Kaspersky said that the hackers who created Gauss shut down its command and control servers before the firm could track them down, which is the main reason the firm is still struggling to decode details about the virus.
In a statement, Aleks Gostev, chief security expert on Kaspersky's global research and analysis team, said that the idea and purpose of Gauss remain a mystery to the researchers. He added that the cryptography and precautions the authors used to hide the malware's payload suggest it is meant for high-profile targets.
Gostev also explained that in order to understand the virus, it is essential to decrypt the Gauss payload. He added that the payload may contain code that could be used for cyber-sabotage, like the SCADA-targeting code in Stuxnet.
The destructive malware, Gauss, discovered by Kaspersky earlier this month, was aimed at spying on the banking passwords and transactions of computers in the Middle East, specifically in Lebanon. The banks the virus targeted include Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank, and Credit Libanais. The malware also targets Citibank and PayPal, the only non-Lebanese institutions on its list.
The virus is believed to be directly related to Flame, and is also said to be a descendant of Stuxnet and Duqu.
Gauss malware is designed to steal financial information, browser passwords, system configurations, cookies, and more. Like Stuxnet, it can also be passed from computer to computer by infecting USB drives.
Researchers at Kaspersky clarified that the payload of Gauss resides in the USB data-stealing module. This payload, they said, constantly looks for a particular folder in Program Files whose name begins with an extended character, such as an Arabic or Hebrew letter. Once such a folder is found and the other system requirements are met, Gauss decrypts its payload and infects the computer.
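A defender-side check for the trigger condition described above, added here as an example and not Kaspersky's code: it lists directories under Program Files whose names begin with a non-ASCII character (this example treats any such character as "extended", which is broader than the article's description) and names the Unicode block so Arabic or Hebrew cases stand out. The sample directory names are constructed.

```python
"""Audit Program Files for directory names that begin with a non-ASCII
("extended") character, the condition the article says Gauss watches for
before decrypting its payload. Added example; sample names are constructed."""
import os
import unicodedata
from typing import List, Optional, Tuple


def leading_script(name: str) -> Optional[str]:
    """Return the Unicode block name (e.g. 'ARABIC', 'HEBREW') of the first
    character when it lies outside ASCII, or None for an empty/ASCII name."""
    if not name:
        return None
    first = name[0]
    if ord(first) < 128:
        return None
    # unicodedata.name yields e.g. 'ARABIC LETTER ALEF' or 'HEBREW LETTER TAV';
    # the first word is the block. Unnamed code points fall back to 'UNKNOWN'.
    return unicodedata.name(first, "UNKNOWN").split(" ")[0]


def suspicious_dirs(names: List[str]) -> List[Tuple[str, str]]:
    """Keep only names starting with an extended character, paired with block."""
    flagged = []
    for name in names:
        block = leading_script(name)
        if block is not None:
            flagged.append((name, block))
    return flagged


def scan_program_files() -> List[Tuple[str, str]]:
    """Enumerate the real Program Files roots on Windows; returns [] elsewhere."""
    roots = [os.environ.get("ProgramFiles"), os.environ.get("ProgramFiles(x86)")]
    found = []
    for root in roots:
        if root and os.path.isdir(root):
            entries = [e for e in os.listdir(root)
                       if os.path.isdir(os.path.join(root, e))]
            found.extend((os.path.join(root, n), b) for n, b in suspicious_dirs(entries))
    return found


# Constructed sample: two ordinary names, one Arabic, one Hebrew, one ordinary.
SAMPLE_DIRS = ["Common Files", "Internet Explorer",
               "\u0627\u0644\u0628\u0631\u0646\u0627\u0645\u062c",  # Arabic word
               "\u05ea\u05d5\u05db\u05e0\u05d4",                     # Hebrew word
               "Microsoft"]

if __name__ == "__main__":
    for path, block in scan_program_files() or suspicious_dirs(SAMPLE_DIRS):
        print(f"{path!r}: name starts with a {block} character")
```

On a non-Windows host the script falls back to the constructed sample so the check can still be exercised.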
So far, Gauss malware is believed to have infected more than 2,500 computers.