September 26, 2016

Why does Gauss install Palida Narrow font?

Source: Securelist

(LiveHacking.Com) – In the ongoing saga, which started with Stuxnet and continued with Duqu and Flame, Gauss is seen by many as malware which, like its predecessors, is state sponsored. It was discovered during the ITU’s investigation into Flame and is thought to have been created in mid-2011 and deployed for the first time in August-September of the same year.

The major difference between Gauss and its predecessors is that Gauss is a banking Trojan, designed to steal login details for customers of Lebanese banks including Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets users of Citibank and PayPal. Kaspersky Lab has gone as far as to say “This is actually the first time we’ve observed a nation-state cyber-espionage campaign with a banking Trojan component.”

It has now been discovered that computers infected with Gauss all have a previously unknown font, known as “Palida Narrow”, installed on them. Security researchers have linked Duqu to Gauss because of some shared characteristics, and have wondered whether Gauss uses the same font-rendering vulnerability as Duqu. However, Kaspersky has checked the font for such malicious code and found nothing: “But of course, anything is possible”.

However, the new font can be used as a marker for the presence of the malware, and to this end the Cryptography Laboratory at the Technical University of Budapest has created a web page that tests whether Palida Narrow is installed and hence whether the machine may be infected with Gauss.
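The browser-side check works because a web page cannot list a visitor's installed fonts directly, but it can ask the browser to render text in a named font and observe whether the result differs from a generic fallback. The snippet below is an added example of that width-comparison technique; it is not the Budapest laboratory's own code, and the assumption that their page uses exactly this method is ours. The `measure` callback is injected so the decision logic can be exercised offline with a constructed font table (`fakeMeasurer`); in a browser, `domMeasurer()` supplies real measurements.

```javascript
// Added example: detect whether a named font is installed by comparing the
// rendered width of a probe string in a generic fallback family against the
// same string rendered in "<candidate>, <fallback>". If the candidate is not
// installed, the browser falls back and both widths are identical.

const PROBE_TEXT = "mmmmmmmmmmlli"; // wide and narrow glyphs amplify metric differences
const FALLBACKS = ["monospace", "sans-serif", "serif"];

// Returns true if rendering with the candidate font changes the width for at
// least one fallback family. `measure(fontFamilyCss)` returns a pixel width.
function isFontInstalled(fontName, measure) {
  return FALLBACKS.some((fallback) => {
    const baseline = measure(fallback);
    const candidate = measure(`'${fontName}', ${fallback}`);
    return baseline !== candidate;
  });
}

// Defensive wrapper for the marker discussed in the article: the font's
// presence is an indicator worth investigating, not proof of infection.
function checkForGaussMarker(measure) {
  return isFontInstalled("Palida Narrow", measure)
    ? "Palida Narrow present: investigate this host"
    : "Palida Narrow not found";
}

// Browser measurer using a hidden span; only usable where `document` exists.
function domMeasurer() {
  const span = document.createElement("span");
  span.style.position = "absolute";
  span.style.left = "-9999px";
  span.style.fontSize = "72px";
  span.textContent = PROBE_TEXT;
  document.body.appendChild(span);
  return (family) => {
    span.style.fontFamily = family;
    return span.getBoundingClientRect().width;
  };
}

// Constructed stand-in for a machine's font table so the check runs without a
// DOM. Widths are hypothetical; an installed candidate renders 40px narrower.
function fakeMeasurer(installedFonts) {
  const fallbackWidths = { monospace: 700, "sans-serif": 560, serif: 580 };
  return (family) => {
    const names = family.split(",").map((s) => s.trim().replace(/^'|'$/g, ""));
    if (names.length === 1) return fallbackWidths[names[0]];
    const [candidate, fallback] = names;
    return installedFonts.has(candidate)
      ? fallbackWidths[fallback] - 40
      : fallbackWidths[fallback];
  };
}

// Stand-alone demonstration against the constructed font tables.
console.log(checkForGaussMarker(fakeMeasurer(new Set(["Palida Narrow"]))));
console.log(checkForGaussMarker(fakeMeasurer(new Set())));
```

Two caveats a practitioner would want: a font whose metrics happen to match the fallback for every probe string yields a false negative, which is why several fallback families (and a probe string mixing wide and narrow glyphs) are tried; and a positive result only shows that the marker font is present, so it should trigger a proper host investigation rather than be treated as confirmation of Gauss on its own.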
