Clampi (also known as Ligats, Ilomo, or Rscan) is a strain of computer malware which infects Windows computers. More specifically, it is a man-in-the-browser banking trojan designed to transmit financial and personal information from a compromised computer to a third party for potential financial gain, as well as to report on computer configuration, communicate with a central server, and act as a downloader for other malware.
Clampi was first observed in 2007 affecting computers running the Microsoft Windows operating system.
Clampi monitored over 4000 website URLs, effectively keylogging credentials and user information not only for bank and credit card websites, but also for utilities, market research firms, online casinos, and career websites. At its peak in the fall of 2009, a computer security professional stated that it was one of the largest and most professional thieving operations on the Internet, likely run by a Russian or eastern European syndicate.
False-positive reporting of Clampi is also often used by tech support scammers to pressure individuals into sending them money for the removal of fake computer viruses.
Detailed analysis
Computer security analyst Nicolas Falliere claimed that "few threats have had us scratching our heads like Trojan.Clampi." It was the first trojan found to be using a virtual machine called VMProtect to hide its instruction set. He remarked that the use of a virtual machine added weeks to the time required for programmers to disassemble and describe the threat and mechanism of action.
He discovered it logged and transmitted personal financial information from a compromised computer to a third party for potential financial gain, as well as reported on computer configuration, communicated with a central server, exploited Internet Explorer 8, set up a SOCKS proxy, and acted as a downloader for other malware. The virus was sophisticated enough to hide behind firewalls and go undetected for long periods of time.
A list of around 4,800 URLs was CRC encoded (similar to hashing), so the target sites could not be read directly from the configuration. In September 2009 this list was dictionary attacked against a list of common URLs to produce a partial list of known sites, with some duplication and ambiguity.
The source code has never been reported to be shared or sold online.
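The recovery technique described above, as an added analyst-side example that is not part of the original article or of any published Clampi analysis: a configuration that carries only checksums is matched against an expanded dictionary of common hosts, and every checksum that no candidate explains is reported as unresolved. The target list, the host wordlist and the use of plain zlib CRC-32 are all assumptions made for this example; the page does not state which CRC variant Clampi used.

```python
import zlib
from itertools import product

# Constructed stand-in for the sites a sample really targets. Only the
# checksums below are "known" to the analyst; this list exists solely so
# the example can build a realistic config. Not Clampi's real list.
_SECRET_TARGETS = ["bank.example", "www.cards.example", "casino.example/login"]


def url_crc(s: str) -> int:
    """CRC-32 of a URL string. Assumption: standard zlib CRC-32 over ASCII bytes."""
    return zlib.crc32(s.encode("ascii")) & 0xFFFFFFFF


# The checksums an analyst starts from; one value (0xDEADBEEF) is a constructed
# entry that no dictionary word will explain, mimicking the "partial" result.
CONFIG_CRCS = sorted({url_crc(u) for u in _SECRET_TARGETS} | {0xDEADBEEF})


def expand_candidates(hosts):
    """Dictionary expansion: each common host with/without 'www.' and typical paths."""
    prefixes = ("", "www.")
    paths = ("", "/login", "/signin")
    for host, prefix, path in product(hosts, prefixes, paths):
        yield f"{prefix}{host}{path}"


def crc_dictionary_attack(config_crcs, hosts):
    """Map each configured checksum to every candidate string that produces it.

    Returns (matches, unresolved). A checksum may map to several candidates when
    two dictionary strings collide, which is the ambiguity the text mentions;
    checksums with no candidate stay in `unresolved`, giving only a partial list.
    """
    table = {}
    for cand in expand_candidates(hosts):
        table.setdefault(url_crc(cand), []).append(cand)
    matches = {c: sorted(set(table[c])) for c in config_crcs if c in table}
    unresolved = [c for c in config_crcs if c not in table]
    return matches, unresolved


if __name__ == "__main__":
    common_hosts = ["bank.example", "cards.example", "casino.example", "shop.example"]
    found, missing = crc_dictionary_attack(CONFIG_CRCS, common_hosts)
    for crc, names in found.items():
        print(f"{crc:08x} -> {names}")
    print("unresolved:", [f"{c:08x}" for c in missing])
```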
Named modules
A list of components discovered through decryption of the executable in 2009:
# SOCKS – Configures a SOCKS proxy server attackers can use to log into your bank from your work/home internet connection.
# PROT – Steals PSTORE (protected storage for Internet Explorer) saved passwords.
# LOGGER – Attempts to steal online credentials if the URL is on the list.
# LOGGEREXT – Aids in stealing online credentials for websites with enhanced security, i.e. HTTPS.
# SPREAD – Spreads Clampi to computers in the network with shared directories.
# ACCOUNTS – Steals locally saved credentials for a variety of applications such as instant messaging and FTP clients.
# INFO – Gathers and sends general system information.
# KERNAL – The eighth module refers to itself as Kernal while running inside the proprietary protected virtual appliance.
See also
* Botnet
* Conficker
* Gameover ZeuS, the successor to ZeuS
* Operation Tovar
* Timeline of computer viruses and worms
* Tiny Banker Trojan
* Torpig
* Zombie (computing)
References
External links
Clampi virus targets companies' financial accounts – ''ABC News''
Massive Botnet Stealing Financial Info – ''PC World''
Inside the Jaws of Trojan.Clampi – Symantec Security whitepaper (archived)