A close look at the Clampi Trojan, an elusive piece of malware that uses encryption to help hide its nefarious data-stealing deeds, reveals it to be a botnet-controlled monster associated with around 4600 different sites.
"We've been able to get through the layers of encryption in Clampi," says Joe Stewart, director of malware research at SecureWorks. "Clampi is collecting data associated with about 4600 sites, such as banks and other financial institutions targeted by criminal networks."
But it doesn't stop there.
Clampi "is going after utilities, market research firms, online casinos and career sites," Stewart says, in a broad sweep to grab personally identifiable information, such as credentials and account information, that might be of use to criminals for financial gain. Clampi, also known as Ligats, Ilomo or Rscan, is using psexec tools to spread to spread across Microsoft-based networks in a worm-like fashion.
So far, the analysis by SecureWorks has identified 1400 specific sites in 70 countries out of the 4600 or so total sites the Clampi Trojan appears programmed to monitor once it has infected a victim's Windows-based machine.
The design of the Clampi Trojan, which was first spotted in 2007, reveals its creator "has gone out and methodically figured out a lot about these sites," Stewart says.
He says the 4600 number is enormous in comparison to what is usually found in Trojans designed for stealing financial data from victims trying to conduct transactions online. Most Trojans of this sort, such as Zeus, normally would have not more than 30 banks as a target.
The Clampi Trojan, once it worms its way into a victim's machine, will watch for the victim to try and do anything online associated with any of the 4600 different sites and then leap into action to steal data, transferring it via an encrypted channel back to command-and-control servers.
According to SecureWorks, Clampi's main way of spreading is through drive-by downloads when a user visits a website that has been compromised by attackers.
Some of these sites may be trusted as legitimate by web visitors, but the site has been compromised, often because the webmaster or network manager security credentials for it have been stolen and the attacker has simply loaded up the malware to enable the Clampi drive-by download.
The Clampi Trojan, believed to have infected hundreds of thousands of machines, basically functions as a botnet under the command-and-control of a botmaster, probably in Eastern Europe, Stewart says.
As a botnet, it is sweeping up victim's sensitive personal data and sending it back through a set of command-and-control servers to cybercriminals. Clampi seems to be picking up speed in its spread since July and may be the Trojan used in a cybertheft scam that hit Georgia-based Slack Auto Parts earlier this month.
The Clampi command-and-control server is encrypted by 448-bit blowfish encryption, using a randomly generated key that is sent to the control server using 2048-bit RSA encryption. SecureWorks got through the encryption layer by intercepting the session key in a test system and decrypting the network traffic. This allowed the security firm to examine the list of websites targeted by a module that's part of Clampi.
How can you defend yourself against Clampi?
"There is no product you can buy to stop this as a zero-day attack," Stewart says, though he added that antivirus software might eventually detect it and stop it later on your machine.
He recommended finding a way to use a "separate system" to conduct financial transactions, one that is not the same system you might use to browse the internet. That would lower the risk of being infected by the Clampi Trojan.