Risk
7/29/2009
09:12 AM
Connect Directly
RSS
E-Mail
50%
50%

Researcher Uncovers Massive, Sophisticated Trojan Targeting Top Businesses

Trojan may already have infected hundreds of thousands of PCs, botnet expert says

LAS VEGAS -- BLACK HAT USA 2009 -- A security researcher has discovered a Trojan that is designed to extract account data from as many as 4,600 of the world's most popular and wealthy businesses.

In "one of the largest and most professional thieving operations on the Internet," a Trojan called Clampi (also known as Ligats, llomo, or Rscan) has spread across Microsoft networks in a worm-like fashion, and may already have infected hundreds of thousands of corporate and home PC users, according to SecureWorks researcher Joe Stewart, one of the world's foremost authorities on botnets and targeted attacks.

"We weren't all that worried about Storm, and we weren't all that worried about Conficker," Stewart says. "This one you need to worry about."

The Trojan uses PsExec -- a popular, lightweight Telnet replacement tool that lets one system execute processes on other systems -- and a sophisticated process of encryption and packing to hide its origins and targets. So far, Stewart says, the Trojan appears to be targeting 4,600 Websites, of which he has identified approximately 1,400 in 70 countries.

Those 1,400 sites include some of the most popular and financially lucrative companies in the world. "This thing is like the Dun & Bradstreet of the underground hacking world," Stewart says. "It's attacking the sites with the most users and the most money." Among the industries being targeted are banks, credit card companies, stock brokerages, insurance, retail, advertising networks, and utilities.

Clampi, which was first discovered in 2007, seeks out domain administrator credentials much the way Coreflood attack did last year, Stewart says. Once domain administrator privileges are granted, the Trojan uses the SysInternals tool "PsExec" to copy itself to all computers on the domain. Clampi also serves as a proxy server used by criminals to anonymize their activities when logging into stolen accounts, he says.

However, unlike Coreflood, which extracted a broad range of data from the infected PCs, Clampi extracts only useful credentials and account data, Stewart says. "These guys are getting exactly what they need, putting it in a database, and storing it," he says. "Even though much of the data is collected in multiple languages, they seem to have found a way to pull it all together." Clampi uses a modular approach to stealing data, even incorporating additional DLLs as needed to gain access to system and user information.

The Trojan has already infected some businesses and extracted funds from accounts, Stewart says, often using unwitting "mules" whose PCs or accounts serve as intermediaries for funds transfer. The Washington Post reported one such incident involving Slack Auto Parts earlier this week.

Clampi is operated by a "serious and sophisticated organized crime group from Eastern Europe" and already has been implicated in numerous high-dollar thefts from banking institutions, Stewart says. "This attack is not being sold underground," he says. "You can't buy a Clampi kit like you can for other Trojans."

Clampi generally can avoid detection by antivirus software, and it even has the ability to discover which AV software a PC is using and take steps to avoid it, Stewart says. Enterprises currently can block Clampi with an intrusion prevention system, but Stewart says he doesn't expect that defense to last very long before the Trojan adapts.

The best strategy to defend against Clampi -- and other attacks that use a similar approach -- is to use separate machines for Web surfing and funds transfer, Stewart says. "Using Windows, it's too dangerous to do transactions on the same machine you do for Web surfing," he says. "You can't have any crossover between them."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7484
Published: 2014-10-20
The Coca-Cola FM Guatemala (aka com.enyetech.radio.coca_cola.fm_gu) application 2.0.41725 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7485
Published: 2014-10-20
The Not Lost Just Somewhere Else (aka it.tinytap.attsa.notlost) application 1.6.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7486
Published: 2014-10-20
The Mitsubishi Road Assist (aka com.agero.mitsubishi) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7487
Published: 2014-10-20
The ADT Aesthetic Dentistry Today (aka com.magazinecloner.aestheticdentistry) application @7F080181 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7488
Published: 2014-10-20
The Vineyard All In (aka com.wVineyardAllIn) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.