A map showing where infections of the sophisticated Gauss malware were found.
In the past two days researchers have unmasked two sophisticated cyber-espionage tools created by nation sates. And some experts now say there’s evidence criminals are adopting techniques learned from such tools.
On Wednesday, computer security company Rapid7 researcher Claudio Guarnieri shared new details of the workings of FinFisher, a piece of malware sold by UK contractor Gamma Group to government agencies.
FinFisher can turn on webcams, record keystrokes, intercept Skype calls and take over a computer. Gamma Group have said that it is sold only to governments but little was known about its use. Guarnieri reverse engineered FinFisher’s remote control system to reveal that it is used in a wide range of countries, raising fears that it may be in use by governments with less-than-perfect human rights records, and maybe by private parties, too. He found FinFisher servers at work in Australia, Czech Republic, United Arab Emirates, Ethiopia, Estonia, Indonesia, Latvia, Mongolia, Qatar, and the United States.
Guarnieri’s post describes it as “frankly embarrassing” that he could so easily break the command and control system used to operate FinFisher. Although what he found didn’t constitute firm evidence the tool has leaked outside government hands, his post concludes:
[O]nce any malware is used in the wild, it’s typically only a matter of time before it gets used for nefarious purposes […] As we’ve seen countless times before, and will certainly see again, it’s impossible to keep this kind of thing under control in the long term.
On Thursday, researchers at antivirus company Kaspersky announced their own discovery:
Gauss is a complex, nation-state sponsored cyber-espionage toolkit designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies, and specific configurations of infected machines.
They found Gauss thanks to its similarity with Flame, a piece of government-backed spyware discovered in May this year and described as “the most complex malware ever found.” Flame was a kind of multi-purpose data thief, able to send all kinds of data back to its operator. Its newly-described cousin Gauss is more specialized, and concerned with stealing online banking credentials. The tool is most capable at targeting Lebanese banks, but can also grab credentials for Citibank and PayPal accounts. Kaspersky estimate that Gauss has infected some 2,500 computers, mostly in Lebanon, compared to just 700 for Flame. They estimate that Gauss has been operating since September 2011, and became “dormant”, waiting for new orders, last month after Kaspersky found it.
Speaking to the New York Times, a security expert from RSA questions Kaspersky’s claim that a state must have created Gauss:
“State-sponsored actors do not go after bank accounts. That’s not to say they couldn’t, but it’s incongruent with traditional nation-state behavior. It’s possible the code was made available underground and repurposed or reused by cybercriminals.”
That raises more worrying prospect for those Web users not part of the intelligence community – that sophisticated tools such as Stuxnet and Flame are teaching criminals new tricks. Kaspersky and other antivirus software has now been updated to detect Flame and Gauss, but modified versions could get around that. In the offline world, secret military technology usually stays secret. But things are different today. As one expert put it to me last month (see “The Antivirus Era is Over”):
“Never have so many billions of dollars of defense technology flowed into the public domain.”