Monday, August 13, 2012

Gauss Worm spans to Bahraini Banks [BBK Online VIDEO]



You must have heard the news: a new worm capable of stealing sensitive financial data from selected websites. Banking deal documents, retail and corporate account passwords and browsing history are all picked up by the worm and sent over an SSL-secured channel to multiple servers across the world.

This worm spreads through a network whenever it finds an Active Directory. The worm (codenamed Gauss, W32.Gauss) is clearly being funded by a country because, ready for this?, it has only hit the Middle East so far: Lebanon, Israel and part of Saudi Arabia are affected. However, today I found proof that the Gauss worm is targeting Bahrain as well.

I downloaded a quarantined copy of Gauss (a dead sample for security researchers) in order to analyse it in my lab (as I have done with new worms and viruses for the past 11 years). I enabled debugging mode and tested the worm against some banks in Bahrain, in order to see:

  1. Which Bahraini banks are listed in the Gauss worm database 
  2. How the attack can be prevented if a bank is listed.

To my astonishment, the following banks are affected by the Gauss worm.
  1. National Bank of Bahrain (NBB)
  2. Bank of Bahrain and Kuwait (BBK) [BBK Online]
  3. Ahli United Bank (AUB)


Here is a video of my findings testing the BBK website; the same test succeeded with AUB and NBB.



Gauss reads the BBK login as plain text (site language: ASP.NET)
Gauss reads the NBB login as plain text (site language: ASP.NET)
Gauss reads the AUB login as plain text (site language: JSP)


Findings


How it Works

  1. Once the Gauss worm is installed on the system, it activates Bit Slicing (not sure what that is yet)
  2. When the user visits any website, it checks whether the website is listed in the Gauss database.
  3. If found, the worm fetches the index of the bank website, the bourse it is listed on and its URL.
  4. The worm starts listening for any input sent to the site.
  5. If a username/password combination is detected (using the HyperThreading module) it sends the credentials to multiple servers across the globe (mainly Malaysia and China)




After some research, I found out that the worm uses the Windows Hook API to hook into a running Internet Explorer instance and fetch the passwords as they are sent to the browser.
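One practical consequence of the hooking finding above, and of the "How it Works" steps, is that the hook leaves a trace: a global Windows hook installed with SetWindowsHookEx loads its hook DLL into every process it hooks, so a form-grabber planted in Internet Explorer shows up as an extra module inside iexplore.exe. The following PowerShell is an added triage check, not code from the original post and not taken from any Gauss analysis; it lists the DLLs loaded into each running IE process and flags those that are unsigned or loaded from outside the Windows and Program Files directories. The process name, the trusted-directory list and the flagging rule are my assumptions for the example.

```powershell
# Added example (not from the original post). Lists modules loaded into every
# iexplore.exe process and flags the ones that are unsigned or loaded from
# outside %SystemRoot% / Program Files. Assumptions: run elevated, and run from
# a PowerShell whose bitness matches the IE process (a 64-bit PowerShell cannot
# reliably enumerate the modules of a 32-bit process).

$trustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

# True when the module path sits under one of the trusted directories.
function Test-InTrustedRoot {
    param([string]$Path)
    $p = $Path.ToLowerInvariant()
    foreach ($root in $trustedRoots) {
        if ($p.StartsWith($root + '\')) { return $true }
    }
    return $false
}

$ieProcs = Get-Process -Name iexplore -ErrorAction SilentlyContinue
if (-not $ieProcs) {
    Write-Host "No Internet Explorer process is running."
    return
}

foreach ($proc in $ieProcs) {
    Write-Host ("== iexplore.exe PID {0} ==" -f $proc.Id)
    foreach ($mod in $proc.Modules) {
        $path = $mod.FileName
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Authenticode check on the DLL that is actually mapped into the process.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $suspect = ($sig.Status -ne 'Valid') -or (-not (Test-InTrustedRoot $path))
        if ($suspect) {
            [pscustomobject]@{
                PID       = $proc.Id
                Module    = $mod.ModuleName
                Path      = $path
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
            }
        }
    }
}
```

Treat the output as a triage list rather than a verdict: on older Windows and PowerShell versions, catalog-signed system DLLs can be reported as NotSigned even though they are legitimate, so the useful rows are the ones that combine an unexpected path with no valid signature, and any such DLL should be hashed and pulled for analysis rather than judged from the listing alone.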


The Good
  1. Gauss cannot read passwords out of Google Chrome [Tested]
  2. Gauss cannot read passwords out of Firefox [Tested]
  3. Gauss cannot read passwords out of Safari [Not tested but can be confirmed]


The Bad
  1. Gauss can read passwords out of the Internet Explorer browser [Tested]
  2. Gauss doesn't use phishing [Tested]
  3. Gauss doesn't use pharming [Tested]
  4. Gauss doesn't use any key-logging techniques [Tested]
  5. Gauss doesn't pass by SSL [Tested]
  6. Gauss doesn't use screen capture [Tested]
  7. Gauss cannot be detected by any anti-virus yet (13 August 2012)


How to Plug the Holes

Prevention
Once the problem is understood, preventing it is relatively simple. The banking websites are not efficiently written on the client side and can easily be scanned for a credential combination. Disabling right-click will not stop anyone from reading the page source. Making the code harder to comprehend, by splitting it across multiple modules and keeping less JavaScript in the main page, raises the effort needed to locate the credential fields, but it does not protect a value once it is inside the browser process.

Moreover, a virtual keyboard can prevent conventional keyloggers from capturing keystrokes before they reach the page, but once the characters are in the page there is no way to protect them from other processes scanning them.

Banking websites should also serve dynamically generated HTML instead of static HTML, and properly secure their JavaScript code.

Of course there is more to this worm than this; it is fully described here.

I'm willing to give more technical details on how to secure a website against future attacks.


Cure
EDIT: There is a way to cure the worm after it hits you; here is a full guide.

EDIT2: Adam Kujawa wrote a good article about the Gauss worm here, describing its sources and the mystery components.