Clamping Down on the 'Clampi' Trojan
Finding the notorious Clampi banking Trojan on a computer inside your network is a little like spotting a single termite crawling into a crack in the wall: Chances are, the unwelcome little intruder is part of a much larger infestation.
At least, that's the story told by two businesses which recently discovered Clampi infections, compromises that handed organized cyber gangs the access they needed to steal tens of thousands of dollars.
In early August, attackers used Clampi to swipe the online banking credentials assigned to the Sand Springs Oklahoma School District. The thieves then submitted a series of bogus payroll payments, totaling more than $150,000, to accomplices they had hired throughout the United States.
Sand Springs Superintendent Lloyd Snow said the district has since been able to get about half of those transfers reversed, while the district's bank graciously covered the rest of the loss.
Initially, Snow said, suspicion fell on one school computer on which the Clampi Trojan was indeed found. But a forensic investigation later revealed that a large number of other systems on the board's network also were sickened with Clampi.
"It was all over the whole office complex," Snow said. "Unfortunately, like most schools, we need about three times the number of people in our IT department than we have now."
Clampi is known for its stealth and sophistication: Indeed, Joe Stewart, a noted computer security researcher for Atlanta-based SecureWorks, recently published a paper calling it "one of the largest and most professional thieving operations on the Internet."
Less well-known, however, is its ability to spread. Unlike computer viruses and worms, most Trojans cannot spread on their own. Technically, Clampi can't either, but it often downloads a legitimate Microsoft remote control utility called PsExec, which it uses to seek out new hosts on a compromised network.
Clampi also struck multiple computers at a dermatologist's office in Michigan last month. The company's owner asked Security Fix not to publish his name or that of his company, so as not to frighten existing and future patients about the security of their health data.
On Aug. 26, the doctor discovered that criminals had stolen $40,000 from his company and transferred the funds in sub-$10,000 increments to five co-conspirators around the country. The dermatologist later found Clampi on four machines on his small office network.
"PsExec was one of the hints that we had a problem, as we were going over our application logs and saw this program being implemented across the network," the doctor said, noting that his firm has recovered just $12,000 of the stolen funds. "A little knowledge about this might prevent someone else from going through this same event."
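The log review the doctor describes, and the PsExec spreading behavior noted above, can be turned into a simple check. This Python script is an added example (not from the original post, SecureWorks, or the victims) that scans a constructed text export of Windows System log entries for Event ID 7045 installations of PsExec's default service, PSEXESVC, and raises an alert when that service lands on several hosts within a short window. The export format, host names and timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data) of System log entries exported as text.
# Assumed line format: "<ISO timestamp> <host> <EventID> <message>"
SAMPLE_LOG = """\
2009-08-20T09:12:03 WS-FRONT01 7045 A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe
2009-08-20T09:12:41 WS-BILLING 7045 A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe
2009-08-20T09:13:10 WS-EXAM02 7045 A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe
2009-08-20T10:30:00 WS-FRONT01 7036 The Print Spooler service entered the running state.
2009-08-21T14:05:55 WS-ADMIN 7045 A service was installed in the system. Service Name: BackupAgent Service File Name: C:\\Program Files\\Backup\\agent.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")
SERVICE_RE = re.compile(r"Service Name: (\S+)")

def parse_events(text):
    """Yield (timestamp, host, event_id, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, eid, msg = m.groups()
            yield datetime.fromisoformat(ts), host, int(eid), msg

def psexec_installs(text):
    """Return (timestamp, host) for every 7045 event installing the PsExec service.
    7045 is the Service Control Manager 'a service was installed' event."""
    hits = []
    for ts, host, eid, msg in parse_events(text):
        if eid != 7045:
            continue
        sm = SERVICE_RE.search(msg)
        if sm and sm.group(1).upper() == "PSEXESVC":
            hits.append((ts, host))
    return hits

def lateral_spread_alerts(text, window=timedelta(minutes=15), min_hosts=2):
    """Group PsExec installs into time windows; alert when the service appears on
    min_hosts or more distinct hosts inside one window, the pattern produced by
    a Trojan pushing itself across the LAN rather than one admin on one box."""
    hits = sorted(psexec_installs(text))
    alerts = []
    i = 0
    while i < len(hits):
        start = hits[i][0]
        hosts = {h for t, h in hits if start <= t < start + window}
        if len(hosts) >= min_hosts:
            alerts.append((start, sorted(hosts)))
        # Advance past every hit that fell inside this window.
        i = next((k for k, (t, _) in enumerate(hits) if t >= start + window), len(hits))
    return alerts
```

The service name is configurable (PsExec's -r switch), so in practice treat any unexpected 7045 event as worth a look, not only ones naming PSEXESVC.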
How to Protect Against Clampi? Read on after the jump.
SecureWorks' advice comes very close to the tips I gave readers in a related blog post earlier this week. Their advice?
Most major anti-virus engines should be able to detect Clampi variants; however, there is always a delay between a new Trojan release and the detection time. Given the prevalence and seriousness of the Clampi Trojan, it is recommended that businesses adopt a strategy to isolate workstations where banking/financial transactions are carried out from possible Clampi or other data-stealing Trojan infections.
This may include using a dedicated workstation for accessing financial accounts which is isolated from the rest of the local network and the Internet except for the specific financial sites required to be accessed. Since Trojans can also be spread using removable drives, systems should be hardened against autorun-type threats. Businesses may even consider using an alternative operating system for workstations accessing sensitive or financial accounts.
For Home Users:
SecureWorks recommends that home computer users use a computer dedicated only to doing their online banking and bill pay. They should not use that computer to surf the web and send and receive e-mail, since web exploits and malicious e-mail are two of the key malware infection vectors.
September 11, 2009; 6:59 AM ET
Categories: Fraud , From the Bunker , Latest Warnings , Safety Tips , Small Business Victims | Tags: clampi, money mules