Kaspersky And CrySys Offer Gauss Detection Tools

The security community’s fightback against the state-sponsored cyber-spying tool Gauss has begun.

Security experts at Kaspersky Lab and the Laboratory of Cryptography and System Security (CrySys) in Hungary have come out with free online detection tools designed to help users determine whether their computers are infected with the Gauss virus.

Font Detection

Both tools are predicated on determining whether a font – dubbed Palida Narrow – is found in the PC. The mysterious Palida Narrow font is particular to the Gauss malware, though Kaspersky researchers are unsure whether the font plays any role in the tool’s work.

“This font was used during the Gauss cyber-attack,” a Kaspersky security expert said in a 10 August post on the company’s SecureList blog. “Although we don’t currently understand exactly why the attackers have installed this font, it could serve as an indicator of Gauss activity on your system.”

CrySys was first to offer an online detection tool to sniff out the Palida Narrow font, which the Gauss malware leaves on infected PCs. Kaspersky took a similar approach, but added an iframe window that uses JavaScript to determine whether the font is on a system. Kaspersky’s expert said the iframe approach simplifies the search by not requiring any server interaction.
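As an added illustration of the client-side approach the article describes (this is the editor's own example, not Kaspersky's or CrySys's tool), the snippet below infers whether a font is installed by comparing rendered text widths against generic fallback fonts; the font name comes from the article, while the function names, probe string, canvas-based measurement and the simulated widths are assumptions about how such a check can be built.

```javascript
// Added example, not Kaspersky's or CrySys's code: the width-comparison technique
// and all names here are the editor's own. A browser that lacks a requested font
// silently substitutes the generic fallback family, so if "'Palida Narrow', X"
// renders at the same width as plain X for every fallback X, the font is absent.
const PROBE_TEXT = "mmmmmmmmmmlli"; // mixed wide/narrow glyphs amplify differences
const FALLBACK_FAMILIES = ["monospace", "serif", "sans-serif"];
const INDICATOR_FONT = "Palida Narrow"; // the font the article says Gauss leaves behind

// measureWidth(fontFamily) returns the rendered width of PROBE_TEXT in that family.
function isFontInstalled(fontName, measureWidth) {
  return FALLBACK_FAMILIES.some((fallback) => {
    const fallbackWidth = measureWidth(fallback);
    const probeWidth = measureWidth(`'${fontName}', ${fallback}`);
    return Math.abs(probeWidth - fallbackWidth) > 0.5; // tolerate sub-pixel rounding
  });
}

// Presence is an indicator worth investigating; absence does not prove a clean machine.
function checkForGaussIndicator(measureWidth) {
  const present = isFontInstalled(INDICATOR_FONT, measureWidth);
  return {
    font: INDICATOR_FONT,
    present,
    verdict: present
      ? "indicator present: scan this machine with up-to-date antivirus"
      : "indicator absent: not conclusive, Gauss may still be present",
  };
}
// Browser measurer: renders the probe text on an offscreen canvas.
function canvasMeasurer() {
  const ctx = document.createElement("canvas").getContext("2d");
  return (fontFamily) => {
    ctx.font = `72px ${fontFamily}`;
    return ctx.measureText(PROBE_TEXT).width;
  };
}

// Constructed stand-in for environments without a canvas (e.g. Node). The widths are
// made up, but follow the real rule: an installed first-choice font overrides the fallback.
function simulatedMeasurer(installedFonts) {
  const fallbackWidths = { monospace: 936, serif: 812, "sans-serif": 804 };
  return (fontFamily) => {
    const [first, generic] = fontFamily.split(",").map((s) => s.trim().replace(/'/g, ""));
    if (generic !== undefined && installedFonts.includes(first)) return 640;
    return fallbackWidths[generic ?? first];
  };
}
const measurer = typeof document !== "undefined" ? canvasMeasurer() : simulatedMeasurer([]);
console.log(checkForGaussIndicator(measurer));
```

A positive result only means the font is present; as the Kaspersky post quoted above puts it, that is an indicator, not proof of infection. Browsers that implement the CSS Font Loading API also expose `document.fonts.check()`, which answers the same question without the width trick.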

Kaspersky’s tool can be found on its SecureList blog. CrySys’ detection tool can be found on its Website.

Kaspersky and other Web security firms have said their antivirus software tools can detect and remove Gauss from systems. In a 10 August blog post, security vendor F-Secure noted that Gauss will not install itself onto a system if antivirus software is present, and apparently also will not install if started on Microsoft Windows 7 SP 1.

CrySys was the research organisation that discovered Duqu, the data-stealing worm that security experts believe is closely related to Stuxnet, another nation-sponsored exploit apparently designed to attack Iran’s nuclear facilities and equipment. In June, Kaspersky experts said they had found direct links between Stuxnet and Flame.

State Action

The cyber-espionage tools – Duqu, Flame, Stuxnet and now Gauss – have been aimed at government and business organisations in the Middle East, though there has been a spillover effect to other parts of the world. Given their targets and the sophistication of the malware, speculation has grown that at least some of these computer viruses have been created by Israel or the United States, or both, to slow down Iran’s nuclear ambitions and to help keep track of terrorist groups in the region.

Whereas Flame and Stuxnet appeared to be aimed at Iranian agencies, the data-stealing Gauss virus seems to be targeting banks and other financial institutions in the Middle East, with speculation about the possibility that it could be part of a larger effort to track money associated with terrorist groups. Kaspersky estimates that 2,500 computers have been infected by Gauss.

There’s little doubt that Gauss is part of a larger state-sponsored cyber-espionage effort, according to a Kaspersky security expert.

“There is enough evidence that this is closely related to Flame and Stuxnet, which are nation-state-sponsored attacks,” the expert said in a 9 August post on the SecureList blog. “We have evidence that Gauss was created by the same ‘factory’ (or factories) that produced Stuxnet, Duqu and Flame. By looking at Flame, Gauss, Stuxnet and Duqu, we can draw [a] ‘big picture’ of the relationship between them.”

Kaspersky CEO Eugene Kaspersky has become increasingly outspoken against what he calls a growing trend of state-sponsored “cyber-terrorism,” and has called on countries to fight against it. He noted that a growing number of countries are developing the technological capabilities to launch sophisticated cyber-attacks, and an escalation of such attacks could be dangerous to everyone.

“These ideas are spreading too fast,” Kaspersky said during a conference in Israel in June. “That cyber-boomerang may get back to you.”

Malware Escalation?

Other security experts also expect this trend to continue.

“It is clear that the gloves are off when it comes to nation-state sponsored malware,” Michael Sutton, vice president of security research at Zscaler ThreatLabZ, said about Gauss in an email sent to eWEEK. “While this has been ongoing for some time, the activities are now far more public and researchers are actively looking for samples, with the ability to ‘follow the breadcrumbs’ and tie together samples with a similar origin. We can only expect this activity to escalate with malware such as Stuxnet having succeeded by accomplishing a task that could have put individuals in harm’s way, had the mission been carried out with traditional means.”

Jeffrey Burt

Jeffrey Burt is a senior editor for eWEEK and contributor to TechWeekEurope
