Jump to content

Clampi (trojan): Difference between revisions

From Wikipedia, the free encyclopedia
Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
Undid revision 991947795 by Materialscientist (talk)
Tags: Undo Reverted references removed
top: Typo fixing, minor formatting
 
(21 intermediate revisions by 19 users not shown)
Line 1: Line 1:
{{short description|man-in-the-browser trojan}}
{{Short description|Man-in-the-browser trojan}}
'''Clampi spyware''' (also known as '''Ligats, llomo,''' or '''Rscan''') is a strain of computer [[malware]] which infects [[Microsoft Windows|Windows]] and [[Mac operating system|Mac]] computers. More specifically, as a [[man-in-the-browser]] banking [[Trojan horse (computing)|trojan]] designed to transmit financial and personal information from a compromised computer to a third party for potential financial gain as well as report on computer configuration, communicate with a central server, and act as [[Download|downloader]] for other malware. Clampi was first observed in 2007 affecting computers running the Microsoft Windows [[operating system]], Apple [[Mac operating system]],it has been found that it has infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC, and Bank of America. It is designed to steal users' sensitive data, such as Account login information and Banking Passwords.
'''Clampi''' (also known as '''Ligats, Ilomo,''' or '''Rscan''')<ref>{{Cite web|last=Horowitz|first=Michael|date=2009-07-29|title=Defending against the Clampi Trojan|url=https://www.computerworld.com/article/2467216/defending-against-the-clampi-trojan.html|website=Computerworld}}</ref> is a strain of computer [[malware]] which infects [[Microsoft Windows|Windows]] computers. More specifically, as a [[man-in-the-browser]] banking [[Trojan horse (computing)|trojan]] designed to transmit financial and personal information from a compromised computer to a third party for potential financial gain as well as report on computer configuration, communicate with a central server, and act as [[download]]er for other malware.<ref name=":0">{{Cite web|title=Inside the Jaws of Trojan.Clampi – Symantec Enterprise|url=https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f6680a5d-0217-4d3e-9a98-c813924ef7e0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments|url-status=live|access-date=2020-06-02|website=Broadcom Endpoint Protection Library|archive-url=https://web.archive.org/web/20210103162439/https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f6680a5d-0217-4d3e-9a98-c813924ef7e0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments |archive-date=2021-01-03 }}</ref> Clampi was first observed in 2007 affecting computers running the Microsoft Windows [[operating system]].<ref>{{cite web|url=https://www.cnet.com/news/clampi-trojan-stealing-online-bank-data-from-consumers-and-businesses/|title=Clampi Trojan stealing online bank data from consumers and businesses|publisher=CNET|author=Elinor Mills|date=2009-07-29|access-date=2020-07-18|archive-url=https://web.archive.org/web/20180629082303/https://www.cnet.com/news/clampi-trojan-stealing-online-bank-data-from-consumers-and-businesses/|archive-date=2018-06-29|url-status=live}}</ref>


