Clampi Trojan: The Rise of Matryoshka Malware
Last week, Security Fix told the online banking saga of Slack Auto Parts, a company in Georgia that lost nearly $75,000 at the hands of an extremely sophisticated malicious software family known as "Clampi". I only mentioned the malware in passing, but it deserves a closer look: Research released this week by a top malware analyst suggests that Clampi is among the stealthiest and most pervasive threats to Microsoft Windows systems today.
Joe Stewart, director of malware research for the Counter Threat Unit at computer security firm SecureWorks, said Clampi appears to have spread to hundreds of thousands of Windows systems since its debut in 2007. Unlike other malware families designed to steal credentials -- which are frequently sold and used among the larger cyber criminal community -- Stewart said Clampi appears to be the ever-evolving weapon of a single organized crime group operating out of Eastern Europe that has been implicated in numerous high-dollar thefts from banking institutions.
It is not unusual for malware authors to obfuscate various components that are nested inside one another like so many Matryoshka dolls, all in a bid to stymie researchers and anti-virus companies. But Stewart said the criminals behind Clampi have encrypted or obfuscated nearly every aspect of the malware -- including the lists of e-commerce sites targeted, the data stolen, and Clampi's various feature plug-ins -- multiple times, and with very strong encryption (Matryoshka Mafia image courtesy FreakingNews.com).
Typically, password-stealing Trojans contain a list of a few dozen banking institutions that the malware will look to steal data from if the victim visits those sites. But according to Stewart, Clampi's authors aren't just targeting banking sites.
"They are targeting institutions where users may enter data that might be useful in stealing money, such as utilities, retail, online casinos, banking, insurance, accounting services, credit bureaus," Stewart said.
Stewart says Clampi is targeting credentials from some 4,600 Web sites, though so far he says he's only been able to identify about 1,400 of those. The list below gives the reader some idea of the breadth of sites targeted by this malware:
Market research databases
Credit card companies
Wire transfer services
Foreign Postal Services (Non-US)
Military/Government information portals
Various News blogs
File upload sites
According to Stewart, the information stolen by Clampi is sent from the victim PC to a Web server controlled by the attackers, encrypted under a randomly generated session key that is itself protected with 2048-bit RSA encryption. The point is to keep the stolen data opaque in transit, so that in theory only the attackers, who hold the matching private key, can read it.
"On top of that, they're using 448-bit Blowfish encryption," Stewart said [fans of the TV drama "24" may recall hearing the show's star Jack Bauer talking about trying to crack bad-guy communications encrypted with Blowfish].
"It's virtually uncrackable in any time frame we could possibly look at," Stewart said. "It's difficult to understand what it does given all this advanced packing and encryption. This is by far the hardest thing I've ever had to reverse engineer."
Stewart said Clampi also makes it easy for attackers to log into the victim's bank account by tunneling back through that victim's PC, a tactic that could defeat some bank Web site security features that raise alarms when a customer logs in from an unusual Internet address. This feature is remarkably similar to a password stealing Trojan known as Zeus. In fact, earlier this month I wrote about Bullitt County, Kentucky, which lost $415,000 when hackers using Zeus's connect-back feature tunneled through the local treasurer's machine to log into the county's bank account.
Most Trojans can't spread on their own, but Clampi can, and does: it uses a legitimate Windows program called "psexec" to try to spread to other systems on a network once it has gained a foothold on one PC. In fact, the latest writeup on Clampi from Symantec says the anti-virus vendor has observed an increase in the number of Clampi infections since July 1, possibly due to this spreading capability.
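The spreading behavior described above leaves a trace that defenders can look for: each PsExec-style remote execution installs a Windows service on the target host, which the System log records as Event ID 7045 ("A service was installed in the system"), and a worm-like spread produces a burst of such installs across many hosts in a short time. The following is an added example, not code from the article, from SecureWorks or from Symantec; it runs two detection rules over a few constructed sample records in a simplified JSON-per-line shape (not a real Windows log export). The stock PsExec service name PSEXESVC is real, but the hosts, account names, the renamed service "upd8svc" and the timestamps are invented for the example, and the exact service name Clampi's copy of psexec uses is not stated on the page.

```python
"""Detect PsExec-style lateral movement from Windows 'service installed' events."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not a real Windows log export): one JSON object per line,
# modelled on System log Event ID 7045. Hosts, accounts and times are made up.
# The third and fourth records mimic a renamed PsExec service, which rule 1 misses
# but rule 2 still catches; the 7036 record is noise (service state change).
SAMPLE_LOG = r"""
{"ts": "2009-07-30T14:02:11", "host": "WS-ACCT-01", "event_id": 7045, "account": "CORP\\jdoe", "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"}
{"ts": "2009-07-30T14:02:40", "host": "WS-ACCT-02", "event_id": 7045, "account": "CORP\\jdoe", "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"}
{"ts": "2009-07-30T14:03:05", "host": "WS-ACCT-03", "event_id": 7045, "account": "CORP\\jdoe", "service": "upd8svc", "image": "%SystemRoot%\\upd8svc.exe"}
{"ts": "2009-07-30T14:03:30", "host": "WS-ACCT-04", "event_id": 7045, "account": "CORP\\jdoe", "service": "upd8svc", "image": "%SystemRoot%\\upd8svc.exe"}
{"ts": "2009-07-30T09:15:00", "host": "SRV-PRINT", "event_id": 7045, "account": "CORP\\svc_deploy", "service": "Spooler", "image": "%SystemRoot%\\System32\\spoolsv.exe"}
{"ts": "2009-07-30T14:05:00", "host": "WS-ACCT-01", "event_id": 7036, "account": "", "service": "PSEXESVC", "image": ""}
"""

# Default service name installed by Sysinternals PsExec (can be renamed by the operator).
KNOWN_PSEXEC_SERVICE = "PSEXESVC"


def parse_events(text):
    """Parse one JSON record per line into dicts; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def flag_known_psexec(events):
    """Rule 1 (signature): a 7045 event installing the stock PsExec service name.
    Cheap and precise, but a renamed service evades it."""
    hits = {(e["host"], e["service"]) for e in events
            if e["event_id"] == 7045 and e["service"].upper() == KNOWN_PSEXEC_SERVICE}
    return sorted(hits)


def detect_spread(events, window=timedelta(minutes=10), min_hosts=3):
    """Rule 2 (behavioural): one account installing services on at least `min_hosts`
    distinct hosts inside `window`, whatever the service is called. This is the
    pattern a self-spreading infection produces and it survives renaming."""
    installs = defaultdict(list)
    for e in events:
        if e["event_id"] == 7045 and e["account"]:
            installs[e["account"]].append(e)
    alerts = []
    for account, evs in installs.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append((account, tuple(sorted(hosts))))
                break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("known PsExec service installs:", flag_known_psexec(evs))
    print("spread alerts:", detect_spread(evs))
```

Rule 2 is the one worth tuning for a real environment: legitimate software deployment accounts will trip it, so either exclude those accounts or raise the threshold for them, and keep rule 1 as a high-confidence signal for the unrenamed case.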
Stewart said the sophistication and stealth of this malware strain has become so bad that it's time for Windows users to start thinking of doing their banking and other sensitive transactions on a dedicated system that is not used for everyday Web surfing.
This isn't such a radical idea, if you own a Mac or just have a spare computer lying around. If you want true peace of mind while conducting sensitive transactions online, grab a copy of a bootable, live Linux installation like Knoppix or Ubuntu Live, burn it to a CD-Rom, boot the spare system up into that operating system, and do your online banking from there.
Stewart's writeup on Clampi is available here.
July 30, 2009; 3:06 PM ET
Categories: Fraud , From the Bunker , Latest Warnings , Small Business Victims | Tags: clampi, matryoshka malware