil in the region. The strict adherence to the Banking Secrecy Law, which keeps the flow of information about account holders to a minimum, together with a lack of IT security awareness, makes cyber means a suitable way of acquiring substantial amounts of intelligence under the counter (Moophz, 2012).

This review of the significant events in the Middle East preceding Gauss' emergence, up until its discovery, was set out as a timeline for a reason. The situation in the region is evidently very complicated. After Libya and Egypt, Syria is torn by internal struggles, drawing international attention to what can safely be described as a humanitarian crisis. This resulted in stringent sanctions imposed on the ruling Syrian government and its financial system, and a wide array of international dealings in the banking sector were cut off. Nevertheless, many expressed concern that the Lebanese banks were not exercising due diligence in complying with these sanctions.

On the other hand, Hezbollah continues to be a thorn in the side of the Israeli and U.S. authorities. For a long time the Lebanon-based organization, subsidized by Iran and Syria, has been designated a terrorist group, which means that any other organization or institution found to be related to it is treated more or less on a par with it, or at least as an accomplice. The Lebanese Canadian Bank case merely confirms this.

In the context of these explanations, the rhetorical question posed by Jeffrey Carr, cyber warfare expert for Taia Global security firm, makes some sense: "You've got this successful platform (the advanced nation-state malware). Why not apply it to this investigation into Lebanese banks and whether or not they are involved in money laundering for Hezbollah (Reuters, 2012)?"

On top of everything, Iran has been gradually advancing its nuclear programme, a precondition for further straining tensions with its regional rival Israel and Israel's most trusted ally, the USA. The Stuxnet worm managed to set back Iran's uranium enrichment effort for a while. The Flame malware is related to Stuxnet, and it is widely speculated that both toolkits were commissioned by the US and Israel to impair Iran's nuclear program.

Hence, given that Stuxnet is related to Flame and Flame is related to Gauss, we can concur with Kaspersky Lab's logical conclusion that "Gauss comes from the same 'factory' or 'factories' ("GReAT" Kaspersky Lab Expert, 2012, par.29)." And if we take into account the period in which Gauss was active and the political situation in the Middle East, we have a good picture of why Lebanese banks were targeted by Gauss, a sophisticated tool for nation-state-sponsored cyber exploitation.

Reference List

Bencsáth, B., Pék, G., Buttyán, L., & Félegyházi, M. (2012). The cousins of Stuxnet: Duqu, Flame, and Gauss. Future Internet, 4(4), 971-1003. doi:10.3390/fi4040971

Epstein, M. & Saeed, A. (2012). 'Smart' sanctions take toll on Syria. Retrieved on 18/03/2013 from http://www.ft.com/intl/cms/s/0/9faf8274-d0bf-11e1-8d1d-00144feabdc0.html#axzz2NucxWXkX

European Council on Foreign Relations (2012). Lebanon: Containing spillover from Syria. Retrieved on 18/03/2013 from http://ecfr.eu/content/entry/lebanon_containing_spillover_from_syria

Fitzpatrick, A. (2012). Meet the 'Gauss' Virus, Stuxnet and Flame's New Cousin. Retrieved on 18/03/2013 from http://mashable.com/2012/08/09/gauss-virus/


"GReAT" Kaspersky Lab Expert (2012). Gauss: Nation-state cyber-surveillance meets banking Trojan. Retrieved on 18/03/2013 from http://www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan

Habib, O. (2012). No proof Lebanese banks linked to terrorist financing: Sader. Retrieved on 18/03/2013 from http://www.dailystar.com.lb/Business/Lebanon/2012/Jul-04/179295-no-proof-lebanese-banks-linked-to-terrorist-financing-sader.ashx#ixzz2Nd2TGU9T

Kaspersky Lab, (2012). Gauss: Abnormal Distribution. Retrieved on 18/03/2013 from http://www.securelist.com/en/downloads/vlpdfs/kaspersky-lab-gauss.pdf

McAfee Labs (2012). McAfee Labs Threat Advisory PWS-Gauss. Retrieved on 18/03/2013 from https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23950/en_US/Threat_Advisory_PWS-Gauss.pdf

Moophz (2012). Gauss the malware: An electromagnetic cyber espionage tool. Retrieved on 18/03/2013 from http://moophz.com/article/gauss-malware-electromagnetic-cyber-espionnage-tool


Office of the Federal Register (2011). Federal Register, Volume 76, Number 33. Retrieved on 18/03/2013 from http://digital.library.unt.edu/ark:/67531/metadc52208/m1/201/


Reuters, (2012). Virus found in Mideast can spy on bank transactions. Retrieved on 18/03/2013 from http://ca.reuters.com/article/technologyNews/idCABRE8780NJ20120809?pageNumber=1&virtualBrandChannel=0


RT (2012). Stuxnet, Flame... Gauss: New spy virus found in Middle East. Retrieved on 18/03/2013 from http://rt.com/news/gauss-virus-stuxnet-flame-276/


Rubenfeld, S. (2012). US probes Lebanese banking operations. Retrieved on 18/03/2013 from http://blogs.wsj.com/corruption-currents/2012/04/30/us-probes-lebanese-banking-operations/


Syversen, J. (2013). Cyber-espionage tool – Gauss. Retrieved on 18/03/2013 from http://cyber-son.blogspot.com/2013/02/cyber-espionage-tool-example-gauss.html


U.S. Department of the Treasury (2011). Treasury Identifies Lebanese Canadian Bank Sal as a "Primary Money Laundering Concern". Retrieved on 18/03/2013 from http://www.treasury.gov/press-center/press-releases/pages/tg1057.aspx

About the author: Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master's program in Bulgarian and European Law at the University of Ruse and was enrolled in 2002 following high school. He obtained a Master's degree in 2009. From 2008 to 2012, Dimitar worked in data entry and research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to the Law and Politics of International Security programme at Vrije Universiteit Amsterdam, the Netherlands, graduating in August 2012. Dimitar also holds an LL.M. in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in the Internet of Things, Big Data, privacy and data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European Summit organized by Forum Europe in Brussels.