The discovery of another piece of malware from the same family that brought us Flame (and Stuxnet and Duqu), this one focused on Lebanese banks, is the latest in a still-developing series of disclosures. The revelation of the first banking Trojan of this high-powered pedigree may be just the tip of the iceberg. Here’s what we know and what we don’t know.
What we don’t know yet, and may never know, is exactly how the payload propagated and what it did: its command and control servers were shut down in July 2012 as Kaspersky (and perhaps others) started snooping around. What we do know is that the infection spread via infected USB sticks, but there is no evidence that any kind of worm was employed, which indicates that the targets were very specific. The USB stick infected the target system, but it is not known whether the stick simply loaded the ShellHW module, which then continued the download, or whether other methods were used. All the systems Kaspersky has studied were already infected when examined, so the dropper file and the original infection vector cannot be ascertained.
We do know that the payload, which is encrypted and not yet available for analysis, is delivered by a .LNK exploit for the CVE-2010-2568 vulnerability, similar to the one used in Stuxnet but more effective. Note that this is not a zero-day: the vulnerability was patched by Microsoft in 2010 (MS10-046), so a patched host is not exposed to this stage. If the USB module detected any of a number of antimalware products, it terminated the mission. The module hides itself without using a driver and does not infect the system; it relies on a spy module saved on the USB drive.
We know that it:
- Injects modules into various browsers to intercept sessions and steal cookies, passwords and browser history
- Collects information about the computer’s network connections, processes and folders, BIOS and CMOS, and local, network and removable drives
- Infects USB drives with a module that steals information from other computers
- Ensures the toolkit is loaded and operational
- Controls communications with the command and control server
It also, for reasons unknown for now, installs the custom font Palida Narrow.
Around 2,500 infections have been encountered so far, with the highest concentrations in Lebanon (1,600), Israel (483) and the Palestinian Territory (261), and a smattering in the U.S. and other countries. Note that these are only cases discovered on Kaspersky customers’ machines; there are doubtless thousands more.
The Gauss shell module (winshell.ocx) contains code that targets Lebanese banks, including Bank of Beirut, Byblos Bank and Fransabank.
Kaspersky has established kinship with Flame: numerous common or near-common files and subroutines, near-identical initialization functions, and string decryption routines that, while not identical, are very similar.
After loading additional files, it tries to acquire the same privileges as explorer.exe. It copies all stolen data to the ~shw.tmp file. It communicates with its server using simple GET and POST request-response exchanges over HTTPS.
Kaspersky identified several command and control servers, whose domains were registered under false identities, such as a hotel in Portugal. On June 29, two of the domains shifted to a new IP address. The servers shut down on July 13.
Some of the servers used DNS balancing, probably for load balancing, which suggests that traffic at its peak was heavy. Round-robin DNS is also used for resilience, though, so this is an inference about volume rather than proof.
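As an added example (not part of the original article, and not code from Kaspersky), here is a Python host-triage script that checks a Windows machine for the three artifacts named above: the Palida Narrow font registration, the winshell.ocx module and the ~shw.tmp staging file. The article does not say where the files live, so the registry key, the directories searched (%TEMP% and System32), the constructed font file name and the sample data are assumptions made for this example; a match is a lead for further analysis, not proof of infection.

```python
"""
Host triage for the Gauss artifacts this article names: the Palida Narrow
font, the winshell.ocx module and the ~shw.tmp staging file.

Only the three indicator names come from the article. The registry key,
the directories searched and the sample data are assumptions made for this
example; presence of an indicator is a lead, not proof of infection (the
font in particular could be installed for other reasons).
"""
import ntpath
import os
import sys
from typing import Dict, Iterable, List

# Indicators named in the article (matched case-insensitively).
FONT_INDICATOR = "palida narrow"
FILE_INDICATORS = frozenset({"winshell.ocx", "~shw.tmp"})

# Assumed location: the standard Windows font registration key.
FONTS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts"


def match_font_entries(font_values: Dict[str, str]) -> List[str]:
    """Flag registry font entries (value name -> font file) that mention
    Palida Narrow in either the name or the file they point to."""
    hits = []
    for name, data in font_values.items():
        if FONT_INDICATOR in name.lower() or FONT_INDICATOR in str(data).lower():
            hits.append(f"font: {name} = {data}")
    return hits


def match_file_names(paths: Iterable[str]) -> List[str]:
    """Flag paths whose file name is one of the named Gauss files.
    ntpath.basename understands both '\\' and '/', so paths collected on a
    live Windows host and the constructed sample behave the same."""
    hits = []
    for p in paths:
        if ntpath.basename(p).lower() in FILE_INDICATORS:
            hits.append(f"file: {p}")
    return hits


def triage(font_values: Dict[str, str], paths: Iterable[str]) -> dict:
    """Combine both checks into one verdict for a host."""
    hits = match_font_entries(font_values) + match_file_names(paths)
    return {"suspicious": bool(hits), "indicators": hits}


def collect_windows_host():
    """Live collection; Windows only. Enumerates the Fonts key and lists
    %TEMP% and System32 (assumed locations, see module docstring)."""
    import winreg  # only available on Windows

    fonts: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FONTS_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            fonts[name] = str(data)
            index += 1

    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    paths: List[str] = []
    for directory in (os.environ.get("TEMP", ""), system32):
        if directory and os.path.isdir(directory):
            paths.extend(os.path.join(directory, f) for f in os.listdir(directory))
    return fonts, paths


# Constructed sample data standing in for a live host (not real telemetry).
SAMPLE_FONTS = {
    "Arial (TrueType)": "arial.ttf",
    "Palida Narrow (TrueType)": "palidanarrow.ttf",  # constructed file name
}
SAMPLE_PATHS = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\winshell.ocx",
    r"C:\Users\analyst\AppData\Local\Temp\~shw.tmp",
]


if __name__ == "__main__":
    if sys.platform == "win32":
        fonts, paths = collect_windows_host()
    else:
        fonts, paths = SAMPLE_FONTS, SAMPLE_PATHS
    result = triage(fonts, paths)
    print("suspicious:", result["suspicious"])
    for hit in result["indicators"]:
        print(" ", hit)
```

Run it on a Windows host to collect live data; on any other platform it falls back to the constructed sample so the matching logic can be exercised offline. The collection and matching are kept separate so the same matcher can be pointed at registry and directory listings exported from many hosts.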
What was the Gauss network up to? It is pretty clear that some nation (and it’s a pretty good guess which one) was “following the money,” possibly money tied to terrorist or related activity. The relatively few infected PCs in the U.S. (at least as far as Kaspersky knows) point to tracking the activities of people within the U.S. The discovery of a banking Trojan tracking activity around Lebanese accounts indicates it may be just the beginning.