Kaspersky Lab Discovers 'Gauss' - sspencer
http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Discover_Gauss_A_New_Complex_Cyber_Threat_Designed_to_Monitor_Online_Banking_Accounts

======
sounds
From the article: "... the installation of a special font called Palida
Narrow, and the purpose of this action is still unknown."

Would this perhaps be a tracking ability, as described at
<https://panopticlick.eff.org> (specifically, the list of "System Fonts")

It would require the users to visit a site that is collecting this tracking
information, but it isn't impossible to imagine a popular site among the
target audience being strong-armed by a nation-state into installing something
to do this.

The tracking is practically invisible to end users.
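
As an added illustration of the Panopticlick methodology the comment refers to (this is example code, not part of the thread or the Kaspersky article): a fingerprint feature such as the system-font list is scored by how rare a visitor's value is in the sampled population, and installing one rare font moves a machine from a common value to a nearly unique one. The visitor population and font names other than Palida Narrow are constructed; the "unseen value" rule is a simplification.

```python
"""Added example: Panopticlick-style estimate of how much identifying
information a system-font list carries, and how much more it carries
once one rare font is installed. The 20-visitor sample is constructed;
Panopticlick samples far more visitors."""
import math
from collections import Counter

RARE_FONT = "Palida Narrow"  # the font the article says Gauss installs

# Constructed sample of 20 visitors' font lists (frozensets so they can be counted).
COMMON = frozenset({"Arial", "Times New Roman", "Verdana"})
SAMPLE = [COMMON] * 12 + [COMMON | {"Calibri"}] * 7 + [COMMON | {RARE_FONT}]


def feature_entropy(values):
    """Shannon entropy in bits of one fingerprint feature over the sample:
    how much a visitor's value of this feature reveals on average."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def surprisal(value, values):
    """Bits of identifying information a specific value carries, plus the
    'one in N' figure Panopticlick reports. A value never seen in the sample
    is treated as unique among sample-size + 1 visitors (simplification)."""
    matches = sum(1 for v in values if v == value)
    p = matches / len(values) if matches else 1 / (len(values) + 1)
    return -math.log2(p), 1 / p


def font_install_gain(fonts, new_font, values):
    """Extra identifying bits a visitor leaks after new_font is added to fonts."""
    before, _ = surprisal(frozenset(fonts), values)
    after, _ = surprisal(frozenset(fonts) | {new_font}, values)
    return after - before


if __name__ == "__main__":
    print(f"font-list entropy over sample: {feature_entropy(SAMPLE):.2f} bits")
    for fonts in (COMMON, COMMON | {RARE_FONT}):
        bits, one_in = surprisal(fonts, SAMPLE)
        print(f"{sorted(fonts)}: {bits:.2f} bits, one in {one_in:.1f}")
    print(f"installing {RARE_FONT!r} adds "
          f"{font_install_gain(COMMON, RARE_FONT, SAMPLE):.2f} bits")
```

In this sample the rare font alone raises a visitor from "one in 1.7" to "one in 20", which is the effect a font-enumerating tracker would exploit.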

~~~
delinka
Your EFF link says Chrome on iOS is 1 in ~93,000 while a Chrome incognito tab
is 1 in ~89,000. Incognito is _less_ unique and _more_ identifiable than a
regular tab. Interesting results.

~~~
icegreentea
What? If you are less unique, then you are also less identifiable.

~~~
delinka
I certainly got my adjectives mixed up. I usually proofread better than that.
Oops.

s/less/more/

------
apawloski
"Another key feature of Gauss is the ability to infect USB thumb drives, using
the same LNK vulnerability that was previously used in Stuxnet and Flame."

Do we have to repeat the same debate about this one's origin?

~~~
spec_laconic
That .lnk vulnerability is now in metasploit; I don't think we can safely say
that Gauss is from the same org from this one piece of evidence.

~~~
duaneb
The viruses (this and skywiper) appear to be both targeting the middle east...
Maybe they're all just chumps and easy targets out there, but it also makes
sense that they have the same people behind them.

------
nvmc
I like how they call it a "nation-state sponsored cyber-espionage toolkit",
and then go on to refer to its unknown creators.

------
jsannemo
Reading their analysis of Gauss, it appears 0xACDC is used for XOR encryption
when communicating with the C&C servers. Didn't we just read about another
security company and AC/DC...? <http://news.ycombinator.net/item?id=4286696>

------
duaneb
Probably just a continuation of the same virus that's been going around for
years at this point: <http://www.crysys.hu/skywiper/skywiper.pdf>

Kaspersky tends to exaggerate how novel these viruses are.

------
picklefish
This was a better read for me:
<https://www.securelist.com/en/blog?weblogid=208193767> I saw it on Slashdot.

------
sgt101
Oh ho - and suddenly Standard Chartered is fingered for transactions with
Iran!

Yuk Yuk Yuk - I wonder what is going on with this then!

------
forgotusername
What now... a heavily cyber-militarized nation-state so broke it needs to skim
its own citizens' bank accounts? Advanced Persistent Phish?

Trying to remember the last time I _didn't_ read about some ultra-dooper-al-Qaeda-cyber-virus.
Seems any kid with a C compiler these days pumping out cut-pasted code
qualifies as a complex threat.

Coming up: 50 page white paper on the seemingly "innocuous" font (translation:
obviously some previously unknown 0day secret intelligence 007 cyber warhead)
and its implications for national security funding.

~~~
Torgo
This virus could be used to track the flow of money in terror networks. It
could also be used offensively to surprise-defund them, or to grab off-the-
books cash for your own nation's agents in the field.

~~~
forgotusername
Applying Occam's razor we're left with a teenage dropout who has found a way
to sell bank account details on the black market to fund his new car.

But of course not, obviously it's Al Qaeda. How else will the security
industry succeed in strangling more cash and evil, preferential, freedom-damaging
policies from central government?

~~~
daeken
Absolutely no one is even suggesting it's Al Qaeda. Did you read the article
at all? It points to the US and/or Israel above all else...

~~~
irishcoffee
Unless I missed something, the central government referred to is not located
in the middle east.

~~~
chc
You missed something. forgotusername strongly seems to be suggesting that
security experts are falsely claiming this is from Al Qaeda so they can get
money from the US government to fight the terrorists. That's what daeken was
responding to.