Researcher Uncovers Massive, Sophisticated Trojan Targeting Top Businesses
Trojan may already have infected hundreds of thousands of PCs, botnet expert says
LAS VEGAS -- BLACK HAT USA 2009 -- A security researcher has discovered a Trojan that is designed to extract account data from as many as 4,600 of the world's most popular and wealthy businesses.
In "one of the largest and most professional thieving operations on the Internet," a Trojan called Clampi (also known as Ligats, llomo, or Rscan) has spread across Microsoft networks in a worm-like fashion, and may already have infected hundreds of thousands of corporate and home PC users, according to SecureWorks researcher Joe Stewart, one of the world's foremost authorities on botnets and targeted attacks.
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
- Top Big Data Security Tips and Ultimate Protection for Enterprise Data
- How to Improve Customer Analytics: Best Practices
"We weren't all that worried about Storm, and we weren't all that worried about Conficker," Stewart says. "This one you need to worry about."
The Trojan uses PsExec -- a popular, lightweight Telnet replacement tool that lets one system execute processes on other systems -- and a sophisticated process of encryption and packing to hide its origins and targets. So far, Stewart says, the Trojan appears to be targeting 4,600 Websites, of which he has identified approximately 1,400 in 70 countries.
Those 1,400 sites include some of the most popular and financially lucrative companies in the world. "This thing is like the Dun & Bradstreet of the underground hacking world," Stewart says. "It's attacking the sites with the most users and the most money." Among the industries being targeted are banks, credit card companies, stock brokerages, insurance, retail, advertising networks, and utilities.
Clampi, which was first discovered in 2007, seeks out domain administrator credentials much the way Coreflood attack did last year, Stewart says. Once domain administrator privileges are granted, the Trojan uses the SysInternals tool "PsExec" to copy itself to all computers on the domain. Clampi also serves as a proxy server used by criminals to anonymize their activities when logging into stolen accounts, he says.
However, unlike Coreflood, which extracted a broad range of data from the infected PCs, Clampi extracts only useful credentials and account data, Stewart says. "These guys are getting exactly what they need, putting it in a database, and storing it," he says. "Even though much of the data is collected in multiple languages, they seem to have found a way to pull it all together." Clampi uses a modular approach to stealing data, even incorporating additional DLLs as needed to gain access to system and user information.
The Trojan has already infected some businesses and extracted funds from accounts, Stewart says, often using unwitting "mules" whose PCs or accounts serve as intermediaries for funds transfer. The Washington Post reported one such incident involving Slack Auto Parts earlier this week.
Clampi is operated by a "serious and sophisticated organized crime group from Eastern Europe" and already has been implicated in numerous high-dollar thefts from banking institutions, Stewart says. "This attack is not being sold underground," he says. "You can't buy a Clampi kit like you can for other Trojans."
Clampi generally can avoid detection by antivirus software, and it even has the ability to discover which AV software a PC is using and take steps to avoid it, Stewart says. Enterprises currently can block Clampi with an intrusion prevention system, but Stewart says he doesn't expect that defense to last very long before the Trojan adapts.
The best strategy to defend against Clampi -- and other attacks that use a similar approach -- is to use separate machines for Web surfing and funds transfer, Stewart says. "Using Windows, it's too dangerous to do transactions on the same machine you do for Web surfing," he says. "You can't have any crossover between them."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.