Gauss Malware – Updated version of Stuxnet

Gauss is a highly complex and sophisticated online banking malware that belongs to the same family as Flame, Duqu and Stuxnet. Gauss seems to be updated version of Stuxnet malware. Similar characteristics of these malwares are as follows:

• Use encryption method (XOR)
• Command and control (C&C) servers
• Use .LNK exploit vulnerability
• Use USB as storage medium for stolen data
• Formulated to steal browser cookies

The primary focus of Gauss is to steal browser passwords, online banking account credentials and machine information of infected systems. Gauss infects 32-bit Windows machines, but it also contains a separate module for USB drives that can collect information from 64-bit Windows systems as well. Gauss has the ability to infect USB thumb drives with a data-stealing component that exploits the same .LNK vulnerability that was targeted by Stuxnet and Flame. Gauss is also capable of disinfecting the drive under certain circumstances and uses removable media to store collected information in a cleverly hidden file.

Additionally, Gauss also installs a font called ‘Palida Narrow’. This font file does not contain any malicious code. However, it can be used as a marker. This means that an attacker can remotely check if a system is infected by checking to see if this font is installed. Gauss uses several other plugins to collect information from the infected computer.

After execution it drops these following files:

• System32devwiz.ocx
• System32dskapi.ocx
• System32lanhlp32.ocx
• System32mcdmn.ocx
• System32smdk.ocx
• System32windig.ocx
• System32winshell.ocx
• Windowsfontspldnrfn.ttf

It modifies/creates the following registry entries:

HKLMSoftwareMicrosoftWindows NTCurrentVersionFonts
Palida Narrow (TrueType) = pldnrfn.ttf

Quick Heal successfully detects the files related to the Gauss malware. It is also recommended to keep your Operating System updated and to apply all the necessary security patches provided by Microsoft.

Ranjeet Menon