Researchers said Thursday that they have identified a new kind of malicious software that appears to be the creation of the same state-sponsored program that produced the viruses known as Stuxnet and Flame.
The malware, the researchers said, shares characteristics with the previously identified viruses, which were aimed at computers tied to Iran’s nuclear program. But the new software has been found primarily in Lebanon. It is designed to steal information, including customers’ online banking data, as well as PayPal and Citibank account details.
“Nation-states want to monitor activity,” said Roel Schouwenberg, senior researcher for Kaspersky Lab, the Russian cybersecurity firm that discovered the new malware and also discovered Flame. “Seeing how the money is flowing in these bank accounts can be very interesting for them.”
Stuxnet and Flame are believed to have been developed by the United States and Israel.
In its analysis, Kaspersky experts stopped short of speculating on who might be behind the new malware, dubbed Gauss, but they said they believe it “was created by the same ‘factory’ which produced Flame. This indicates it is most likely a nation-state sponsored operation.”
Gauss was discovered while researchers were looking for variants of Flame. Its name comes from the program’s main module, which appears to be named for the German mathematician Carl Friedrich Gauss. Other portions of the program are also named for prominent mathematicians. The program began circulating as early as September 2011.
So far, Kaspersky has found about 2,500 infections but believes there may be tens of thousands worldwide. In addition to finding the malware in Lebanon, researchers found it in Israel and the Palestinian territories.
It is unclear how Gauss is transmitted from computer to computer. The virus does not appear to have the capability to spread on its own, which might explain why it has not affected as many computers as Stuxnet. But it does copy a data-collection component onto portable USB drives, which then gathers information from otherwise uninfected machines the drives are plugged into, researchers said. Doing so gives Gauss the opportunity to profile computers that are not connected to the Internet.
It appears Gauss was designed only for surveillance, not to cause physical damage, unlike Stuxnet, which destroyed centrifuges at the heart of Iran’s nuclear program. But researchers have yet to crack sections of Gauss’s code that could hide destructive capabilities, Kaspersky said.
Researchers said Gauss includes a module that installs a font under the curious name of “Palida Narrow.” That file does not appear to contain malicious code, but Schouwenberg said there is speculation that its name hints at a destructive payload.
“It could be ‘Paladin Arrow,’ which would make reference to a knight,” he said, adding that very little is known about the parts of Gauss that remain encrypted.
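Because the font itself is benign but is dropped only by Gauss, its presence on a Windows host is a usable indicator. The script below is an added example written for this article, not Kaspersky’s detection tool and not code from the malware analysis: it parses the installed-font list that Windows keeps under the registry key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts` (that key is real) and flags any entry whose display name is “Palida Narrow”, ignoring case and the “(TrueType)”-style suffix the registry appends. The sample `reg export` text and the font file name `palida.ttf` in it are constructed for the demonstration and are not indicators from the report.

```python
"""Check a Windows font list for the "Palida Narrow" font that Gauss installs.

Editorial example, not Kaspersky's tool. The registry key is real; the
SAMPLE_EXPORT text and the file name "palida.ttf" are constructed.
"""
import re
import sys

# Real Windows registry key that maps installed font display names to files.
FONTS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts"

# Indicator: the font's base display name, compared case-insensitively.
INDICATOR = "palida narrow"

# A value line from `reg export` looks like:  "Arial (TrueType)"="arial.ttf"
_REG_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<file>[^"]*)"\s*$')
# Trailing "(TrueType)" / "(OpenType)" style suffix on the display name.
_SUFFIX = re.compile(r"\s*\([^)]*\)\s*$")


def parse_reg_export(text):
    """Turn the value lines of a `reg export` dump of the Fonts key into a
    list of (display_name, file_name) tuples; header and blank lines skip."""
    fonts = []
    for line in text.splitlines():
        m = _REG_LINE.match(line.strip())
        if m:
            fonts.append((m.group("name"), m.group("file")))
    return fonts


def find_indicator(fonts, indicator=INDICATOR):
    """Return every (display_name, file_name) whose base name equals the
    indicator once the "(TrueType)"-style suffix and case are removed."""
    hits = []
    for name, file_name in fonts:
        base = _SUFFIX.sub("", name).strip().lower()
        if base == indicator:
            hits.append((name, file_name))
    return hits


def live_windows_fonts():
    """Read the same (name, file) list straight from the registry on Windows."""
    import winreg  # standard library, but only present on Windows
    fonts = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FONTS_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the values are exhausted
                break
            fonts.append((name, str(value)))
            index += 1
    return fonts


# Constructed sample of a `reg export` dump: two normal fonts plus the
# indicator. "palida.ttf" is a placeholder file name, not a published IOC.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Arial (TrueType)"="arial.ttf"
"Consolas (TrueType)"="consola.ttf"
"Palida Narrow (TrueType)"="palida.ttf"
'''


def main():
    # On Windows inspect the live host; elsewhere run over the sample dump.
    fonts = live_windows_fonts() if sys.platform == "win32" else parse_reg_export(SAMPLE_EXPORT)
    hits = find_indicator(fonts)
    for name, file_name in hits:
        print(f"indicator present: {name!r} -> {file_name}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run with no arguments on a Windows host to inspect the live registry, or feed `parse_reg_export` the text of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts" fonts.reg` taken from a machine you cannot run Python on. A hit means the font is installed, not that it is currently in use by a running payload; absence only rules out this one Gauss module, so treat the result as a triage signal, not a clean bill of health.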