Joint Security Awareness Report (JSAR-12-222-01)
Gauss Information-Stealing Malware
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
On August 9, 2012, Kaspersky Lab released a report on a new information-stealing malware it has named "Gauss." According to the report, Gauss is designed to collect information from infected systems and send the data to its command-and-control servers.
Kaspersky has detected Gauss predominantly on systems in Lebanon, the Palestinian Territories, and Israel. Gauss has also been detected on a limited number of networks in the U.S.; however, the impact on these systems is currently unknown. Based on initial reporting and analysis of Gauss, no evidence exists that Gauss targets industrial control systems (ICS) or U.S. government agencies.
According to Kaspersky, Gauss collects information using several modules, which provide the following functionality:
- injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies, and browser history,
- collecting information about the computer’s network connections,
- collecting information about processes and folders,
- collecting information about BIOS and CMOS RAM,
- collecting information about local, network and removable drives,
- infecting removable media drives with an information-stealing module in order to steal information from other computers,
- installing the custom "Palida Narrow" font (purpose unknown),
- ensuring the entire toolkit’s loading and operation, and
- interacting with the command and control server, sending the information collected to it, and downloading additional modules.
Kaspersky's analysis indicates that Gauss has a number of similarities to Duqu, Flame, and Stuxnet. The USB information-stealing module exploits a known Windows shortcut (".LNK") vulnerability (CVE-2010-2568), the same vulnerability exploited by Stuxnet to spread via removable media. According to the report, the USB module also carries an encrypted payload whose functionality is unknown. Both ICS-CERT and US-CERT are evaluating the malware to understand its full functionality and will report updates as needed.
At this time, no specific mitigations are available; however, several indicators associated with Gauss have been published in Kaspersky’s report. Organizations should consider taking defensive measures using the available indicators where practical.
In addition to leveraging the available indicators for defensive purposes, ICS-CERT and US-CERT encourage organizations to:
- Exercise caution when using removable media, including USB drives, in order to prevent the spread of Gauss.[a]
- Apply Windows Updates to patch CVE-2010-2568 (addressed by Microsoft Security Bulletin MS10-046, released August 2010).
- Update antivirus definitions for detection of the Gauss malware.
- Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.[b]
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
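The following script is an added example written for this report; it is not code from ICS-CERT, US-CERT or Kaspersky. It turns three of the points above into host checks an administrator can run on a Windows system: whether the MS10-046 fix for CVE-2010-2568 is listed, whether a "Palida Narrow" font is registered or loaded, and whether any removable drive carries .LNK and .DLL files together at its root. Assumptions: KB2286198 is the update package that MS10-046 shipped; Windows registers fonts under their face name in the Fonts registry key; and the .LNK/.DLL pairing is a general heuristic for CVE-2010-2568-style media, not a published Gauss indicator.

```powershell
# Added example: host checks derived from the report's description of Gauss.
# Run in an elevated Windows PowerShell session on the host being examined.
# Assumptions (not from the report): KB2286198 = MS10-046 package; font face
# name appears in the Fonts registry key; .lnk+.dll at a removable root is a
# heuristic for CVE-2010-2568-style media, not a Gauss signature.

function Test-LnkPatch {
    # Later cumulative updates can supersede KB2286198, so a missing entry
    # means "verify through WSUS/SCCM", not "vulnerable".
    $fix = Get-HotFix -Id 'KB2286198' -ErrorAction SilentlyContinue
    if ($fix) {
        return [pscustomobject]@{ Installed = $true;  Detail = "KB2286198 installed on $($fix.InstalledOn)" }
    }
    return [pscustomobject]@{ Installed = $false; Detail = 'KB2286198 not listed; confirm CVE-2010-2568 patch state via WSUS/SCCM' }
}

function Find-PalidaFont {
    # Two independent views: the Fonts registry key, and the font families GDI+
    # actually has loaded, in case one of the two was cleaned up.
    $hits = @()
    $regKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'
    $reg = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue
    if ($reg) {
        $reg.PSObject.Properties |
            Where-Object { $_.Name -like '*Palida*' } |
            ForEach-Object { $hits += "registry: '$($_.Name)' -> $($_.Value)" }
    }
    Add-Type -AssemblyName System.Drawing
    $installed = New-Object System.Drawing.Text.InstalledFontCollection
    $installed.Families |
        Where-Object { $_.Name -like '*Palida*' } |
        ForEach-Object { $hits += "installed family: $($_.Name)" }
    return $hits
}

function Find-RemovableLnkDllPairs {
    # Win32_LogicalDisk DriveType 2 = removable. Flag roots holding both
    # .lnk and .dll files, the layout used by CVE-2010-2568 exploitation.
    $findings = @()
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $root = $_.DeviceID + '\'
        $lnk = @(Get-ChildItem -Path $root -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue)
        $dll = @(Get-ChildItem -Path $root -Filter '*.dll' -File -Force -ErrorAction SilentlyContinue)
        if ($lnk.Count -gt 0 -and $dll.Count -gt 0) {
            $findings += [pscustomobject]@{
                Drive    = $root
                LnkFiles = ($lnk.Name -join ', ')
                DllFiles = ($dll.Name -join ', ')
            }
        }
    }
    return $findings
}

$patch = Test-LnkPatch
"CVE-2010-2568: $($patch.Detail)"

$font = Find-PalidaFont
if ($font) { $font | ForEach-Object { "SUSPECT font: $_" } } else { "No 'Palida Narrow' font found" }

$media = Find-RemovableLnkDllPairs
if ($media) { $media | Format-Table -AutoSize } else { 'No .lnk/.dll pairing at any removable drive root' }
```

A hit from any of the three checks is a reason to pull the host and the media for analysis, not proof of infection: the font name alone can be matched by a legitimately installed font of the same name, and the .LNK/.DLL pairing is common on media prepared by other tools. Treat the output as triage input and confirm against the indicators published in Kaspersky's report.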
ICS-CERT and US-CERT remind organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
ICS-CERT recommends that organizations review the ICS-CERT Technical Information Paper ICS-TIP-12-146-01 Cyber Intrusion Mitigation Strategies for high-level strategies that can improve overall visibility of a cyber intrusion and aid in recovery efforts should an incident occur.
The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the US-CERT Web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT and US-CERT for tracking and correlation against other incidents.
- [a] Using Caution with USB Drives, http://www.us-cert.gov/cas/tips/ST08-001.html, Web site last accessed August 9, 2012.
- [b] ICS-CERT ALERT, http://ics-cert.us-cert.gov/alerts/ICS-ALERT-11-343-01, Web site last accessed August 9, 2012.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870