A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15339  by SomeUnusedName
 Fri Aug 24, 2012 1:01 pm
Check the update: FireEye missed that the IP was a sinkhole for Gauss as well as Flame and therefore concluded they are connected, which, at least from that evidence, is wrong.
 #17357  by Shabnam Aslani
 Mon Dec 24, 2012 7:10 am
Hello everyone :geek:
I read the posts and it was so exciting to see that no one mentioned the interconnection between the GAUSS modules :)
Absolutely, they do not work separately... You should find the connection and sequence of execution of the modules... I mean the real way that they work together.
The first module to execute is WMI or WinShell... you should inject this module into the lsass.exe process and then it will drop two other files named wmiqry32.dll and wmihlp32.dll... Then it will inject wmiqry32.dll into svchost.exe with the -k netsvc command, and you should patch the execution to load the other modules. If you have any problem, please inform me.
Thanks