
Clampi Trojan: The Rise of Matryoshka Malware

Last week, Security Fix told the online banking saga of Slack Auto Parts, a company in Georgia that lost nearly $75,000 at the hands of an extremely sophisticated malicious software family known as "Clampi". I only mentioned the malware in passing, but it deserves a closer look: Research released this week by a top malware analyst suggests that Clampi is among the stealthiest and most pervasive threats to Microsoft Windows systems today.

Joe Stewart, director of malware research for the Counter Threat Unit at computer security firm SecureWorks, said Clampi appears to have spread to hundreds of thousands of Windows systems since its debut in 2007. Unlike other malware families designed to steal credentials -- which are frequently sold and used among the larger cyber criminal community -- Stewart said Clampi appears to be the ever-evolving weapon of a single organized crime group operating out of Eastern Europe that has been implicated in numerous high-dollar thefts from banking institutions.

[Image: Matryoshka Mafia, courtesy FreakingNews.com]

It is not unusual for malware authors to obfuscate various components that are nested inside one another like so many Matryoshka dolls, all in a bid to stymie researchers and anti-virus companies. But Stewart said the criminals behind Clampi have encrypted or obfuscated nearly every aspect of the malware -- including the lists of e-commerce sites targeted, the data stolen, and Clampi's various feature plug-ins -- multiple times, and with very strong encryption. (Matryoshka Mafia image courtesy FreakingNews.com.)

Typically, password-stealing Trojans contain a list of a few dozen banking institutions that the malware will look to steal data from if the victim visits those sites. But according to Stewart, Clampi's authors aren't just targeting banking sites.

"They are targeting institutions where users may enter data that might be useful in stealing money, such as utilities, retail, online casinos, banking, insurance, accounting services, credit bureaus," Stewart said.

Stewart says Clampi is targeting credentials from some 4,600 Web sites, though so far he says he has only been able to identify about 1,400 of those. The list below gives the reader some idea of the breadth of sites targeted by this malware:

Advertising networks
Utilities
Email marketing
Stock brokerages
Market research databases
Online casinos
Retail
Career sites
Insurance
Banking
Credit card companies
Accounting Services
Wire transfer services
Mortgage lenders
Consumer databases
Webmail
Foreign Postal Services (Non-US)
Software
Military/Government information portals
Recommendation engines
ISPs
Various News blogs
File upload sites

According to Stewart, the information stolen by Clampi is sent from the victim PC to a Web server controlled by the attackers using a randomly generated session key protected with 2048-bit RSA encryption. The encryption shields the stolen data in transit, so that, in theory, only the attackers, who hold the matching private key, can read it; anyone intercepting the traffic sees only ciphertext.

"On top of that, they're using 448-bit Blowfish encryption," Stewart said [fans of the TV drama "24" may recall hearing the show's star Jack Bauer talking about trying to crack bad-guy communications encrypted with Blowfish].

"It's virtually uncrackable in any time frame we could possibly look at," Stewart said. "It's difficult to understand what it does given all this advanced packing and encryption. This is by far the hardest thing I've ever had to reverse engineer."

Stewart said Clampi also makes it easy for attackers to log into the victim's bank account by tunneling back through that victim's PC, a tactic that could defeat some bank Web site security features that raise alarms when a customer logs in from an unusual Internet address. This feature is remarkably similar to a password-stealing Trojan known as Zeus. In fact, earlier this month I wrote about Bullitt County, Kentucky, which lost $415,000 when hackers using Zeus's connect-back feature tunneled through the local treasurer's machine to log into the county's bank account.

Most Trojans can't spread on their own, but Clampi can, and does: it uses a legitimate Windows administration tool called "psexec" to try to spread to other systems on a network once it has gained a foothold on one PC. In fact, the latest writeup on Clampi from Symantec says the anti-virus vendor has observed an increase in the number of Clampi infections since July 1, possibly due to this spreading capability.

Stewart said the sophistication and stealth of this malware strain has become so bad that it's time for Windows users to start thinking of doing their banking and other sensitive transactions on a dedicated system that is not used for everyday Web surfing.

This isn't such a radical idea if you own a Mac or just have a spare computer lying around. If you want true peace of mind while conducting sensitive transactions online, grab a copy of a bootable, live Linux installation like Knoppix or Ubuntu Live, burn it to a CD-ROM, boot the spare system into that operating system, and do your online banking from there.

Stewart's writeup on Clampi is available here.

By Brian Krebs  |  July 30, 2009; 3:06 PM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Small Business Victims  | Tags: clampi, matryoshka malware  

Comments

Whoa! This sounds like a really well thought-out enterprise. Perhaps the economic downturn is spurring the well-educated malefactors of the (formerly) Soviet bloc to new ingenuity.

Interesting to mention Apple. Absolutely NO ethical aspersions toward Apple, but the proprietary high concept is reminiscent of the Cupertino colossus.

Posted by: featheredge99 | July 30, 2009 3:36 PM

Windows users should see

Defending against the Clampi Trojan
http://blogs.computerworld.com/defending_against_the_clampi_trojan

For many, the advice here will be just too much, making Macs and Linux machines perhaps the best way to do online banking.

Posted by: MichaelsPostingID | July 31, 2009 10:11 AM

Brian

Just downloaded Ubuntu 9.04 and burned the image to a CD-ROM.

Using WinXP Pro, the disk appeared to boot [Ubuntu came up] but then couldn't execute any of the commands.

Suggestions ???

Posted by: brucerealtor@gmail.com | July 31, 2009 10:38 AM

As a security analyst, I'd say that Clampi (or Clomp, as Sophos calls it) may be too clever for its own good.

By using PsExec to spread, it gives us something less complex to be looking for on a system, and if you block PsExec from running you stop the malware from being able to spread (http://www.sophos.com/blogs/sophoslabs/v/post/5734).

It also uses a technique to inject code into Internet Explorer, which again is something very easy to spot and block (http://www.sophos.com/blogs/sophoslabs/v/post/5289).

Clomp has squarely shot itself in the foot - its “clever features” mean that it announces its presence to anybody who cares to listen.

Posted by: RichardCohen_Sophos | July 31, 2009 2:11 PM
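Both the article's point that Clampi spreads with psexec and the Sophos comment above that this makes it easier to spot rest on the same observable: when PsExec is run against a machine, the Service Control Manager on that machine records the installation of a service named PSEXESVC (Windows System log, Event ID 7045). The detection below is an added example, not code from Sophos or from the article, run over a constructed log in a flattened key=value form that an imaginary collector might emit; hosts, timestamps and paths are made up. It goes slightly beyond the page by also flagging the lateral-movement pattern, the same service appearing on several hosts within a short window.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed System-log sample: one event per line, flattened to key=value
// fields. Event ID 7045 is "a service was installed"; PSEXESVC is the service
// PsExec registers on the machine it is run against. All values are made up.
const sampleLog = `2009-07-28T09:14:03Z host=WS-ACCT01 event_id=7045 service_name=Spooler image_path=%SystemRoot%\System32\spoolsv.exe
2009-07-28T09:15:41Z host=WS-ACCT01 event_id=7036 service_name=Spooler state=running
2009-07-28T09:22:10Z host=WS-ACCT02 event_id=7045 service_name=PSEXESVC image_path=%SystemRoot%\PSEXESVC.exe
2009-07-28T09:22:12Z host=WS-ACCT02 event_id=7036 service_name=PSEXESVC state=running
2009-07-28T09:23:05Z host=WS-ACCT03 event_id=7045 service_name=psexesvc image_path=%SystemRoot%\PSEXESVC.exe
2009-07-28T09:40:55Z host=WS-ACCT01 event_id=7045 service_name=BackupAgent image_path=C:\Backup\agent.exe`

// Alert is one service installation that matched the PsExec signature.
type Alert struct {
	Time, Host, Name, Path string
}

// parseLine splits a flattened event line into its timestamp and fields.
// Values are assumed to contain no spaces (true for the constructed sample).
func parseLine(line string) (string, map[string]string) {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return "", nil
	}
	kv := make(map[string]string, len(fields)-1)
	for _, f := range fields[1:] {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	return fields[0], kv
}

// FindPsExecInstalls returns, in log order, every 7045 event whose service
// name is PSEXESVC. The comparison is case-insensitive so that a collector
// that lower-cases names does not hide the match.
func FindPsExecInstalls(text string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(text, "\n") {
		ts, kv := parseLine(line)
		if kv == nil || kv["event_id"] != "7045" {
			continue
		}
		if strings.EqualFold(kv["service_name"], "PSEXESVC") {
			alerts = append(alerts, Alert{Time: ts, Host: kv["host"], Name: kv["service_name"], Path: kv["image_path"]})
		}
	}
	return alerts
}

// DistinctHosts returns the sorted set of hosts that produced alerts.
func DistinctHosts(alerts []Alert) []string {
	seen := map[string]bool{}
	for _, a := range alerts {
		seen[a.Host] = true
	}
	hosts := make([]string, 0, len(seen))
	for h := range seen {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	return hosts
}

// SpreadWithin reports whether PSEXESVC was installed on two different hosts
// less than window apart, the pattern of one foothold reaching the next.
func SpreadWithin(alerts []Alert, window time.Duration) bool {
	for i := range alerts {
		ti, err := time.Parse(time.RFC3339, alerts[i].Time)
		if err != nil {
			continue
		}
		for j := i + 1; j < len(alerts); j++ {
			tj, err := time.Parse(time.RFC3339, alerts[j].Time)
			if err != nil || alerts[i].Host == alerts[j].Host {
				continue
			}
			if d := tj.Sub(ti); d <= window && d >= -window {
				return true
			}
		}
	}
	return false
}

func main() {
	alerts := FindPsExecInstalls(sampleLog)
	for _, a := range alerts {
		fmt.Printf("%s %s installed %s from %s\n", a.Time, a.Host, a.Name, a.Path)
	}
	fmt.Println("hosts affected:", strings.Join(DistinctHosts(alerts), ", "))
	fmt.Println("spread within 5 minutes:", SpreadWithin(alerts, 5*time.Minute))
}
```

The service-name match is a first pass: the durable signal is the 7045 event itself on hosts where administrators never install services remotely, so in practice the same parser would be fed an allow-list of expected service names and image paths and alert on everything else.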

@brucerealtor, you may find help at http://ubuntuforums.org/

Put the passphrase "quacking ostrich" in your question, I'll keep an eye out for it.

Posted by: amturnip | July 31, 2009 9:21 PM

DONE

Posted by: brucerealtor@gmail.com | August 1, 2009 12:54 AM

Another great piece of work, Bk! The comments here are amusing. It's entertaining to see how reluctantly people accept the fact their precious Windows systems 'might just not be securable'. All the best.

Posted by: Rixstep | August 1, 2009 8:00 PM

@MichaelsPostingID: 'For many, the advice here will be just too much, making Macs and Linux machines perhaps the best way to do online banking.'

So you're saying if people have the right skills they might still be able to stay on Windows? For what reason would they want to do that? Isn't security supposed to be easy?

Posted by: Rixstep | August 2, 2009 12:29 AM

@RichardCohen_Sophos: not sure what to make of your comment and your references!

- Are you saying the threat alert is over and everybody can go *safely* back to using Windows for crucial sensitive tasks such as banking, airport systems, surgery systems, defence systems, and the like? It's OK now according to you? Yes or no please. One syllable. Thanks.

- Are you saying Windows is again secure as long as everyone is using your products?

- Can you address the remaining 200,000+ malware strains in the same fashion? And give people some sort of documented guarantee?

If you have something that good then you should get the word out and help us save the Internet!

;)

Posted by: Rixstep | August 2, 2009 5:13 PM

Or you could just take 20 minutes a month, write out your check payments, affix the stamps and mail.

Or is this too much effort for banking security?

Posted by: jcluma | August 3, 2009 2:00 PM

@Rixstep: my comment and references are about the implication that Clomp's polymorphism, encryption and general clever nastiness make it extremely difficult to detect, while in fact some of its techniques, including using PSExec to spread http://www.sophos.com/blogs/sophoslabs/v/post/5734 and IE code injection http://www.sophos.com/blogs/sophoslabs/v/post/5289 , actually make it easier to spot.

No, I'm certainly not saying there's no problem and nothing to worry about, far from it. In fact I'm suggesting people should protect themselves accordingly. Malware like this can be detected and stopped using many different techniques, and the two I mentioned allow a great many different variants of Clomp to be detected and stopped. And even while at Sophos we'll aim to detect all future variants of Clomp proactively as Mal/Clomp-A using Behavioral Genotypes, these are classic examples of why static detection doesn't tell the whole story.

As for 200,000+ strains, again this is where these proactive technologies can help. In fact AV-Test.org alone has more than 22 million individual samples - yes, a great many of these will be members of the same families, but again it shows why proactive detection and a layered defense are really important. More on that story at http://www.sophos.com/blogs/gc/g/2009/07/24/avtestorgs-malware-count-exceeds-22-million/ .

Posted by: RichardCohen_Sophos | August 6, 2009 1:42 PM


© 2010 The Washington Post Company