Gauss – A Super Virus. A new “state-sponsored” cyber surveillance virus dubbed “Gauss” has stolen passwords and key data from thousands of bank users in the Middle East, the top IT security firm Kaspersky Lab said on Thursday. Virus are evolving an getting more complicated and intelligent day by day.

According to Kaspersky, Gauss was a complete and “complex, nation-state sponsored cyber-espionage toolkit,” which aims to steal sensitive data, with a specific focus on browser passwords and online banking account details.

It has similarities to Stuxnet and Flame, the Russian company said in a statement, noting that although the new malware program was discovered in June 2012 it appears to have been in use since September 2011.

Gauss has the same source code as Flame, which was apparently designed to steal information from Iran’s suspected nuclear programme, with the United States and Israel suspected of being behind its origination.

Stuxnet was used to attack Iran’s nuclear centrifuges.

Kaspersky said Gauss had a specific focus on banking and financial data and its Trojan capability was used to steal detailed information about infected PCs including browser history, cookies, passwords, and system configurations.

“It is also capable of stealing access credentials for various online banking systems and payment methods,” said Kaspersky, whose virus detection experts discovered and named Gauss.

“Analysis of Gauss shows it was designed to steal data from several Lebanese banks including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais,” and also “targets users of Citibank and PayPal,” it added.

Gauss’s main module was named by its creators after the German mathematician Johann Carl Friedrich Gauss, according to Kaspersky.

I just got a couple of scraps from my friends on Orkut today. It was quite unusual, as these friends had not left a scrap in ages.

Just checked my email in GMail and the message said Bom Sabado! ( do you know what Bom Sabado means ? If you don’t read this post)

I was not sure what it meant. The message was neither in English, nor in my mother tongue, and being suspicious I googled around and found that it indeed is a worm (it’s not a virus, no losses have been mentioned from it yet) that is spreading through out Orkut.

For everyone whose orkut account has been affected with the ‘bom sabado’ worm ….

The worm injects a hidden iframe containing a malicious javascript http://tptools.org/worm.js [do not click this], which steals the user cookie which contains the password in an encoded form. So the attacker do not get to know your plaintext password but can login using your credentials by impersonating using the cookie to fool the identification system
. So a trivial solution is to diable javascript, another solution is to disable iframes or u can take an advanced measure by blocking the domain http://tptools.org/ by editing your hosts file and redirecting it to a safe address, say 127.0.0.1

go to C:\windows\system32\drivers\etc\
There is a file named ‘hosts’. By default it is read-only. Go to it properties and uncheck the tickmark beside read-only
edit it with you favourite editor.

add this line at the end of it

127.0.0.1 tptools.org

save it. and then restart your network interface. ( in simple words, just reconnect your interner connection ) and bingo!! the worm’ll be useless.

Hope this message is really helpful and saves you from Bom Sabado!