> https://www.us-cert.gov/control_systems/ics-cert/Gauss - Information-Stealing Malware
JSAR-12-222-01 - Joint Security Awareness Report
August 9, 2012 - "... According to Kaspersky, information is collected by Gauss using various modules and has the following functionality:
• injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies, and browser history,
• collecting information about the computer’s network connections,
• collecting information about processes and folders,
• collecting information about BIOS and CMOS RAM,
• collecting information about local, network and removable drives,
• infecting removable media drives with an information-stealing module in order to steal information from other computers,
• installing the custom “Palida Narrow” font (purpose unknown),
• ensuring the entire toolkit’s loading and operation, and
• interacting with the command and control server, sending the information collected to it, and downloading additional modules.
... Kaspersky’s analysis indicates that Gauss has a number of similarities to Duqu, Flame, and Stuxnet. The USB device information-stealing module exploits a known “.LNK” vulnerability (CVE-2010-2568), the same vulnerability exploited by Stuxnet. According to the report, the USB module also includes an encrypted payload that has unknown functionality. Both ICS-CERT and US-CERT are evaluating the malware to understand the full functionality and will report updates as needed.
MITIGATION: At this time, no specific mitigations are available; however, several indicators associated with Gauss have been published in Kaspersky’s report. Organizations should consider taking defensive measures using the available indicators where practical..."
Font installed with Gauss trojan...
13 August 2012
Online detection of Gauss
Severity: Elevated
Kaspersky Lab offers an on-line mechanism to detect the font installed by the Gauss spying malware.
Analysis: Users that have Palida Narrow, an unusual font, installed on their system should investigate why it is there. It may have been installed by the Gauss malware. At this time, there is no other known explanation for why the font would be installed.
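Both the advisory's mitigation note (apply the published indicators where practical) and the diary entry above (check whether Palida Narrow is present) come down to the same host-side check. The script below is an added example, not code from US-CERT, ICS-CERT or Kaspersky's online checker. It assumes the font was registered the normal way, as a value under the system-wide `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts` key or the per-user `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Fonts` key, with the face name in the value name (for example "Palida Narrow (TrueType)"). The font file name is not given on this page, so matching is on the face name only; the `FONT_KEYS` and `INDICATOR_FONTS` tables and the function names are this example's own.

```python
"""Host-side check for the "Palida Narrow" font associated with Gauss.

Added example, not part of the advisory or of Kaspersky's online check.
Assumption: the font is registered under the standard Fonts registry keys
and its value name carries the face name, e.g. "Palida Narrow (TrueType)".
"""
import sys
from typing import Iterable, List

# Indicator taken from the advisory text: the face name of the installed font.
# Compared case-insensitively as a substring, so bold/italic variants also hit.
INDICATOR_FONTS = ("palida narrow",)

# (hive constant name, subkey) pairs to enumerate; the per-user key only
# exists on newer Windows releases and is skipped if absent.
FONT_KEYS = (
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows NT\CurrentVersion\Fonts"),
)


def match_indicator_fonts(installed: Iterable[str],
                          indicators: Iterable[str] = INDICATOR_FONTS) -> List[str]:
    """Return every installed-font entry whose name contains an indicator.

    `installed` is any iterable of font entry strings (registry value names,
    optionally suffixed with the file they point at). Unrelated fonts never
    match; an empty input yields an empty list.
    """
    wanted = [i.lower() for i in indicators]
    return [entry for entry in installed
            if any(w in entry.lower() for w in wanted)]


def installed_fonts_windows() -> List[str]:
    """Enumerate registered fonts from the system-wide and per-user Fonts keys.

    Each entry is "<value name> -> <font file>" so a hit can be located on disk
    for further triage. Returns an empty list on non-Windows hosts, where the
    winreg module is unavailable.
    """
    if not sys.platform.startswith("win"):
        return []
    import winreg  # only importable on Windows
    entries: List[str] = []
    for hive_name, subkey in FONT_KEYS:
        hive = getattr(winreg, hive_name)
        try:
            key = winreg.OpenKey(hive, subkey)
        except OSError:
            continue  # key not present (e.g. no per-user fonts key)
        with key:
            index = 0
            while True:
                try:
                    value_name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                entries.append(f"{value_name} -> {data}")
                index += 1
    return entries


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        print("Not a Windows host; nothing to check.")
        sys.exit(0)
    hits = match_indicator_fonts(installed_fonts_windows())
    if hits:
        print("Indicator font registered on this host; investigate how it got there:")
        for hit in hits:
            print("  " + hit)
        sys.exit(1)
    print("No indicator fonts found in the Fonts registry keys.")
```

A hit is a reason to investigate, not proof of infection on its own, which is the same caveat the diary entry makes; the non-zero exit code makes the check easy to roll into a scheduled job or endpoint query, and `match_indicator_fonts` can be fed an exported list of value names from a host that is not running Python.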