Clampi monitored over 4000 website [[URLs]], effectively [[Keystroke logging|keylogging]] credentials and user information for not only bank and credit card websites, but also reported on utilities, market research firms, online casinos, and career websites.<ref>{{cite web |url=http://www.networkworld.com/news/2009/072909-clampi-trojan.html|title=Clampi Trojan revealed as financial-plundering botnet monster|work=Network World |author=Ellen Messmer|date=2009-07-29|archive-url=https://web.archive.org/web/20090802114351/http://www.networkworld.com/news/2009/072909-clampi-trojan.html|archive-date=2009-08-02}}</ref> At its peak in the fall of 2009, a [[computer security]] professional stated that it was one of the largest and most professional thieving operations on the Internet, likely run by a Russian or eastern European syndicate.<ref>{{cite news|url=http://voices.washingtonpost.com/securityfix/2009/09/clamping_down_on_clampi.html|title=Clamping Down on the 'Clampi' Trojan|newspaper=The Washington Post|author=Brian Krebs|authorlink=Brian Krebs|date=2009-09-11|access-date=2016-06-21|archive-url=https://web.archive.org/web/20160926060340/http://voices.washingtonpost.com/securityfix/2009/09/clamping_down_on_clampi.html|archive-date=2016-09-26|url-status=dead}}</ref> [[False positives and false negatives|False-positive]] reporting of Clampi is also often used by [[Technical support scam|tech support scammers]] to pressure individuals into sending them money for the removal of fake computer viruses.<ref>{{cite web|url=https://www.kaspersky.com/resource-center/definitions/what-is-the-clampi-virus|title=What is the Clampi Virus?|work=Kaspersky|author=Kaspersky Team|access-date=2020-07-18|archive-url=https://web.archive.org/web/20200204210610/https://www.kaspersky.com/resource-center/definitions/what-is-the-clampi-virus|archive-date=2020-02-04|url-status=live}}</ref><ref>{{cite web |url=https://www.southbendtribune.com/news/business/protect-yourself-against-computer-viruses-and-scammers/article_a8bec3e2-5b18-5217-a244-b6c9ad14599a.html|title=Protect yourself against computer viruses – and scammers|work=South Bend Tribune |author=Dreama Jensen|date=2016-12-16|archive-url=https://web.archive.org/web/20200528040104/https://www.southbendtribune.com/news/business/protect-yourself-against-computer-viruses-and-scammers/article_a8bec3e2-5b18-5217-a244-b6c9ad14599a.html|archive-date=2020-05-28}}</ref>
Clampi monitored over 4000 website [[URLs]], effectively [[Keystroke logging|keylogging]] credentials and user information for not only bank and credit card websites, but also reported on utilities, market research firms, online casinos, and career websites. At its peak in the fall of 2009, a [[computer security]] professional stated that it was one of the largest and most professional thieving operations on the Internet, likely run by a Russian or eastern European syndicate.


==Detailed analysis==
'''Additional Knowledge: Since 2013 90% of users from United States are getting Clampi spyware on the time of Thanksgiving Day ,Black Friday and Christmas.'''


Computer security analyst Nicolas Falliere claimed that "few threats have had us scratching our heads like Trojan.Clampi." It was the first trojan found to be using a [[virtual machine]] called [[VMProtect]] to hide its [[instruction set]].<ref>{{Cite journal|title=VMAttack {{!}} Proceedings of the 12th International Conference on Availability, Reliability and Security|doi=10.1145/3098954.3098995|s2cid=7759690}}</ref> He remarked that the use of a virtual machine added weeks to the time required for programmers to [[disassembler|disassemble]] and describe the threat and mechanism of action.<ref name=":0" /> He discovered it logged and transmitted personal financial information from a compromised computer to a third party for potential financial gain as well as reported on computer configuration, communicated with a central server, exploited [[Internet Explorer 8]], set up a [[SOCKS|SOCKS proxy]], and acted as downloader for other malware. The virus was sophisticated enough to hide behind [[Firewall (computing)|firewalls]] and go undetected for long periods of time.<ref>{{Cite web|date=2017-11-02|title=What is the Clampi Virus?|url=https://usa.kaspersky.com/resource-center/definitions/what-is-the-clampi-virus|access-date=2020-06-02|website=usa.kaspersky.com|archive-url=https://web.archive.org/web/20200204204444/https://usa.kaspersky.com/resource-center/definitions/what-is-the-clampi-virus|archive-date=2020-02-04|url-status=live}}</ref> A list of around 4,800 URLs were [[Cyclic redundancy check|CRC encoded]] (similar to hashing). This was [[dictionary attack]]ed against a list of common URLs in September 2009 to produce a partial list of known sites with some duplication and ambiguity.<ref name=":0" /> The source code has never been reported to be shared or sold online.
== Detailed analysis ==

Computer security analyst Nicolas Falliere claimed that "few threats have had us scratching our heads like Trojan.Clampi." It was the first trojan found to be using a [[virtual machine]] called [[VMProtect]] to hide its [[instruction set]]. He remarked that the use of a virtual machine added weeks to the time required for programmers to [[Disassembler|disassemble]] and describe the threat and mechanism of action. He discovered it logged and transmitted personal financial information from a compromised computer to a third party for potential financial gain as well as reported on computer configuration, communicated with a central server, exploited [[Internet Explorer 8]], set up a [[SOCKS|SOCKS proxy]], and acted as downloader for other malware. The virus was sophisticated enough to hide behind [[Firewall (computing)|firewalls]] and go undetected for long periods of time. A list of around 4,800 URLs were [[Cyclic redundancy check|CRC encoded]] (similar to hashing). This was [[Dictionary attack|dictionary attacked]] against a list of common URLs in September 2009 to produce a partial list of known sites with some duplication and ambiguity. The source code has never been reported to be shared or sold online.

