Friday Aug. 10, 2012 3:46 AM (EST+7)
Virus found in Mideast can spy on bank transactions
BOSTON, Aug 9 (Jim Finkle/Reuters) - A new cyber surveillance virus has been found in the Middle East that can spy on banking transactions and steal login information for social networking sites, email and instant messaging, according to a leading computer security firm, Kaspersky Lab.
Dubbed Gauss, the virus may also be capable of attacking critical infrastructure and was very likely built in the same laboratories as Stuxnet, the computer worm widely believed to have been used by the United States and Israel to attack Iran's nuclear program, Kaspersky Lab said on Thursday.
The Moscow-based firm said it found Gauss had infected more than 2,500 personal computers, the bulk of them in Lebanon, Israel and the Palestinian territories. Targets included Lebanon's BlomBank, ByblosBank and Credit Libanais, as well as Citigroup Inc's Citibank and eBay's PayPal online payment system.
Officials with the three Lebanese banks said they were unaware of the virus. PayPal spokesman Anuj Nayar said the company was investigating the matter but was not aware of any increase in "rogue activity" as a result of Gauss. A Citibank spokeswoman declined to comment.
Kaspersky Lab would not speculate on who was behind Gauss, but said the virus was connected to Stuxnet and two other related cyber espionage tools, Flame and Duqu. The U.S. Department of Defense declined to comment.
"After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same 'factory' or 'factories,'" Kaspersky said on its website. "All these attack toolkits represent the high end of nation-state-sponsored cyber-espionage and cyber war operations."
Kaspersky's findings are likely to fuel a growing international debate over the development and use of cyber weapons and espionage tools. Those discussions were stirred up by the discovery of Flame in May by Kaspersky and others.
Jeffrey Carr, an expert on cyber warfare who runs a small security firm known as Taia Global, said the U.S. government has long monitored Lebanese banks for clues about the activities of militant groups and drug cartels. He said Gauss was likely built by adapting technology deployed in Flame.
"You've got this successful platform. Why not apply it to this investigation into Lebanese banks and whether or not they are involved in money laundering for Hezbollah?" he said.
Several analysts said they were not surprised to hear that most of the Gauss infections were discovered in Lebanon. "Beirut is a hot spot for the clandestine movement of money by states," said a former U.S. intelligence expert on money laundering who asked not to be named.
New York's state banking regulator this week accused Britain's Standard Chartered Plc of violating U.S. anti-money laundering laws by scheming with Iran to hide more than $250 billion of transactions.
Experts said that surveillance viruses like Gauss are perfect tools for government intelligence units to gather information for such investigations, though they did not specifically link Gauss to the Standard Chartered case.
"Espionage happens all the time," said Mikko Hypponen, chief research officer at anti-virus software maker F-Secure. "In the old days you had to go where the information was to copy it. Today it is on computers and networks."
HOMAGE TO MATHEMATICIANS
According to Kaspersky Lab, Gauss can also steal Internet browser passwords and other data, and send information about system configurations.
Modules in the virus have internal names that Kaspersky Lab researchers believe were chosen to pay homage to famous mathematicians and philosophers, including Johann Carl Friedrich Gauss, Kurt Gödel and Joseph-Louis Lagrange.
Kaspersky Lab said it called the virus Gauss because that is the name of the most important module, which implements its data-stealing capabilities.
One of the firm's top researchers said Gauss also contains a module known as "Godel" that may include a Stuxnet-like weapon for attacking industrial control systems. Stuxnet, discovered in 2010, was used to attack computers that controlled the centrifuges at a uranium enrichment facility in Natanz, Iran.
Roel Schouwenberg, a senior researcher with Kaspersky, said the Godel code may include a similar "warhead."
Godel copies a compressed, encrypted program onto USB drives. That program will only decompress and activate when it comes in contact with a targeted system.
While Kaspersky has yet to fully crack Godel's code, Schouwenberg said he suspects it is a cyber weapon designed to cause physical damage and that its developers went to a lot of trouble to hide its purpose, using an encryption scheme that could take months or even years to unravel.
UN TO ISSUE WARNING
A United Nations agency that advises countries on protecting infrastructure plans to send an alert on the mysterious code.
"We don't know what exactly it does. We can have some ideas. We are going to emphasize this," said Marco Obiso, a cyber security coordinator for the Geneva-based International Telecommunication Union, or ITU.
Kaspersky estimates the total number of victims in the tens of thousands. More than half of the 2,500 found since May were in Lebanon, while only 43 were in the United States.
The U.S. Department of Homeland Security said it was analyzing the potential threat posed by Gauss.
"The department's cyber security analysts are working with organizations that could potentially be affected to detect, mitigate and prevent such threats," said DHS spokesman Peter Boogaard.
Researchers at Symantec Corp, the biggest maker of security software, have begun analyzing Gauss and said it appeared at first blush to be related to Stuxnet, Duqu and Flame, according to a spokeswoman for the company.
Iranian President Mahmoud Ahmadinejad tours a nuclear enrichment facility in central Iran, November 2011. (Reuters)