Clampi (also known as Ligats, llomo, or Rscan) is a strain of computer malware which infects Windows computers. More specifically, it is a man-in-the-browser banking trojan designed to transmit financial and personal information from a compromised computer to a third party for potential financial gain, as well as to report on computer configuration, communicate with a central server, and act as a downloader for other malware. Clampi was first observed in 2007 affecting computers running the Microsoft Windows operating system. Clampi monitored over 4000 website URLs, effectively keylogging credentials and user information not only for bank and credit card websites, but also for utilities, market research firms, online casinos, and career websites. At its peak in the fall of 2009, a computer security professional stated that it was one of the largest and most professional thieving operations on the Internet, likely run by a Russian or eastern European syndicate. False-positive reporting of Clampi is also often used by tech support scammers to pressure individuals into sending them money for the removal of fake computer viruses.


Detailed analysis

Computer security analyst Nicolas Falliere claimed that "few threats have had us scratching our heads like Trojan.Clampi." It was the first trojan found to be using a virtual machine called VMProtect to hide its instruction set. He remarked that the use of a virtual machine added weeks to the time required for programmers to disassemble and describe the threat and its mechanism of action. He discovered it logged and transmitted personal financial information from a compromised computer to a third party for potential financial gain, as well as reported on computer configuration, communicated with a central server, exploited Internet Explorer 8, set up a SOCKS proxy, and acted as a downloader for other malware. The virus was sophisticated enough to hide behind firewalls and go undetected for long periods of time. A list of around 4,800 URLs was CRC encoded (similar to hashing). This was dictionary attacked against a list of common URLs in September 2009 to produce a partial list of known sites with some duplication and ambiguity. The source code has never been reported to be shared or sold online.
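The recovery step described above, as an added example that is not from the page or from the Symantec analysis: a small constructed CRC-encoded target list is matched against a constructed dictionary of candidate hostnames, reporting which entries are recovered, which are ambiguous (several candidates normalise to the same value), and which stay unresolved. CRC32 over the lowercased hostname is an assumption; the page does not state which CRC variant or input form Clampi used.

```python
import zlib

# Constructed stand-in for the malware's CRC-encoded target list: invented
# hostnames hashed with CRC32. The real Clampi list (~4,800 entries) and its
# exact CRC variant are not on this page; CRC32 over the lowercased hostname
# is an assumption made for this demonstration.
def crc_encode(host: str) -> int:
    return zlib.crc32(host.strip().lower().encode("ascii")) & 0xFFFFFFFF

TARGET_HOSTS = ["bank.example", "cards.example", "casino.example", "jobs.example"]
ENCODED_TARGETS = {crc_encode(h) for h in TARGET_HOSTS}

# Constructed dictionary of "common URLs" an analyst might try. It includes
# spellings that normalise to the same value (duplication) and hosts that are
# not on the list at all.
CANDIDATE_DICTIONARY = [
    "bank.example", "BANK.EXAMPLE", "www.bank.example",
    "cards.example", "shop.example", "jobs.example ", "mail.example",
]

def dictionary_match(encoded, candidates):
    """Recover plaintext hosts for CRC values by trying each candidate.

    Returns (recovered, unresolved). recovered maps a CRC value to the list of
    candidate strings that produce it; more than one entry means the recovery
    is ambiguous about which spelling was originally encoded. unresolved holds
    the CRC values that no candidate reproduced, i.e. the gaps in a partial list.
    """
    recovered = {}
    for cand in candidates:
        h = crc_encode(cand)
        if h in encoded:
            recovered.setdefault(h, []).append(cand)
    unresolved = set(encoded) - set(recovered)
    return recovered, unresolved

def coverage(encoded, candidates) -> float:
    """Fraction of encoded entries the dictionary managed to recover."""
    recovered, _ = dictionary_match(encoded, candidates)
    return len(recovered) / len(encoded)

if __name__ == "__main__":
    rec, unres = dictionary_match(ENCODED_TARGETS, CANDIDATE_DICTIONARY)
    for h, names in sorted(rec.items()):
        print(f"{h:08x} -> {names}")
    print("unresolved:", [f"{h:08x}" for h in sorted(unres)])
    print(f"coverage: {coverage(ENCODED_TARGETS, CANDIDATE_DICTIONARY):.2f}")
```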


Named modules

A list of components discovered through decryption of the executable in 2009:

1. SOCKS – Configures a SOCKS proxy server attackers can use to log into your bank from your work/home internet connection.
2. PROT – Steals PSTORE (protected storage for Internet Explorer) saved passwords.
3. LOGGER – Attempts to steal online credentials if the URL is on the list.
4. LOGGEREXT – Aids in stealing online credentials for websites with enhanced security, i.e. HTTPS.
5. SPREAD – Spreads Clampi to computers in the network with shared directories.
6. ACCOUNTS – Steals locally saved credentials for a variety of applications such as instant messaging and FTP clients.
7. INFO – Gathers and sends general system information.
8. KERNAL – The eighth module refers to itself as Kernal while running inside the proprietary protected virtual appliance.


See also

* Botnet
* Conficker
* Gameover ZeuS, the successor to ZeuS
* Operation Tovar
* Timeline of computer viruses and worms
* Tiny Banker Trojan
* Torpig
* Zombie (computing)



External links


Clampi virus targets companies' financial accounts – ABC News
Massive Botnet Stealing Financial Info – PC World
Inside the Jaws of Trojan.Clampi – Symantec Security whitepaper (archived)