Researchers on Thursday revealed the name of a new kind of malicious software that they recently discovered. Named Gauss, this malware appears to have descended from the same state-sponsored program that produced viruses such as Stuxnet and Flame.
The researchers believe that this malware shares features with the earlier identified viruses that targeted computers attached to Iran's nuclear program. The new software, Gauss, is designed in particular to lift information such as customer data from banks, as well as from PayPal and Citibank, in Lebanon.
It is believed that earlier detected viruses, Stuxnet and Flame were developed by the United States and Israel.
Gauss malware was discovered while researchers were looking for variants of Flame. The name Gauss comes from the program's main module, which appears to be named after the German mathematician Carl Friedrich Gauss. Other portions of the program are also named after famous mathematicians. The program began circulating as early as September.
So far, Kaspersky Lab, the Russian cybersecurity firm, has found about 2,500 infections but believes there may be tens of thousands worldwide. Along with finding the malware in Lebanon, researchers found it in Israel and the Palestinian territories.
How Gauss is transmitted from computer to computer remains unclear. Because the virus cannot spread on its own, it has not yet affected as many computers as Stuxnet. What it can do is place monitoring software onto portable USB drives to gather information from uninfected machines, which gives Gauss the chance to profile computers that are not connected to the Internet.
It is also believed that Gauss was designed only for surveillance. It wasn’t made to cause physical damage, unlike Stuxnet, which destroyed centrifuges in the middle of Iran’s nuclear program. But researchers still have to crack sections of Gauss’s code that could hide destructive capabilities.
Researchers said there is a module in Gauss that installs a font under the curious name of "Palida Narrow." That file does not contain malicious code, but there is an assumption that its name hints at a destructive payload.
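Because the font itself is harmless but its presence is a sign that the installer ran, a defender can use it as a host-level indicator. The following script is an added example and is not code from the article or from Kaspersky; it assumes that Windows records installed fonts under the registry key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts` (value name = display name, value data = file name) and that the pure matching logic can be exercised on a constructed list of entries on any platform. The file name `pala_narrow.ttf` in the sample data is constructed for illustration and is not a published indicator.

```python
"""Check a host's installed-font list for the 'Palida Narrow' font that the
Gauss installer drops. Added example, not from the original article."""
import re

# Display name of the font the article describes; matching is case-insensitive.
INDICATOR_FONT = "palida narrow"


def normalize(display_name):
    """Strip a trailing '(TrueType)'-style suffix and case-fold the name.
    'Palida Narrow (TrueType)' -> 'palida narrow'."""
    return re.sub(r"\s*\([^)]*\)\s*$", "", display_name).strip().lower()


def find_indicator_fonts(font_entries):
    """font_entries: iterable of (display_name, file_name) pairs, as read from
    the Windows Fonts registry key. Returns the entries whose display name
    matches the indicator font."""
    return [(name, path) for name, path in font_entries
            if normalize(name) == INDICATOR_FONT]


def read_windows_font_entries():
    """Enumerate the Fonts registry key on a Windows host (assumed layout:
    value name = display name, value data = file name). Returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts"
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            entries.append((name, str(data)))
            index += 1
    return entries


# Constructed sample resembling registry entries; the Palida file name is made up.
SAMPLE_ENTRIES = [
    ("Arial (TrueType)", "arial.ttf"),
    ("Times New Roman (TrueType)", "times.ttf"),
    ("Palida Narrow (TrueType)", "pala_narrow.ttf"),
]

if __name__ == "__main__":
    entries = read_windows_font_entries() or SAMPLE_ENTRIES
    hits = find_indicator_fonts(entries)
    print("indicator font present:" if hits else "indicator font not found",
          hits)
```

On a real host the script reads the registry; anywhere else it falls back to the constructed sample so the matching logic can be reviewed. Treat a hit as a trigger for deeper investigation (process and USB activity, network connections), not as proof of infection on its own, since any program could install a font with that name.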