Risk
7/29/2009
09:12 AM
50%
50%

Researcher Uncovers Massive, Sophisticated Trojan Targeting Top Businesses

Trojan may already have infected hundreds of thousands of PCs, botnet expert says

LAS VEGAS -- BLACK HAT USA 2009 -- A security researcher has discovered a Trojan that is designed to extract account data from as many as 4,600 of the world's most popular and wealthy businesses.

In "one of the largest and most professional thieving operations on the Internet," a Trojan called Clampi (also known as Ligats, llomo, or Rscan) has spread across Microsoft networks in a worm-like fashion, and may already have infected hundreds of thousands of corporate and home PC users, according to SecureWorks researcher Joe Stewart, one of the world's foremost authorities on botnets and targeted attacks.

"We weren't all that worried about Storm, and we weren't all that worried about Conficker," Stewart says. "This one you need to worry about."

The Trojan uses PsExec -- a popular, lightweight Telnet replacement tool that lets one system execute processes on other systems -- and a sophisticated process of encryption and packing to hide its origins and targets. So far, Stewart says, the Trojan appears to be targeting 4,600 Websites, of which he has identified approximately 1,400 in 70 countries.

Those 1,400 sites include some of the most popular and financially lucrative companies in the world. "This thing is like the Dun & Bradstreet of the underground hacking world," Stewart says. "It's attacking the sites with the most users and the most money." Among the industries being targeted are banks, credit card companies, stock brokerages, insurance, retail, advertising networks, and utilities.

Clampi, which was first discovered in 2007, seeks out domain administrator credentials much the way Coreflood attack did last year, Stewart says. Once domain administrator privileges are granted, the Trojan uses the SysInternals tool "PsExec" to copy itself to all computers on the domain. Clampi also serves as a proxy server used by criminals to anonymize their activities when logging into stolen accounts, he says.

However, unlike Coreflood, which extracted a broad range of data from the infected PCs, Clampi extracts only useful credentials and account data, Stewart says. "These guys are getting exactly what they need, putting it in a database, and storing it," he says. "Even though much of the data is collected in multiple languages, they seem to have found a way to pull it all together." Clampi uses a modular approach to stealing data, even incorporating additional DLLs as needed to gain access to system and user information.

The Trojan has already infected some businesses and extracted funds from accounts, Stewart says, often using unwitting "mules" whose PCs or accounts serve as intermediaries for funds transfer. The Washington Post reported one such incident involving Slack Auto Parts earlier this week.

Clampi is operated by a "serious and sophisticated organized crime group from Eastern Europe" and already has been implicated in numerous high-dollar thefts from banking institutions, Stewart says. "This attack is not being sold underground," he says. "You can't buy a Clampi kit like you can for other Trojans."

Clampi generally can avoid detection by antivirus software, and it even has the ability to discover which AV software a PC is using and take steps to avoid it, Stewart says. Enterprises currently can block Clampi with an intrusion prevention system, but Stewart says he doesn't expect that defense to last very long before the Trojan adapts.

The best strategy to defend against Clampi -- and other attacks that use a similar approach -- is to use separate machines for Web surfing and funds transfer, Stewart says. "Using Windows, it's too dangerous to do transactions on the same machine you do for Web surfing," he says. "You can't have any crossover between them."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0714
Published: 2015-05-02
Multiple cross-site scripting (XSS) vulnerabilities in Cisco Finesse Server 10.0(1), 10.5(1), 10.6(1), and 11.0(1) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCut53595.

CVE-2014-3598
Published: 2015-05-01
The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image.

CVE-2014-8361
Published: 2015-05-01
The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request.

CVE-2015-0237
Published: 2015-05-01
Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 ignores the permission to deny snapshot creation during live storage migration between domains, which allows remote authenticated users to cause a denial of service (prevent host start) by creating a long snapshot chain.

CVE-2015-0257
Published: 2015-05-01
Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 uses weak permissions on the directories shared by the ovirt-engine-dwhd service and a plugin during service startup, which allows local users to obtain sensitive information by reading files in the directory.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.