== <big>How the Clampi Virus Works</big> ==
Once downloaded into your computer, Clampi (also known as Ligats and Ilomo) lies in wait for you to sign in to make a financial transaction, such as accessing online banking or entering credit card information for an online purchase. The virus is sophisticated enough to hide behind firewalls and go undetected for long periods of time. The cybercriminals communicate with the malware through Control and Command servers using an open back channel.

As soon as you enter your username and password, Clampi records that information and sends it to the cybercriminals who control the virus. Once those credentials and numbers are in hackers' hands, they can do whatever they want with them. They have direct access to your bank account and can use your financial information for identity theft or sell it on the black market.

Because the hackers have total command over the virus once it's embedded in your operating system, they can act at will. One tactic is to slowly drain a bank account, taking out small amounts of cash at a time in hopes the owner might not notice the missing money for months. Hackers have also created fake invoices and fake employees in payroll systems.


=== Named modules ===
=== Named modules ===


A list of components discovered through decryption of the executable in 2009:<ref name=":0" />
A list of components discovered through decryption of the executable in 2009:<ref name=":0">{{Cite web|title=Inside the Jaws of Trojan.Clampi – Symantec Enterprise|url=https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f6680a5d-0217-4d3e-9a98-c813924ef7e0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments|url-status=live|access-date=2020-06-02|website=Broadcom Endpoint Protection Library}}</ref>


# SOCKS – Configures a [[SOCKS]] proxy server attackers can use to log into your bank from your work/home internet connection.
# SOCKS – Configures a [[SOCKS]] proxy server attackers can use to log into your bank from your work/home internet connection.
# PROT – Steals PSTORE (protected storage for [[Internet Explorer]]) saved passwords
# PROT – Steals PSTORE (protected storage for [[Internet Explorer]]) saved passwords
# LOGGER – Attempts to steal online credentials if the URL is on the list.
# LOGGER – Attempts to steal online credentials if the URL is on the list.
# LOGGEREXT – Aids in stealing online credentials for websites with enhanced security, ie [[HTTPS]]
# LOGGEREXT – Aids in stealing online credentials for websites with enhanced security, i.e. [[HTTPS]]
# SPREAD – Spreads Clampi to computers in the network with shared directories.
# SPREAD – Spreads Clampi to computers in the network with shared directories.
# ACCOUNTS – Steals locally saved credentials for a variety of applications such as [[instant messaging]] and [[FTP clients]].
# ACCOUNTS – Steals locally saved credentials for a variety of applications such as [[instant messaging]] and [[FTP clients]].
Line 44: Line 35:


==External links==
==External links==
*[https://abcnews.go.com/Business/story?id=8217116 Clampi virus targets companies' financial accounts] – ''[[ABC News]]''
*[https://abcnews.go.com/Business/story?id=8217116 Clampi virus targets companies' financial accounts] – ''[[ABC News (United States)|ABC News]]''
*[http://www.pcworld.com/article/169333/botnet_spreading.html Massive Botnet Stealing Financial Info] – ''[[PC World]]''
*[http://www.pcworld.com/article/169333/botnet_spreading.html Massive Botnet Stealing Financial Info] – ''[[PC World]]''
*[https://web.archive.org/web/20161223003901/https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/inside_trojan_clampi.pdf Inside the Jaws of Trojan.Clampi] – Symantec Security whitepaper (archived)
*[https://web.archive.org/web/20161223003901/https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/inside_trojan_clampi.pdf Inside the Jaws of Trojan.Clampi] – Symantec Security whitepaper (archived)
Line 53: Line 44:
[[Category:Facebook]]
[[Category:Facebook]]
[[Category:Myspace]]
[[Category:Myspace]]
[[Category:Trojan horses]]
[[Category:Windows trojans]]

