Clampi Worm Puts Online Financial Transactions at Risk
By Jennifer LeClaire / Top Tech News. Updated July 31, 2009.
With security researchers focused on the Black Hat security conference, a Trojan called Clampi is still making its way across the Web looking for victims.
Also known as Ligats, Ilomo or Rscan, Clampi is a Trojan that aims to steal credentials from infected systems. According to SecureWorks, hundreds of thousands of Windows computers may already be infected and many more are at risk. In one recent example, an auto-parts store lost about $75,000 to a group of attackers leveraging the power of Clamp in early July.
Although Clampi is not a new threat -- it has been harassing Windows users since 2007 -- security researchers report it is gaining momentum.
Joe Stewart, SecureWorks director of malware research for the counter threat unit, launched an in-depth investigation into the Trojan and its use of the psexec tools to spread earlier this year. What he discovered is troubling.
"In recent months, Clampi has successfully spread across Microsoft networks in a worm-like fashion," Stewart said.
How Clampi Attacks
Stewart has identified 1,400 of the 4,500 Web sites in 70 different countries Clampi attackers are targeting. The Clampi Trojan, he reported, requests information specifically from these sites via infected computers. A sophisticated organized-crime group from Eastern Europe is running Clampi and has been implicated in numerous high-dollar thefts from banking institutions.
"Clampi's recent success in infecting victims is accomplished by using domain-administrator credentials -- either stolen by the Trojan or reused, or by virtue of the fact that a domain administrator has logged into an already infected system. Once domain-administrator privileges are granted, the Trojan uses the SysInternals tool psexec to copy itself to all computers on the domain," Stewart said. "Clampi also serves as a proxy server used by criminals to anonymize their activity when logging into stolen accounts."
Although most major antivirus engines should detect Clampi and its variants, Stewart said there is always a delay between a new Trojan release and the detection time. He recommends businesses that use online banking and financial transactions adopt a strategy to isolate workstations where these activities are carried out.
Today's malware codes are incredibly sophisticated -- and may even have their own internal encryption capabilities to hinder analysis or hijacking of their botnets or codes, according to Ken Dunham, director of global response at iSight Partners.
"Even if you wipe Windows and reinstall it, many of these Trojans can still load up and take control of your system. We're moving toward disk-level- or hardware-level-based compromise," Dunham said. "The sophistication is something that needs to be recognized. We're dealing with highly organized, talented people that are criminals."
Best practices are a must, but it can be difficult to protect against Web-based attacks and specifically third-party browser attacks that leverage Flash and PDF. Dunham said he sees new reports of attacks that involve PDF or Flash exploits or something similar cross his desk every day.
"It's one thing to say you've got your Windows updated and your antivirus in place. It's another thing to say you've got your browser updated," Dunham said. "But do you have your browser plug-ins updated? It's complicated."