How to Detect & Remove Gauss Malware

Gauss is a successor of the Flame malware, which was detected in May 2012. While analyzing Flame, Kaspersky discovered Gauss, a nation-state sponsored banking Trojan that carries a warhead of unknown designation.

Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload which is activated only on certain specific system configurations. According to Kaspersky, the malware installs a custom font called Palida Narrow (purpose unknown) on affected systems, and the presence of this font can be used to check whether a system is infected with this malware.

What is Gauss? Where does the name come from?

Gauss is a complex cyber-espionage toolkit created by the same actors behind the Flame malware platform. It is highly modular and supports new functions which can be deployed remotely by the operators in the form of plugins.

Gauss is a project developed in 2011-2012 along the same lines as the Flame project. The malware has been actively distributed in the Middle East for at least the past 10 months. The largest number of Gauss infections has been recorded in Lebanon, in contrast to Flame, which spread primarily in Iran.

Functionally, Gauss is designed to collect as much information about infected systems as possible, as well as to steal credentials for various banking systems and social network, email and IM accounts. The Gauss code includes commands to intercept data required to work with several Lebanese banks – for instance, Bank of Beirut, Byblos Bank, and Fransabank.

Curiously, several Gauss modules are named after famous mathematicians. The platform includes modules that go by the names “Gauss”, “Lagrange”, “Godel”, “Tailor”, “Kurt” (in an apparent reference to Godel).

Gauss is designed to collect information and send the data collected to its command-and-control servers. Information is collected using various modules, each of which has its own unique functionality:

1. Injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies and browser history.
2. Collecting information about the computer’s network connections.
3. Collecting information about processes and folders.
4. Collecting information about BIOS, CMOS RAM.
5. Collecting information about local, network and removable drives.
6. Infecting USB drives with a spy module in order to steal information from other computers.
7. Installing the custom Palida Narrow font (purpose unknown).
8. Ensuring the entire toolkit’s loading and operation.
9. Interacting with the command and control server, sending the information collected to it, and downloading additional modules.

How to Detect & Remove Gauss Malware?

1. Online detection of Gauss via browser:
The quick and easy way to check for the presence of the Gauss font component is to visit http://gauss.crysys.hu in your browser.
CrySyS, a well-known Hungarian research lab, introduced a web-based method to check whether the Palida Narrow font is installed on your computer. Visit http://gauss.crysys.hu and check whether your system is affected or not.

2. Remove Gauss with the help of the Kaspersky Virus Removal Tool
If your system is infected with Gauss, use the free Kaspersky Virus Removal Tool to remove the malware and clean your PC. Alternatively, you can download and use the BitDefender Gauss Removal Tool (available for 32-bit and 64-bit systems).
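The browser check in step 1 works by measuring rendered text: if a font named Palida Narrow is available to the browser, text styled with it renders at a different width than the same text in a fallback font. The following is an added JavaScript illustration of that technique, not the CrySyS page's own code; the test string, the fallback list and the hidden-span measurement are my own choices.

```javascript
// Added example (not CrySyS's or Kaspersky's code): browser-side check for an
// installed font by measuring text width. Text styled as
// '"Palida Narrow", <fallback>' is rendered in Palida Narrow only if that font
// exists; otherwise the browser silently uses the fallback, so identical
// widths mean "not installed" and a differing width means "installed".

const TEST_STRING = "mmmmmmmmmmlli0O"; // mix of wide and narrow glyphs exaggerates width differences
const FALLBACKS = ["monospace", "serif", "sans-serif"]; // several, in case the candidate matches one by chance

// Pure decision logic (testable without a DOM): the font is considered present
// when at least one fallback comparison shows a width difference.
function fontDetectedFromWidths(measurements) {
  return measurements.some((m) => m.withCandidate !== m.fallbackOnly);
}

// Measure the test string in each fallback alone and with the candidate font
// listed first. Uses a hidden span, so this part needs a real browser DOM.
function measureFont(fontName, doc) {
  const span = doc.createElement("span");
  span.style.position = "absolute";
  span.style.left = "-9999px";  // off-screen, but still laid out and measurable
  span.style.fontSize = "72px"; // large size makes metric differences exceed rounding
  span.textContent = TEST_STRING;
  doc.body.appendChild(span);
  const results = FALLBACKS.map((fb) => {
    span.style.fontFamily = fb;
    const fallbackOnly = span.offsetWidth;
    span.style.fontFamily = `"${fontName}", ${fb}`;
    const withCandidate = span.offsetWidth;
    return { fallback: fb, fallbackOnly, withCandidate };
  });
  doc.body.removeChild(span);
  return results;
}

// Returns true if a font named "Palida Narrow" is visible to this browser.
function checkForPalidaNarrow(doc) {
  return fontDetectedFromWidths(measureFont("Palida Narrow", doc));
}

// Only run the DOM part when actually loaded in a browser page.
if (typeof document !== "undefined") {
  console.log("Palida Narrow font detected:", checkForPalidaNarrow(document));
}
```

A positive result only shows that a font with that name is installed, so treat it as an indicator to be confirmed with the removal tools in step 2 rather than as proof of infection. Browsers that restrict font enumeration for anti-fingerprinting reasons may also hide the font from this check.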