Latest revision as of 21:03, 4 November 2024

Clampi (also known as Ligats, Ilomo, or Rscan)[1] is a strain of computer malware which infects Windows computers. More specifically, as a man-in-the-browser banking trojan designed to transmit financial and personal information from a compromised computer to a third party for potential financial gain as well as report on computer configuration, communicate with a central server, and act as downloader for other malware.[2] Clampi was first observed in 2007 affecting computers running the Microsoft Windows operating system.[3]

Clampi monitored over 4000 website URLs, effectively keylogging credentials and user information for not only bank and credit card websites, but also reported on utilities, market research firms, online casinos, and career websites.[4] At its peak in the fall of 2009, a computer security professional stated that it was one of the largest and most professional thieving operations on the Internet, likely run by a Russian or eastern European syndicate.[5] False-positive reporting of Clampi is also often used by tech support scammers to pressure individuals into sending them money for the removal of fake computer viruses.[6][7]

Detailed analysis

[edit]

Computer security analyst Nicolas Falliere claimed that "few threats have had us scratching our heads like Trojan.Clampi." It was the first trojan found to be using a virtual machine called VMProtect to hide its instruction set.[8] He remarked that the use of a virtual machine added weeks to the time required for programmers to disassemble and describe the threat and mechanism of action.[2] He discovered it logged and transmitted personal financial information from a compromised computer to a third party for potential financial gain as well as reported on computer configuration, communicated with a central server, exploited Internet Explorer 8, set up a SOCKS proxy, and acted as downloader for other malware. The virus was sophisticated enough to hide behind firewalls and go undetected for long periods of time.[9] A list of around 4,800 URLs were CRC encoded (similar to hashing). This was dictionary attacked against a list of common URLs in September 2009 to produce a partial list of known sites with some duplication and ambiguity.[2] The source code has never been reported to be shared or sold online.

Named modules

[edit]

A list of components discovered through decryption of the executable in 2009:[2]

  1. SOCKS – Configures a SOCKS proxy server attackers can use to log into your bank from your work/home internet connection.
  2. PROT – Steals PSTORE (protected storage for Internet Explorer) saved passwords
  3. LOGGER – Attempts to steal online credentials if the URL is on the list.
  4. LOGGEREXT – Aids in stealing online credentials for websites with enhanced security, i.e. HTTPS
  5. SPREAD – Spreads Clampi to computers in the network with shared directories.
  6. ACCOUNTS – Steals locally saved credentials for a variety of applications such as instant messaging and FTP clients.
  7. INFO – Gathers and sends general system information
  8. KERNAL – the eighth module refers to itself as Kernal while running inside the proprietary protected virtual appliance.

See also

[edit]

References

[edit]
  1. ^ Horowitz, Michael (2009-07-29). "Defending against the Clampi Trojan". Computerworld.
  2. ^ a b c d "Inside the Jaws of Trojan.Clampi – Symantec Enterprise". Broadcom Endpoint Protection Library. Archived from the original on 2021-01-03. Retrieved 2020-06-02.
  3. ^ Elinor Mills (2009-07-29). "Clampi Trojan stealing online bank data from consumers and businesses". CNET. Archived from the original on 2018-06-29. Retrieved 2020-07-18.
  4. ^ Ellen Messmer (2009-07-29). "Clampi Trojan revealed as financial-plundering botnet monster". Network World. Archived from the original on 2009-08-02.
  5. ^ Brian Krebs (2009-09-11). "Clamping Down on the 'Clampi' Trojan". The Washington Post. Archived from the original on 2016-09-26. Retrieved 2016-06-21.
  6. ^ Kaspersky Team. "What is the Clampi Virus?". Kaspersky. Archived from the original on 2020-02-04. Retrieved 2020-07-18.
  7. ^ Dreama Jensen (2016-12-16). "Protect yourself against computer viruses – and scammers". South Bend Tribune. Archived from the original on 2020-05-28.
  8. ^ "VMAttack | Proceedings of the 12th International Conference on Availability, Reliability and Security". doi:10.1145/3098954.3098995. S2CID 7759690. {{cite journal}}: Cite journal requires |journal= (help)
  9. ^ "What is the Clampi Virus?". usa.kaspersky.com. 2017-11-02. Archived from the original on 2020-02-04. Retrieved 2020-06-02.
[edit]
Retrieved from "https://en.wikipedia.org/enwiki/w/index.php?title=Clampi_(trojan)&oldid=1255414812"