Fortunately, Gauss left a calling card: Infected computers received a custom font called “Palida Narrow,” so testing for infection is as simple as finding the font. –Jared Newman, PCWorld

Both Kaspersky and CrySyS offer free Gauss online detection tools for windows users. Gauss is cyber surveillance malware that is designed to collect information about infected systems, as well as steal login credentials from banks, email, instant message accounts, and social networking sites.

The Kaspersky Lab Global Research & Analysis Team (GReAT) white paper state that Gauss was designed for 32-bit Windows operating systems, though some modules do not work under Windows 7, SP1. There is also a separate spy module operational for USB drives that are capable of collecting information from 64-bit Windows operating systems.

The new malware, dubbed Gauss for an in-code reference to a German mathematician, is designed to “steal and monitor data from clients of several Lebanese banks,” among other nefarious abilities. The code also includes some kind of “special warhead” that is so well encrypted that Kaspersky has been unable to identify it. –Lee Ferran | ABC News

Gauss is designed to collect information and send the data collected to its command-and-control servers. Information is collected using various modules, each of which has its own unique functionality:

1- Injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies and browser history.

2- Collecting information about the computer’s network connections.

3- Collecting information about processes and folders.

4- Collecting information about BIOS, CMOS RAM.

5- Collecting information about local, network and removable drives.

6- Infecting USB drives with a spy module in order to steal information from other computers.

7- Installing the custom Palida Narrow font (purpose unknown).

8- Ensuring the entire toolkit’s loading and operation.

9- Interacting with the command and control server, sending the information collected to it, downloading additional modules.

It is currently unclear to security researchers what the motive behind Gauss is, but it is definitely focused on the financial industry for both information and potential profit. It is most likely that a nation-state is behind the initial creation of Gauss and it will most likely lead to toolkit commercialization in underground markets.

This type of malware will get repurposed, so don’t expect  the Palida Narrow font to remain as an indication of potential infection for long.

Source: SecureList:Gauss: Abnormal Distribution.