USB stick Gauss

Looks like the Gauss virus is giving researchers at Kaspersky Lab a hard time. The security firm is reaching out to the community for anyone who can help decrypt the malware’s payload.

“The purpose and functions of the encrypted payload currently remain a mystery,” said Aleks Gostev, the chief security expert of Kaspersky’s global research and analysis team in a statement. “The use of cryptography and the precautions the authors have used to hide this payload indicate its targets are high profile.”

Gauss was discovered by Kaspersky earlier this month. The virus attacks computers in the Middle East, specifically looking for access information to banks in Lebanon. These banks include Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank, and Credit Libanais. The only non-Lebanese entities that it targets are include Citibank and PayPal. The virus has direct ties to Flame, and is also related to Stuxnet and Duqu.

Other than stealing financial information, the virus also steals browser passwords, system configurations, cookies, and more. Like Stuxnet, it can also be passed from computer to computer by infecting USB drives.

Kaspersky explained that the payload lives in this “USB data-stealing module,” which looks for a specific folder in Program Files that starts with an extended character, such as Arabic or Hebrew. If it discovers the folder, and well as some other system requirements, it will decrypt and infect the computer with its payload.

“The size of the payload is also a concern,” Gostev said, “It’s big enough to contain coding that could be used for cybersabotage, similar to Stuxnet’s SCADA code. Decrypting the payload will provide a better understanding of its overall objective and the nature of this threat.”

Kaspersky originally discovered the malware in June, but has had difficulty deciphering details about Gauss. The main reason is that the hackers who created Gauss shut down its command and control servers before Kaspersky was able to track back to them.

Researchers believe the virus has infected more than 2,500 computers thus far.

USB stick image via osde8info/Flickr