* Gauss found in Lebanon, Israel, Palestinian territories
* Kaspersky Lab describes Gauss as cyber surveillance tool
* Says it may also be able to cause physical damage
* Says may be from same 'factories' as Stuxnet, Flame, Duqu
(Adds names of banks, comments by security experts, background
By Jim Finkle
BOSTON, Aug 9 A new cyber surveillance virus has
been found in the Middle East that can spy on banking
transactions and steal login information for social networking
sites, email and instant messaging, according to a leading
computer security firm, Kaspersky Lab.
Dubbed Gauss, the virus may also be capable of attacking
critical infrastructure and was very likely built in the same
laboratories as Stuxnet, the computer worm widely believed to
have been used by the United States and Israel to attack Iran's
nuclear program, Kaspersky Lab said on Thursday.
The Moscow-based firm said it found Gauss had infected more
than 2,500 personal computers, the bulk of them in Lebanon,
Israel and the Palestinian territories. Targets included
Lebanon's BlomBank, ByblosBank and Credit Libanais, as well as
Citigroup Inc's Citibank and eBay's PayPal online
Officials with the three Lebanese banks said they were
unaware of the virus. PayPal spokesman Anuj Nayar said the
company was investigating the matter but was not aware of any
increase in "rogue activity" as a result of Gauss. A Citibank
spokeswoman declined to comment.
Kaspersky Lab would not speculate on who was behind Gauss,
but said the virus was connected to Stuxnet and two other
related cyber espionage tools, Flame and Duqu. The U.S.
Department of Defense declined to comment.
"After looking at Stuxnet, Duqu and Flame, we can say with a
high degree of certainty that Gauss comes from the same
'factory' or 'factories,'" Kaspersky on its website. "All these
attack toolkits represent the high end of nation-state-sponsored
cyber-espionage and cyber war operations."
Kaspersky's findings are likely to fuel a growing
international debate over the development and use of cyber
weapons and espionage tools. Those discussions were stirred up
by the discovery of Flame in May by Kaspersky and others.
Jeffrey Carr, an expert on cyber warfare who runs a small
security firm known as Taia Global, said the U.S. government has
long monitored Lebanese banks for clues about the activities of
militant groups and drug cartels. He said Gauss was likely built
by adapting technology deployed in Flame.
"You've got this successful platform. Why not apply it to
this investigation into Lebanese banks and whether or not they
are involved in money laundering for Hezbollah?" he said.
Several analysts said they were not surprised to hear that
most of the Gauss infections were discovered in Lebanon.
"Beirut is a hot spot for the clandestine movement of money by
states," said a former U.S. intelligence expert on money
laundering who asked not to be named.
New York's state banking regulator this week accused
Britain's Standard Chartered Plc of violating U.S.
anti-money laundering laws by scheming with Iran to hide more
than $250 billion of transactions.
Experts said that surveillance viruses like Gauss are
perfect tools for government intelligence units to gather
information for such investigations, though they did not
specifically link Gauss to the Standard Chartered case.
"Espionage happens all the time," said Mikko Hypponen, chief
research officer at anti-virus software maker F Secure
. "In the old days you had to go where the information
was to copy it. Today it is on computers and networks."
HOMAGE TO MATHEMATICIANS
According to Kaspersky Lab, Gauss can also steal Internet
browser passwords and other data, and send information about
Modules in the virus have internal names that Kaspersky Lab
researchers believe were chosen to pay homage to famous
mathematicians and philosophers, including Johann Carl Friedrich
Gauss, Kurt Godel and Joseph-Louis Lagrange.
Kaspersky Lab said it called the virus Gauss because that is
the name of the most important module, which implements its
One of the firm's top researchers said Gauss also contains a
module known as "Godel" that may include a Stuxnet-like weapon
for attacking industrial control systems. Stuxnet, discovered in
2010, was used to attack computers that controlled the
centrifuges at a uranium enrichment facility in Natanz, Iran.
Roel Schouwenberg, a senior researcher with Kaspersky, said
the Godel code may include a similar "warhead."
Godel copies a compressed, encrypted program onto USB
drives. That program will only decompress and activate when it
comes in contact with a targeted system.
While Kaspersky has yet to fully crack Godel's code,
Schouwenberg said he suspects it is a cyber weapon designed to
cause physical damage and that its developers went to a lot of
trouble to hide its purpose, using an encryption scheme that
could take months or even years to unravel.
UN TO ISSUE WARNING
A United Nations agency that advises countries on protecting
infrastructure plans to send an alert on the mysterious code.
"We don't know what exactly it does. We can have some ideas.
We are going to emphasize this," said Marco Obiso, a cyber
security coordinator for the Geneva-based International
Telecommunications Union, or ITU.
Kaspersky estimates the total number of victims in the tens
of thousands. More than half of the 2,500 found since May were
in Lebanon, while only 43 were in the United States.
The U.S. Department of Homeland Security said it was
analyzing the potential threat posed by Gauss.
"The department's cyber security analysts are working with
organizations that could potentially be affected to detect,
mitigate and prevent such threats,' said DHS spokesman Peter
Researchers at Symantec Corp, the biggest maker of
security software, have begun analyzing Gauss and said it
appeared at first blush to be related to Stuxnet, Duqu and
Flame, according to a spokeswoman for the company.
(For more information on Gauss, see )
(Additional reporting by Erika Solomon in Beirut, Tabassum
Zakaria and Phillip Stewart in Washington and Alistair Barr and
Joseph Menn in San Francisco; editing by Tiffany Wu, John
Wallace and Matthew Lewis)