Gauss: Researchers release detection tools

After announcing the discovery of a new malicious software that targets financial data, researchers have created new, Web-based tools that let anyone check if they’ve been infected.

The new malware, Gauss, shows ties to previous state-sponsored viruses Flame and Stuxnet, but targets financial data. Those viruses were aimed at computers tied to Iran’s nuclear program; Gauss is primarily found in Lebanon.

Two groups — Russian-based Kaspersky Labs, which first published information on Gauss and Flame, and the Hungarian research lab Crysys — are detecting the malware by looking for a font that shows up on infected machines called Palida Narrow.

Roel Schouwenberg, senior researcher at Kaspersky Labs, said that researchers still don’t know why Gauss’s creators included the font file.

He said there has been some speculation that the font’s name could be a play on the words “Paladin Arrow,” a weapons reference that would hint at destructive capabilities. Thus far, Gauss appears to have only been used for surveillance, but there are parts of the virus’s code that may hide further capabilities.

Whatever the reason for the font file, Schouwenberg said, it is acting as a convenient infection marker.

“We checked the code, there’s nothing in there,” he said. “It’s strange that they would go to the extent of building a font file.”

Kaspersky Labs has found around 2,500 occurrences of Gauss, which has been circulating since the fall of 2011.

Related stories:

Newly discovered malware linked to Stuxnet, Flame

U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say

Newly identified computer virus, used for spying, is 20 times size of Stuxnet