July 29, 2009 11:30 AM PDT

Clampi Trojan stealing online bank data from consumers and businesses

by Elinor Mills

Joe Stewart, SecureWorks' director of malware research for the Counter Threat Unit, has been researching the Clampi Trojan for two years.

(Credit: Elinor Mills/CNET)

LAS VEGAS--Hundreds of thousands of Windows computers are believed to be infected with a Trojan called "Clampi" that has been stealing banking and other log-in credentials from compromised PCs since 2007, a security researcher said on the eve of the Black Hat security conference.

Clampi, also known as Ligats, Ilomo, or Rscan, infects computers in drive-by downloads when people visit Web sites hosting malicious code that exploits vulnerabilities in browser plug-ins Flash and ActiveX, said Joe Stewart, director of malware research for the Counter Threat Unit of SecureWorks.

When the infected computer is used to access a targeted banking or other site, the log-in and other information is stolen.

Clampi has spread quickly through Microsoft-based networks in a worm-like fashion in recent months, Stewart said. It uses domain administrator credentials that were either stolen by the Trojan or captured when an administrator logged into an infected system. It then uses the Sysinternals tool PsExec, a Windows executable, to copy itself to all the computers on the domain, he said.
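The propagation pattern Stewart describes, one domain account installing PsExec's remote service on many machines in a short window, is something a defender can surface from Windows "service installed" events. The following is an added example, not code from the article or from SecureWorks; the log records are constructed, and their field layout, the five-minute window and the three-host threshold are assumptions of the example (event 7045 and the PSEXESVC service name are real).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows System log event 7045 (a new
# service was installed). Hosts, account names and timestamps are invented.
SAMPLE_LOG = """\
2009-07-28T09:00:12 host=WS-017 event=7045 service=PSEXESVC image=%SystemRoot%\\PSEXESVC.exe user=CORP\\da-admin
2009-07-28T09:00:15 host=WS-023 event=7045 service=PSEXESVC image=%SystemRoot%\\PSEXESVC.exe user=CORP\\da-admin
2009-07-28T09:00:19 host=WS-031 event=7045 service=PSEXESVC image=%SystemRoot%\\PSEXESVC.exe user=CORP\\da-admin
2009-07-28T09:00:22 host=FS-002 event=7045 service=PSEXESVC image=%SystemRoot%\\PSEXESVC.exe user=CORP\\da-admin
2009-07-28T10:41:03 host=WS-005 event=7045 service=VSS image=%SystemRoot%\\System32\\vssvc.exe user=NT AUTHORITY\\SYSTEM
2009-07-28T14:12:40 host=WS-040 event=7045 service=PSEXESVC image=%SystemRoot%\\PSEXESVC.exe user=CORP\\helpdesk1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"service=(?P<service>\S+) image=(?P<image>\S+) user=(?P<user>.+)$"
)

def parse_events(text):
    """Parse the sample lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return events

def find_psexec_spread(events, window=timedelta(minutes=5), min_hosts=3):
    """Return {account: sorted hosts} for every account that installed the
    PsExec service (PSEXESVC) on at least min_hosts distinct hosts inside one
    time window. One PsExec run is routine admin work; a rapid fan-out from a
    single domain account is the worm-like propagation the article describes."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "7045" and e["service"].upper() == "PSEXESVC":
            by_user[e["user"]].append((e["ts"], e["host"]))
    hits = {}
    for user, installs in by_user.items():
        installs.sort()
        for i, (start, _) in enumerate(installs):
            hosts = {h for t, h in installs[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits
```

The single helpdesk run stays below the threshold while the four installs from the domain admin account in ten seconds are reported.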

Clampi also serves as a proxy server for criminals to anonymize their activity when logging into stolen accounts.

Stewart has identified 1,400 Web sites in 70 different countries out of 4,500 sites being targeted by the Trojan attack. The sites include banks, credit card companies, online casinos, retail sites, utilities, ad networks, stock brokerages, mortgage lenders, and government and military portals.

Based on the techniques they are using, Stewart said criminals in Eastern Europe are believed to be behind Clampi.

Because it can take days or weeks to get a sample of the latest version of the Trojan, antivirus protection is often delayed, arriving after a PC is already infected, according to Stewart.

"This type of Trojan, banking Trojans in general, are the biggest threat to home computer users and businesses doing banking online," he said. "You can't rely on antivirus. At some point you are going to visit the wrong site and they'll get a Trojan on your computer."

The Trojan uses three types of encryption and sophisticated virtual machine-based packing technology to disguise itself in order to get through antivirus filters, according to Stewart.

SecureWorks' intrusion prevention software doesn't stop computers from getting infected, but it prevents the theft of data by blocking the encrypted traffic that it deems suspicious, he said.

Stewart recommends that consumer and business Web surfers use a dedicated computer for their banking and other sensitive financial online activities that is separate from the computer where e-mail is accessed and Web surfing is done. People should also be careful using removable drives on those isolated computers as Trojans can spread that way.

By now, the criminals "probably have way more accounts than they can actually clean out," Stewart said.

Even so, the losses from Clampi are starting to be publicized. The Trojan was behind the theft of nearly $75,000 from Slack Auto Parts in Gainesville, Ga., according to the Security Fix blog at The Washington Post.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by The_happy_switcher July 29, 2009 11:49 AM PDT
"Hundreds of thousands of Windows computers are believed to be infected with a Trojan called "Clampi." Butt slapping sound in the offing and whimpers of 'thank you master, may I have another?' resonating out there in Windows Land today.

--Microsoft. Your frustration. Our Fault.
by ballmerisanape July 29, 2009 11:58 AM PDT
Macs are susceptible to drive-by Trojans too (Java).... just not this one.
by BogusBasin July 29, 2009 12:04 PM PDT
Ahhh haaaa haaaa hoooo haaaa!!!!!!!

Where do you want to go today? Bankruptcy?!

Amen
by monkeyfun14 July 29, 2009 12:09 PM PDT
Nah, I only hear the sounds of whipping from Apple land as you thousands run out to do your masters' advertising.

--Apple. Your Money. Our Lies.
by MythicalMe July 29, 2009 1:25 PM PDT
Who the %$@# cares. [CNET editors' note: Personal attack deleted.]

I'd really like to read comments other than this constant Apple vs Windows vs Linux crap. I don't care; all computers and software have drawbacks. I learned this from the first program that I wrote some 30 years ago.
by SVContrarian July 29, 2009 12:43 PM PDT
Perhaps a bit more detail here? What versions are vulnerable? Are fully patched versions vulnerable? Win7? 64 bit with DEP? The article and links have zero useful information to assess whether you're vulnerable - why spread fear on the back of so little information? Bad practices are part of the issue - browsing dodgy sites from a domain admin account? Duh. Plus this doesn't seem like it's taking the world by storm. 100,000 infections is a whopping 0.01% of the billion-plus PCs. (One in a hundred thousand). Finally, Windows defender has been blocking this since Oct 2008, with the Clampi definition updated most recently in June 2009. If you're using that, are you vulnerable? Come on CNET, where's the beef? Without some decent details, this is useless fearmongering.
by markdoiron July 29, 2009 2:37 PM PDT
I agree. Unfortunately, articles like this are woefully short on details, and I find myself depending on the reader comments to fill those in. It would be nice to find a much more comprehensive article that didn't leave me with a dozen questions. --mark d.
by elinormills July 30, 2009 8:25 AM PDT
Good questions. Here is what Stewart said: "I haven't looked closely enough at the exploit pages to know for sure - figuring out which patchlevels are affected takes a bit of effort to determine, especially since these kits often include exploits for third-party software like Acrobat and Flash. So you could be up-to-date on all your Microsoft patches, but when was the last time Flash was updated on your system? Or, you could be up-to-date on the Flash plugin, but the version of Flash embedded inside the Acrobat plugin might be a version behind although the Acrobat plugin itself is the latest version."
by FF2009 July 29, 2009 1:11 PM PDT
Happy ActiveX hunting, lol

When I used Windows I never browsed with ActiveX enabled, out of fear that some day I'd bump into something strange like what's happening these days.

I feel much better and safer now that I've switched to Ubuntu.

Happy ActiveX hunting, you all, lol
by PSmith July 29, 2009 1:11 PM PDT
Macs are NOT vulnerable to "drive-by Trojans." The term "drive-by" means you get infected simply by visiting a malware-infected site. A Trojan, on the other hand, must be installed on a Macintosh by the user. Unlike Windows, Mac OS X is not vulnerable to ActiveX Trojans that can infect a machine via "drive-by" means.
The vulnerability exists only because some users (yes, even some Mac users) are just plain stupid.
by ballmerisanape July 29, 2009 1:25 PM PDT
Nobody said they were.. in fact.. the second post was by an admitted Apple Fanboy (me)..

and it said..

"Macs are susceptible to drive-by Trojans too (Java).... just not this one."
by monkeyfun14 July 29, 2009 1:27 PM PDT
Vista is immune to drive-bys.

If you're going to bash an OS, at least make sure the lies stay valid with the current one.
by ballmerisanape July 29, 2009 1:30 PM PDT
Can I edit my post.. lol

On the contrary.. Macs are indeed vulnerable to web drive-by Trojans via a browser Java exploit.

Read:

http://www.appleinsider.com/articles/09/05/20/security_firm_warns_of_java_vulnerability_in_mac_os_x.html
by ballmerisanape July 29, 2009 1:42 PM PDT
monkeyfun14

What makes you think that?
by monkeyfun14 July 29, 2009 2:01 PM PDT
For one, UAC doesn't install a damn thing unless you approve it, and no exploit in the wild has ever bypassed it.
by ballmerisanape July 29, 2009 2:56 PM PDT
monkeyfun14,

Then by your logic.. the Mac OS is immune to viruses and Trojan programs.

I'm cool with that logic.
by monkeyfun14 July 29, 2009 3:06 PM PDT
@ballmerisanape

When did I say that?

I said Vista was immune to drive-bys, which it is.
So is OSX.

I never said it was immune to Trojans, but those require the user to approve them running.
by baconstang July 29, 2009 4:51 PM PDT
The Mac Java exploit was patched a few weeks ago. Currently there is no known worm or Trojan that can infect a Mac without the administrator's password. The Java issue could infect without the password (although I think you had to be online with Admin privileges).
by MrRetardo July 30, 2009 4:23 AM PDT
As for the whole "Mac/Windows/Linux Immune" argument... We all know how every single computer user is smart enough to NOT run with Admin Privileges, right??? ;)
by fgwgner July 30, 2009 10:05 AM PDT
Hey MythicalMe, glad that somebody finally made a post on CNET that makes sense. Unless you're GOD, no program code is perfect; there are always security holes in any program or O.S.
by marcharmon July 31, 2009 9:04 AM PDT
This article

Defending against the Clampi Trojan
http://blogs.computerworld.com/defending_against_the_clampi_trojan

looks at the ways Clampi infects Windows machines and offers defensive tactics for each attack vector. It's a long list, perhaps too long for many computer users. Inexperienced, non-techies are probably better off running Firefox on Linux, both for their safety and ours.
by gellersamantha July 31, 2009 11:27 PM PDT
That's very scary to know: our information is not at all protected in this world of technology.
Samantha
www.Aafter.com