New 'Gauss' virus found by Russia's Kaspersky Lab (Update)

Employees of Kaspersky Lab work in 2011
Employees of Kaspersky Lab work in 2011. A new "state-sponsored" cyber surveillance virus dubbed "Gauss" has stolen passwords and key data from thousands of bank users in the Middle East, the top IT security firm Kaspersky Lab said Thursday.

A new computer virus tied to some of the most sophisticated cyberweapons thus-far discovered has been found circulating in the Middle East, a Moscow-based computer security company said Thursday. If a link were confirmed, the find would expand the electronic arsenal reportedly deployed by the U.S. and Israel against their rivals in the region.

Kaspersky Lab ZAO said in a statement that the new virus, dubbed "Gauss," was aimed at stealing financial information from customers of a series of Lebanese banks.

The firm said that similarities in coding, structure, and operation meant it could say "with a high degree of certainty" that Gauss was related to "Flame," a sophisticated piece of spyware which prompted an Internet blackout across Iran's oil industry in April, and to "Stuxnet," an infrastructure-wrecking worm whose discovery revolutionized the cybersecurity field.

The statement acknowledged that much remained unclear about the virus's capabilities — including its ultimate purpose. Kaspersky said that the virus's command-and-control servers were shut down last month, meaning that, for the time being, "the malware is in a dormant state."

Kaspersky outlined several similarities which Gauss shared with Flame, a program which was recently-discovered vacuuming information from computers in Iran. So powerful was the spyware that in late April Iranian officials briefly disconnected the entire country's oil industry — including the Oil Ministry, energy rigs, and the strategic Khark Island oil terminal — in a bid to contain Flame's data theft.

Flame in turn has been linked to Stuxnet, an ambitious program aimed at sabotaging uranium enrichment at Iranian nuclear facilities. Stuxnet's discovery in 2010 was of particular interest to cybersecurity professionals because it interfered with the action of German-made centrifuges — the most high-profile example to date of a computer virus causing physical havoc at an industrial facility.

Recent reports in The New York Times and The Washington Post have tied both Flame and Stuxnet to a secret U.S.-Israeli program aimed at destabilizing Iran's atomic energy program, which many Western countries believe is a cover for the development of nuclear weapons.

It isn't exactly clear how Gauss would fit in to such a program, and Kaspersky acknowledged that stealing money from banks didn't seem like an activity state-backed actors were likely to be engaged in.

Other anti-virus firms were still digesting Gauss's code Thursday.

"People are definitely getting excited about it because of the supposed connection to Flame and Stuxnet," Chris Astacio, of San Diego-based Websense, said in telephone interview. "But without looking at the binary (the raw code of the virus) we can't really comment."

Kaspersky said it was working with the International Telecommunication Union to notify those affected by the infection.

A call and an email to the Geneva-based organization were not immediately returned.

More information:
Kaspersky's Q & A on Gauss:

Kaspersky's analysis of the virus:

Copyright 2012 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Citation: New 'Gauss' virus found by Russia's Kaspersky Lab (Update) (2012, August 9) retrieved 29 September 2023 from
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Explore further

Malware hunter Kaspersky warns of cyber war dangers


Feedback to editors