Gauss – The Stuxnet Prequel

If you haven’t heard Kaspersky has discovered yet another suspected nation-state sponsored piece of malware floating around. “Gauss,” apparently in homage to famed German mathematician Johann Carl Friedrich Gauss, seems mostly to have been another recon tool for Stuxnet. This trait puts it in the same category as Flame however Guess appears much less sophisticated. The types of data Gauss has been programmed to collect include technical details about an infected host’s network connections, processes and folders, BIOS, CMOS, RAM, and local and removable drives.

Like Stuxnet, Duqu, and Flame targets mostly focus on the Middle East with the top three countries being Lebanon, Israel, and Palestine. Some of Gauss’s other interesting characteristics include infection via USB, installation of the Palida Narrow font, and targeting of user bank data (e.g., Citibank, PayPal, and several Lebanese institutions). The ecosystem includes five C&C servers that are currently offline, meaning that Gauss is most likely in a dormant state. Gauss also carries a mysterious encrypted payload that researchers have yet to unlock. Those interested in helping with decryption can email Kapersky’s research team at [email protected].


Researchers have uncovered yet another state-sponsored computer espionage operation that uses state-of-the-art software to extract a wealth of sensitive data from thousands of machines located mostly in the Middle East.

“Gauss,” as Kaspersky Lab researchers have dubbed the malware, was devised by the same “factory” or “factories” responsible for the Stuxnet worm used to disrupt Iran’s nuclear program, as well as the Flame and Duqu Trojans. Some researchers say the latter two malware titles may have provided the reconnaissance needed for operations such as Stuxnet. Gauss is known to have infected 2,500 computers connected to Kaspersky’s cloud-based security system, and researchers with the firm say tens of thousands of additional machines may also be affected. The highest concentration of attacks are found in Lebanon, followed by Israel and the Palestinian territories.

“The discovery of Gauss indicates that there are probably many other related cyber-espionage malware in operation,” Kaspersky researchers wrote in a 48-page report published Thursday morning (a condensed blog post is here). “The current tensions in the Middle East are just signs of the intensity of these ongoing cyber-war and cyber-espionage campaigns.”

Continued here.

For all the details check out the summary blog post from Kaspersky or the complete 48-page report [PDF]. You might also want to check out this post from that describes several ways of detecting and removing Gauss. One of these methods is to just check for the Palida Narrow font. Of course we don’t think many of us in the US will have to worry about this based on the geographic target profile.

Update 8/12/12: Added a link to CNET’s removal post.


So what do you think of this whole Gauss deal? Are these supposed state-sponsored pieces of malware even newsworthy anymore? Let us know in the comments below. Today’s post pic is from See ya!

8 comments for “Gauss – The Stuxnet Prequel

  1. August 9, 2012 at 11:03 pm

    Gauss – The Stuxnet Prequel: If you haven’t heard Kaspersky has discovered yet another suspected nation-state…

  2. August 10, 2012 at 2:37 am

    #NoVABloggers Gauss – The Stuxnet Prequel

  3. August 10, 2012 at 3:16 am

    #NOVABLOGGER: Gauss – The Stuxnet Prequel

  4. August 10, 2012 at 3:58 am

    Gauss – The #Stuxnet Prequel: [] If you haven’t heard Kaspersky has discovered yet another…

  5. August 10, 2012 at 8:43 am

    BLOGGED: Gauss – The Stuxnet Prequel //Fr last night.

  6. August 12, 2012 at 4:37 pm

    Updated Gauss post w/ link 2 resource 4 detecting/removing. Altho most in US shouldn’t have much 2 worry a/b.

  7. September 29, 2017 at 9:48 pm

    Hello,I check your new stuff named “Gauss – The Stuxnet Prequel – NovaInfosec” daily.Your writing style is witty, keep it up! And you can look our website about love spells.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.