Enter Gauss: A Nation State Sponsored Malware, with a Knack for Bank Accounts

We have seen Stuxnet, designed to attack nuclear plants in Iran; we have seen Flame, designed for mass surveillance of Middle Eastern nations; and we have seen Duqu, the sister trojan of Stuxnet, also aimed at Iran. How low does this cyber-espionage war fall? Well, low has a new definition now: a new trojan, Gauss, has been discovered, which apparently steals bank account details of individuals.


The Gauss trojan surfaced as part of an ongoing investigation into Flame. It is believed to have been created in mid-2011, and released in three months. The Gauss trojan shows the same level of sophistication as seen in Stuxnet and Duqu.

Kaspersky defines Gauss as:

In 140 chars or less, “Gauss is a nation state sponsored banking Trojan which carries a warhead of unknown designation”. Besides stealing various kinds of data from infected Windows machines, it also includes an unknown, encrypted payload, which is activated on certain specific system configurations.

Gauss is based on the Flame platform and performs an array of hacks, ranging from infecting USB sticks and stealing browser cookies to listing the contents of system drives and hijacking social networking accounts. It was aimed mainly at

Here is a paper released by Kaspersky Lab on the Gauss trojan [PDF link].

The Gauss trojan names its modules after famous mathematicians such as Gauss himself, Lagrange and Godel. The primary module, which implements the data-stealing capabilities, is called Gauss, hence the name of the trojan. This main payload, which affects USB storage devices, is protected by numerous layers of hashing and strong RC4 encryption. Kaspersky has also urged cryptography experts to help with the decryption.


Published by

Chinmoy Kanjilal
