Post date: Aug 10, 2012 5:15:38 PM
MOSCOW, RUSSIA (AUGUST 10, 2012) (REUTERS) - Russia's Kaspersky Lab announced on Thursday (August 9) it had found a new virus in the Middle East that can spy on banking transactions and steal login information for social networking sites, email and instant messaging.
Moscow's Kaspersky Lab says it has discovered a cyber-espionage virus that strongly resembles the Flame virus it uncovered in May.
Dubbed 'Gauss', the virus may also be capable of attacking critical infrastructure and was very likely built in the same laboratories as Stuxnet, the computer worm widely believed to have been used by the United States and Israel to attack Iran's nuclear programme, Vitaly Kamluk, chief malware expert at Kaspersky Lab's Global Research & Analysis Team in Russia, told Reuters on Friday (August 10).
"The variety in this virus software, we believe, was created by the same authors as the well-known Flame that we found in May this year," Kamluk said.
The Moscow-based firm said it found Gauss had infected more than 2,500 personal computers, the bulk of them in Lebanon, Israel and the Palestinian territories. Targets included Lebanon's BlomBank, ByblosBank and Credit Libanais, as well as Citigroup Inc's <C.N> Citibank and eBay's <EBAY.O> PayPal online payment system.
Kaspersky Lab would not speculate on who was behind Gauss, but said the virus was connected to Stuxnet and two other related cyber espionage tools, Flame and Duqu. The U.S. Department of Defence declined to comment.
One of the firm's top researchers said Gauss also contains a module known as "Godel" that may include a Stuxnet-like weapon for attacking industrial control systems. Stuxnet, discovered in 2010, was used to attack computers that controlled the centrifuges at a uranium enrichment facility in Natanz, Iran.
Kamluk said analysis shows that the Gauss virus has a lot in common with the Flame virus.
"They have a common code base, similar methods of decryption of built-in lines, the same methods of communications with the control centre. There are absolutely no doubts left that it has the same authors. And it's well known that Flame was similarly connected to Stuxnet, the well-known worm which infected Iran and those Iranian nuclear centrifuges in particular," he said.
According to Kaspersky Lab, Gauss can also steal Internet browser passwords and other data, and send information about system configurations.
"This virus is a multi-component instrument for gathering information about a user of an infected computer. What information is gathered? It's information about its hardware, some data, some information about the network user's capabilities, for example, information about the domain he's working in, network adaptors. It's also capable of spreading infection through removable storage, USB flash drives, but this infection is used to steal similar information from other computers," Kamluk said.
While Kaspersky has yet to fully crack Godel's code, Kamluk said he suspects it is a cyber weapon designed to cause physical damage and that its developers went to a lot of trouble to hide its purpose, using an encryption scheme that could take months or even years to unravel.
"During our analysis, we were not able to find an appropriate key. We haven't found the programme that is needed for the virus to activate an additional code, so we are expecting that on some of the computers, a highly-secured and very dangerous component can run which was hidden by the developers from analysts and investigators. It was hidden and it may be even more dangerous than anything we've seen before," Kamluk said.
Modules in the virus have internal names that Kaspersky Lab researchers believe were chosen to pay homage to famous mathematicians and philosophers, including Johann Carl Friedrich Gauss, Kurt Godel and Joseph-Louis Lagrange.
Kaspersky estimates the total number of victims in the tens of thousands. More than half of the 2,500 found since May were in Lebanon, while only 43 were in the United States. The U.S. Department of Homeland Security said it was analysing the potential threat posed by Gauss.
New York's state banking regulator this week accused Britain's Standard Chartered Plc <STAN.L> of violating U.S. anti-money laundering laws by scheming with Iran to hide more than $250 billion of transactions. Experts said that surveillance viruses like Gauss are perfect tools for government intelligence units to gather information for such investigations, though they did not specifically link Gauss to the Standard Chartered case.