Clampi (trojan)

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 67.22.250.146 (talk) at 23:15, 26 November 2020. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Clampi spyware (also known as Ligats, llomo, or Rscan) is a strain of computer malware which infects Windows and Mac computers. More specifically, it is a man-in-the-browser banking trojan designed to transmit financial and personal information from a compromised computer to a third party for potential financial gain, as well as to report on computer configuration, communicate with a central server, and act as a downloader for other malware. Clampi was first observed in 2007 affecting computers running the Microsoft Windows operating system and the Apple Mac operating system. It has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC, and Bank of America. It is designed to steal users' sensitive data, such as account login information and banking passwords.

Clampi monitored over 4000 website URLs, effectively keylogging credentials and user information for not only bank and credit card websites, but also reported on utilities, market research firms, online casinos, and career websites. At its peak in the fall of 2009, a computer security professional stated that it was one of the largest and most professional thieving operations on the Internet, likely run by a Russian or eastern European syndicate.

Additional knowledge: since 2013, 90% of users in the United States have been getting Clampi spyware around Thanksgiving Day, Black Friday and Christmas.

Detailed analysis

Computer security analyst Nicolas Falliere claimed that "few threats have had us scratching our heads like Trojan.Clampi." It was the first trojan found to be using a virtual machine called VMProtect to hide its instruction set. He remarked that the use of a virtual machine added weeks to the time required for analysts to disassemble and describe the threat and its mechanism of action. He discovered that it logged and transmitted personal financial information from a compromised computer to a third party for potential financial gain, reported on computer configuration, communicated with a central server, exploited Internet Explorer 8, set up a SOCKS proxy, and acted as a downloader for other malware. The virus was sophisticated enough to hide behind firewalls and go undetected for long periods of time. A list of around 4,800 URLs was CRC-encoded (similar to hashing). In September 2009 this list was dictionary-attacked against a list of common URLs to produce a partial list of known sites, with some duplication and ambiguity. The source code has never been reported to be shared or sold online.
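The CRC-encoded watch list and the dictionary attack that recovered it, as an added illustration (not code from the article or from any Clampi analysis): the malware stores only CRC values of its target hostnames, and an analyst re-hashes a list of common sites to see which values match. The hostname normalisation and the use of CRC-32 are assumptions; the page does not say which CRC variant Clampi used, and all domains below are constructed.

```python
import zlib
from urllib.parse import urlsplit


def normalise(url):
    """Reduce a URL or bare hostname to a lowercase hostname.

    Assumption: the watch list was keyed on hostnames. The real
    normalisation used by Clampi is not documented on this page.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def crc_encode(hostname):
    """CRC-32 of the hostname (assumed stand-in for Clampi's CRC variant)."""
    return zlib.crc32(hostname.encode("ascii", "ignore")) & 0xFFFFFFFF


def build_watchlist(hostnames):
    """The set of CRC values a sample embeds instead of plaintext URLs."""
    return {crc_encode(normalise(h)) for h in hostnames}


def recover_targets(watchlist, candidates):
    """Dictionary attack: hash every candidate site and keep the matches.

    Returns (recovered, unresolved). recovered maps each matched CRC to
    every candidate hostname producing it, so duplicates and ambiguous
    matches surface there; unresolved holds CRCs no candidate explained.
    """
    recovered = {}
    for url in candidates:
        host = normalise(url)
        crc = crc_encode(host)
        if crc in watchlist:
            recovered.setdefault(crc, set()).add(host)
    return recovered, watchlist - set(recovered)


# Constructed data: neither list is Clampi's real target list.
HIDDEN_TARGETS = ["login.bank-a.test", "secure.bank-b.test",
                  "www.casino-c.test", "mail.webmail-d.test"]
COMMON_SITES = ["https://login.bank-a.test/signin", "http://secure.bank-b.test",
                "www.casino-c.test", "news.example.test", "LOGIN.BANK-A.TEST"]


def demo():
    """Recovered hostnames (sorted) and the number of still-unknown CRCs."""
    recovered, unresolved = recover_targets(build_watchlist(HIDDEN_TARGETS), COMMON_SITES)
    return sorted(h for hosts in recovered.values() for h in hosts), len(unresolved)
```

The unresolved count is the part of the list the dictionary cannot explain, which is why the recovered list in 2009 was only partial.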

Operation

Clampi operates using packet sniffing, a method of reading network traffic, to determine when a user navigates to a banking website. The malware can then launch one of two different actions, depending on the variant. In its most common form, Clampi form-grabs the web page, effectively mounting a man-in-the-middle attack: the Trojan uses form grabbing to capture keystrokes before they can be encrypted by HTTPS, then sends them to a command-and-control server. This in turn causes the user's information to be stolen.

The second method that Clampi has used is to allow the user to log into the web page. Once the user is in, the malware uses the page information to extract the company's logo and site formatting. It then creates a pop-up page informing the user of updates to the system and requesting additional information, such as social security numbers. Most banking institutions inform their users that they will never ask for this information, as a way to defend against these types of attacks. Clampi has been modified to address this defense and has begun asking users for the kind of information used in security questions, such as the user's mother's maiden name, so that the attacker can use it to reset the password at a later time.

Clampi also injects itself into other system processes in an attempt to convert the host machine into a zombie, an unwilling member of a botnet. To maintain its connection to the botnet, Clampi is coded with four domains, so if one goes down or loses communication, the Trojan can immediately look for one of the others.

Named modules

A list of components discovered through decryption of the executable in 2009:[1]

  1. SOCKS – Configures a SOCKS proxy server that attackers can use to log into the victim's bank from the victim's home or work internet connection.
  2. PROT – Steals saved passwords from PSTORE (the protected storage used by Internet Explorer).
  3. LOGGER – Attempts to steal online credentials if the URL is on the list.
  4. LOGGEREXT – Aids in stealing online credentials for websites with enhanced security, i.e. HTTPS.
  5. SPREAD – Spreads Clampi to computers on the network with shared directories.
  6. ACCOUNTS – Steals locally saved credentials for a variety of applications, such as instant messaging and FTP clients.
  7. INFO – Gathers and sends general system information.
  8. KERNAL – The eighth module, which refers to itself as Kernal while running inside the proprietary protected virtual appliance.

References

  1. ^ "Inside the Jaws of Trojan.Clampi – Symantec Enterprise". Broadcom Endpoint Protection Library. Retrieved 2020-06-02.