Gauss Hits Lebanon & Tech Today Supports Lebanese Banks
Once again, Tech Today flagged a security threat before it spread widely; the issue was raised on the TV show.
Security experts have uncovered new malware designed to steal information from banks in the Middle East, thought to be the fourth in a family of state-backed cyber attack tools built for espionage and sabotage, The Telegraph recently reported.
Named Gauss after an apparent reference to the German mathematician in its code, the malware has infected thousands of computers, mainly in Lebanon, according to the Russian security firm Kaspersky Lab and American companies such as CA. Tech Today is a channel partner of CA in Lebanon.
Tech Today followed up on the issue with senior security analysts at CA, who answered the questions that were raised:
- Which Total Defense product is able to detect the virus?
All products. Detection and cure have been added to e36 & e37, AV & AMS.
- Is r8.1 able to detect it and protect the systems?
- Which signature is able to detect the virus?
e36 signatures v8947, e37 AV signatures v10026, e37 AMS signatures v5928.
- Do we have something official that attests to what we say?
The Win32/Gauss worm appeared in the wild over the last weekend and was immediately caught by TD Research.
It is written in C# and consists of a number of components, each a DLL placed in the system directory: devwiz.ocx, dskapi.ocx, lanhlp32.ocx, mcdmn.ocx, smdk.ocx, windig.ocx, winshell.ocx, wbem\wmiqry32.ocx, wbem\wmihlp32.ocx and others that could be uploaded from the hacker’s server.
What’s amazing is that if an antivirus or monitoring application from the worm’s list is found on the machine, the worm does not infect the system.
The worm installs a browser helper object that collects Firefox passwords and cookies related to credit card credentials and billing sites. Moreover, it collects various information about the BIOS and network settings.
The collected data is sent to the hacker’s servers at: <domain>/userhome.php?sid=<SID>
The worm replicates by copying itself to removable USB drives. It places its infection module dskapi.ocx and a link file that exploits a system feature which runs the DLL automatically.
The worm uses the registry key ‘SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability ShutdownInterval’ to verify that it is installed and to store its configuration.
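The indicators in the CA/TD Research description above (the component file names in the system directory, the dskapi.ocx module next to a link file on removable drives, the Reliability/ShutdownInterval registry marker and the userhome.php?sid= exfiltration URL) can be turned into a small offline check. The Python below is an added example, not code from the original page, from CA or from Total Defense. The directory listing, registry export, USB root listing and proxy log lines are constructed sample data, the placeholder domain is not a real Gauss server, and reading ShutdownInterval as a value under the Reliability key is an assumption about the wording on the page.

```python
import json
import re

# Indicators as given in the CA/TD Research description above. Sample data and
# helper names below are constructed for this example, not taken from a real host.
GAUSS_COMPONENTS = {
    r"devwiz.ocx", r"dskapi.ocx", r"lanhlp32.ocx", r"mcdmn.ocx", r"smdk.ocx",
    r"windig.ocx", r"winshell.ocx", r"wbem\wmiqry32.ocx", r"wbem\wmihlp32.ocx",
}
USB_DROPPER = "dskapi.ocx"      # infection module the worm copies to removable drives
# The page gives 'Reliability ShutdownInterval'; treating ShutdownInterval as a
# value under the Reliability key is an assumption made here.
REG_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability"
REG_VALUE = "ShutdownInterval"
# Exfiltration URL shape from the description: <domain>/userhome.php?sid=<SID>
EXFIL_RE = re.compile(r"https?://([^/\s]+)/userhome\.php\?sid=([0-9A-Za-z]+)", re.I)


def _norm(path):
    """Normalise a Windows path for comparison: backslashes, no trailing slash, lower case."""
    return path.replace("/", "\\").rstrip("\\").lower()


def find_components(system_dir, listing):
    """Paths in `listing` whose location relative to system_dir matches a Gauss component."""
    base = _norm(system_dir) + "\\"
    wanted = {_norm(c) for c in GAUSS_COMPONENTS}
    return sorted(p for p in listing
                  if _norm(p).startswith(base) and _norm(p)[len(base):] in wanted)


def find_registry_marker(registry):
    """`registry` maps full key paths to {value_name: data}, e.g. parsed from a .reg export.
    Returns (key, value_name, data) for the Gauss marker, or None when absent."""
    for key, values in registry.items():
        if _norm(key).endswith(_norm(REG_KEY)):
            for name, data in values.items():
                if name.lower() == REG_VALUE.lower():
                    return key, name, data
    return None


def check_removable_root(root_listing):
    """Look for the dropper next to .lnk files in the root listing of a removable drive."""
    names = {n.lower() for n in root_listing}
    return {"dropper": USB_DROPPER in names,
            "links": sorted(n for n in names if n.endswith(".lnk"))}


def find_exfil(log_lines):
    """(domain, sid) pairs for proxy-log requests matching the exfiltration URL shape."""
    hits = []
    for line in log_lines:
        m = EXFIL_RE.search(line)
        if m:
            hits.append((m.group(1).lower(), m.group(2)))
    return hits


def scan_host(system_dir, listing, registry, usb_root, proxy_log):
    """Combine the four checks into one report; 'suspect' is True if any check fires."""
    report = {
        "components": find_components(system_dir, listing),
        "registry": find_registry_marker(registry),
        "usb": check_removable_root(usb_root),
        "exfil": find_exfil(proxy_log),
    }
    report["suspect"] = bool(report["components"] or report["registry"]
                             or report["usb"]["dropper"] or report["exfil"])
    return report


# Constructed sample input (not from a real machine); example.net/example.com are placeholders.
SAMPLE_SYSTEM32 = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\devwiz.ocx",
    r"C:\Windows\System32\DSKAPI.OCX",
    r"C:\Windows\System32\wbem\wmiqry32.ocx",
    r"C:\Windows\System32\wbem\wmiutils.dll",
]
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability": {
        "ShutdownInterval": "hex:0a,00,00,00",
    },
}
SAMPLE_USB_ROOT = ["dskapi.ocx", "Photos.lnk", "report.docx"]
SAMPLE_PROXY_LOG = [
    "1344585600.123 192.0.2.15 TCP_MISS/200 GET http://c2.example.net/userhome.php?sid=8f3a1c HTTP/1.1",
    "1344585601.456 192.0.2.15 TCP_MISS/200 GET http://www.example.com/index.html HTTP/1.1",
]

if __name__ == "__main__":
    print(json.dumps(scan_host(r"C:\Windows\System32", SAMPLE_SYSTEM32, SAMPLE_REGISTRY,
                               SAMPLE_USB_ROOT, SAMPLE_PROXY_LOG), indent=2))
```

On a real host the inputs would be a recursive listing of %SystemRoot%\System32, a .reg export of the Reliability key, the root listing of each removable drive and the web proxy's access log. A file-name match on its own is weak evidence (a benign file can share a name), so a hit should be treated as a trigger to pull the file and confirm it against the vendor signatures listed above, not as a verdict by itself.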
To get back to our main topic: analysis showed that Gauss is designed to spy on customers of the Lebanese banks BlomBank, ByblosBank and Credit Libanais. Citibank and PayPal customers have also been targeted, Kaspersky Lab said.
The malware may be connected to Stuxnet and two other related cyber espionage tools, Flame and Duqu, The Guardian notes. The US Department of Defense declined to comment.
“After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same ‘factory’ or ‘factories,’” Kaspersky wrote on its website.
“All these attack toolkits represent the high-end of nation-state-sponsored cyber-espionage and cyber war operations.”
Jeffrey Carr, a cyber-warfare expert who runs the security firm Taia Global, said the US government has long monitored Lebanese banks for clues about the activities of militant groups and drug cartels. He said Gauss was likely built by adapting technology deployed in Flame.
Several analysts said they were not surprised to hear that most of the Gauss infections were discovered in Lebanon, NBCNews.com reports.
Why didn’t the banks take Tech Today’s warning into consideration? It is a fair question to ask, and we leave it for you to answer.
Sources: CA; ITWeb; NBC; The Telegraph; Kaspersky; Tech Today Show.