Virus found in Mideast can spy on finance transactions
Kaspersky Lab CEO and Co-founder Eugene Kaspersky speaks during the Reuters Global Media and Technology Summit in London in this June 11, 2012, file photo.
Credit: Reuters/Benjamin Beavan/Files
By Jim Finkle
Thu Aug 9, 2012 11:23am EDT
BOSTON (Reuters) - A new cyber surveillance virus has been found in the Middle East that can spy on financial transactions, email and social networking activity, according to a leading computer security firm, Kaspersky Lab.
Dubbed Gauss, the virus may also be capable of attacking critical infrastructure and was built in the same laboratories as Stuxnet, the computer worm widely believed to have been used by the United States and Israel to attack Iran's nuclear program, Kaspersky Lab said on Thursday.
The Moscow-based firm said it found Gauss had infected personal computers in Lebanon, Israel and the Palestinian Territories. It declined to speculate on who was behind the virus but said it was related to Stuxnet and two other cyber espionage tools, Flame and Duqu.
"After looking at Stuxnet, Duqu and Flame, we can say with a high degree of certainty that Gauss comes from the same 'factory' or 'factories,'" Kaspersky Lab said in a posting on its website. "All these attack toolkits represent the high end of nation-state-sponsored cyber-espionage and cyber war operations."
Kaspersky Lab's findings are likely to fuel a growing international debate over the development and use of cyber weapons. Those discussions were stirred up by the discovery of Flame in May by Kaspersky and others. Washington has declined comment on whether it was behind Stuxnet.
According to Kaspersky Lab, Gauss can steal Internet browser passwords and other data, send information about system configurations, steal credentials for accessing banking systems in the Middle East, and hijack login information for social networking sites, email and instant messaging accounts.
Modules in the Gauss virus have internal names that Kaspersky Lab researchers believe were chosen to pay homage to famous mathematicians and philosophers, including Johann Carl Friedrich Gauss, Kurt Godel and Joseph-Louis Lagrange.
Kaspersky Lab said it called the virus Gauss because that is the name of the most important module, which implements its data-stealing capabilities.
One of the firm's top researchers said Gauss also contains a module known as "Godel" that may include a Stuxnet-like weapon for attacking industrial control systems.
Stuxnet, discovered in 2010, attacked via USB drives and was designed to attack computers that controlled the centrifuges at a uranium enrichment facility in Natanz, Iran.
Roel Schouwenberg, a senior researcher with Kaspersky, said the Godel code may include a similar "warhead."
Godel copies a compressed, encrypted program onto USB drives. That program will only decompress and activate when it comes in contact with a targeted system.
While Kaspersky has yet to fully crack Godel's code, Schouwenberg said he suspects it is a cyber weapon designed to cause physical damage and that its developers went to a lot of trouble to hide its purpose, using an encryption scheme that could take months or even years to unravel.
CODE BREAKERS WANTED
He said the prospect that a cyber weapon like Gauss or Stuxnet could attack critical infrastructure keeps him up at night.
"They could do pretty much anything," he said. "A few weeks ago when power went out in and around (Washington) D.C., my first thought was a cyber weapon."
Kaspersky said it is searching for "world-class" cryptographers to help it break the code.
A United Nations agency that advises countries on protecting critical infrastructure plans to send an alert on the mysterious code.
"We are going to, of course, inform member states that there is an unknown payload," said Marco Obiso, a cyber security coordinator for the U.N.'s Geneva-based International Telecommunications Union, or ITU.
"We don't know what exactly it does. We can have some ideas. We are going to emphasize this," he said.
The ITU issued a warning about Flame shortly after the virus was unveiled by Kaspersky in late May. The agency told member nations that Flame could potentially be used to attack critical infrastructure, according to Obiso.
At the time, experts knew only that Flame was a sophisticated espionage tool; they were not certain it could damage computer networks.
Several weeks later, researchers at another security firm, Symantec Corp, confirmed suspicions that Flame was capable of deleting computer data and likely was used to attack Iran in April.
Iran blamed Flame for causing data loss on computers in the country's main oil export terminal and Oil Ministry. Reports of the data losses prompted the ITU to ask Kaspersky to search for a data-wiping virus, which resulted in its discovery of Flame and Gauss.
(Jim Finkle in Boston, editing by Tiffany Wu and John Wallace)