Clamping Down on the 'Clampi' Trojan

Finding the notorious Clampi banking Trojan on a computer inside your network is a little like spotting a single termite crawling into a crack in the wall: Chances are, the unwelcome little intruder is part of a much larger infestation.

At least, that's the story told by two organizations that recently discovered Clampi infections, compromises that handed organized cyber gangs the access they needed to steal tens of thousands of dollars.

In early August, attackers used Clampi to swipe the online banking credentials assigned to the Sand Springs Oklahoma School District. The thieves then submitted a series of bogus payroll payments, totaling more than $150,000, to accomplices they had hired throughout the United States.

Sand Springs Superintendent Lloyd Snow said the district has since been able to get about half of those transfers reversed, while the district's bank graciously covered the rest of the loss.

Initially, Snow said, suspicion fell on one school computer on which the Clampi Trojan was indeed found. But a forensic investigation later revealed that a large number of other systems on the board's network also were sickened with Clampi.

"It was all over the whole office complex," Snow said. "Unfortunately, like most schools, we need about three times the number of people in our IT department than we have now."

Clampi is known for its stealth and sophistication: Indeed, Joe Stewart, a noted computer security researcher for Atlanta-based SecureWorks, recently published a paper calling it "one of the largest and most professional thieving operations on the Internet."

Less well-known, however, is its ability to spread. Unlike computer viruses and worms, most Trojans cannot spread on their own. Technically, Clampi can't either, but it often downloads PsExec, a legitimate Microsoft Sysinternals remote-execution utility, and uses it to copy and launch itself on other hosts it can reach on the compromised network. PsExec only works where the current user already has administrative rights on the target machine, so one infected PC that a domain administrator logs into is enough to seed the rest of the domain.

Clampi also struck multiple computers at a dermatologist's office in Michigan last month. The company's owner asked Security Fix not to publish his name or that of his company, so as not to frighten existing and future patients about the security of their health data.

On Aug. 26, the doctor discovered that criminals had stolen $40,000 from his company and transferred the funds in sub-$10,000 increments to five co-conspirators around the country. The dermatologist later found Clampi on four machines on his small office network.

"PsExec was one of the hints that we had a problem, as we were going over our application logs and saw this program being implemented across the network," the doctor said, noting that his firm has recovered just $12,000 of the stolen funds. "A little knowledge about this might prevent someone else from going through this same event."
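The PsExec trail the doctor noticed is something a small shop can hunt for deliberately. What follows is an added example written for this post; it is not code from the article, from SecureWorks' analysis, or from Sysinternals. PsExec copies its service binary, PSEXESVC.exe, into the target's ADMIN$ share (the Windows directory) and registers a service named PSEXESVC (the -r switch renames it), and on Windows Vista and later the Service Control Manager logs that install in the System log as event ID 7045. The script below reads exported System log records, picks out those installs, and flags the pattern the doctor saw: the same service landing on several hosts within minutes. The record layout (host, time, event_id, message columns), the host names, and the log entries are constructed for the demo, and the "unknown executable sitting in the Windows root" rule is a heuristic of mine, not a documented PsExec signature.

```python
"""Hunt for PsExec service installs in exported Windows System log records.

Added example for this post, not code from the article, SecureWorks, or
Sysinternals.  Input: a list of dicts with host, time (ISO 8601), event_id and
message, an assumed export format.  SAMPLE_RECORDS below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SERVICE_INSTALL_EVENT = 7045  # "A service was installed in the system." (Vista+)

# Field layout of the 7045 message text as Event Viewer renders it.
_INSTALL_RE = re.compile(
    r"Service Name:\s*(?P<name>.+?)\s+"
    r"Service File Name:\s*(?P<path>.+?)\s+"
    r"Service Type:",
    re.S,
)

# Heuristic allow-list (assumption): executables that legitimately live directly
# in the Windows root.  Extend it for your own environment.
KNOWN_ROOT_BINARIES = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe"}


@dataclass(frozen=True)
class ServiceInstall:
    host: str
    when: datetime
    name: str
    path: str

    def looks_like_psexec(self):
        """True for PsExec's default service, or a renamed one dropped in the root."""
        name = self.name.lower()
        path = self.path.lower().replace("%systemroot%", r"c:\windows")
        if "psexesvc" in name or "psexesvc" in path:
            return True
        # PsExec writes its service binary into ADMIN$ (= %SystemRoot%), so a new
        # service whose image is <root>\<something>.exe and not a known system
        # binary deserves a look even after `psexec -r <newname>`.  Heuristic.
        m = re.match(r'^"?[a-z]:\\windows\\([^\\\s"]+\.exe)"?$', path)
        return bool(m) and m.group(1) not in KNOWN_ROOT_BINARIES


def parse_service_installs(records):
    """Turn every well-formed 7045 record into a ServiceInstall."""
    installs = []
    for rec in records:
        if int(rec["event_id"]) != SERVICE_INSTALL_EVENT:
            continue
        m = _INSTALL_RE.search(rec["message"])
        if not m:
            continue  # malformed or truncated message text; skip it
        installs.append(ServiceInstall(rec["host"], datetime.fromisoformat(rec["time"]),
                                       m["name"].strip(), m["path"].strip()))
    return installs


def find_psexec_spread(records, window=timedelta(hours=1)):
    """Return (hits_by_host, spreading).

    hits_by_host maps each host that received a PsExec-looking service to its
    installs; spreading is True when more than one host got one inside `window`,
    the "implemented across the network" pattern from the post.
    """
    hits = sorted((s for s in parse_service_installs(records) if s.looks_like_psexec()),
                  key=lambda s: s.when)
    by_host = defaultdict(list)
    for s in hits:
        by_host[s.host].append(s)
    spreading = any(
        len({s.host for s in hits[i:] if s.when - first.when <= window}) > 1
        for i, first in enumerate(hits))
    return dict(by_host), spreading


def _msg7045(name, path):
    """Constructed 7045 message text in Event Viewer's layout."""
    return ("A service was installed in the system.\r\n\r\n"
            f"Service Name: {name}\r\nService File Name: {path}\r\n"
            "Service Type: user mode service\r\nService Start Type: demand start\r\n"
            "Service Account: LocalSystem")


# Constructed sample: three hosts hit within a minute (one via a renamed
# service), one unrelated install a day later.
SAMPLE_RECORDS = [
    {"host": "FIN-01", "time": "2009-08-24T09:12:03", "event_id": 7045,
     "message": _msg7045("PSEXESVC", r"%SystemRoot%\PSEXESVC.exe")},
    {"host": "FRONTDESK", "time": "2009-08-24T09:12:41", "event_id": 7045,
     "message": _msg7045("PSEXESVC", r"%SystemRoot%\PSEXESVC.exe")},
    {"host": "FRONTDESK", "time": "2009-08-24T09:12:42", "event_id": 7036,
     "message": "The PSEXESVC service entered the running state."},
    {"host": "RECEPTION", "time": "2009-08-24T09:13:10", "event_id": 7045,
     "message": _msg7045("wupdsvc", r"C:\Windows\wupdsvc.exe")},  # psexec -r wupdsvc
    {"host": "DOC-LAPTOP", "time": "2009-08-25T14:00:00", "event_id": 7045,
     "message": _msg7045("VBoxService",
                         r"C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxService.exe")},
]

if __name__ == "__main__":
    hosts, spreading = find_psexec_spread(SAMPLE_RECORDS)
    for host, installs in hosts.items():
        for s in installs:
            print(f"{s.when:%Y-%m-%d %H:%M:%S}  {host:<10} service={s.name} image={s.path}")
    print("lateral spread suspected:", spreading)
```

Treat the output as triage material rather than a verdict: a legitimate administrator uses PsExec too, so the signal that matters is several hosts receiving the service within minutes of one another, as the dermatologist's office saw. On Windows XP-era machines, which do not write event 7045, look instead for PSEXESVC.exe in the Windows directory and for the service's entry under HKLM\SYSTEM\CurrentControlSet\Services.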

How to Protect Against Clampi?

SecureWorks' advice comes very close to the tips I gave readers in a related blog post earlier this week. Their advice?

For Businesses:

Most major anti-virus engines should be able to detect Clampi variants; however, there is always a delay between a new Trojan release and the detection time. Given the prevalence and seriousness of the Clampi Trojan, it is recommended that businesses adopt a strategy to isolate workstations where banking/financial transactions are carried out from possible Clampi or other data-stealing Trojan infections.

This may include using a dedicated workstation for accessing financial accounts which is isolated from the rest of the local network and the Internet except for the specific financial sites required to be accessed. Since Trojans can also be spread using removable drives, systems should be hardened against AutoRun-type threats. Businesses may even consider using an alternative operating system for workstations accessing sensitive or financial accounts.

For Home Users:

SecureWorks recommends that home computer users use a computer dedicated only to doing their online banking and bill pay. They should not use that computer to surf the web and send and receive e-mail, since web exploits and malicious e-mail are two of the key malware infection vectors.

Further reading:

Clampi Trojan: The Rise of Matryoshka Malware

The Growing Threat to Business Banking Online

Cyber Thieves Steal $447,000 From Wrecking Firm

More Business Banking Victims Speak Out

Tighter Security Urged for Businesses Banking Online

Businesses Reluctant to Report Online Banking Fraud

Eastern European Cyber Gangs Target Small U.S. Firms, Group Says

PC Invader Costs Ky. County $415,000

By Brian Krebs  |  September 11, 2009; 6:59 AM ET
Categories:  Fraud , From the Bunker , Latest Warnings , Safety Tips , Small Business Victims  | Tags: clampi, money mules  

Comments

It does look as if we home users are going to have to dedicate a special computer to banking and other activities of that type. What a pity that this is necessary !...

Henri

Posted by: mhenriday | September 11, 2009 8:39 AM

Well, instead of dedicated home computer, how about using a virtual machine to do the banking?
Would that work?

Posted by: edlharris | September 11, 2009 11:27 AM

I've heard in the past that dedicating one browser on a home machine to banking / financial transactions protects against some malware attempts to steal financial records.
Any idea if this technique would defeat Clampi?

Posted by: cyberfool | September 11, 2009 12:21 PM

How about not using Windows for anything potentially dangerous?

Posted by: GWGOLDB | September 11, 2009 12:23 PM

The FBI/FTC needs some "secret shoppers" to intercept the "work at home" offers that are a basic necessity for schemes like this.

Posted by: gannon_dick | September 11, 2009 4:59 PM

Would using a Windows XP or Vista limited user account and Firefox prevent a Clampi infection?

Posted by: Garak | September 12, 2009 8:17 AM

FTA: "Unfortunately, like most schools, we need about three times the number of people in our IT department than we have now."
Perhaps ensuring those already employed are better educated might help.

From the PsExec link in the article;
"PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software."
That in itself sounds like a trojan and if not it is surely a huge blinking sign saying "enter here".

Posted by: spamsux1 | September 12, 2009 1:06 PM

I know that it may be wise to have a second machine dedicated to financial uses, but really, how many people can afford, let alone have space for a second computer. I am about ready to return to paper billing for everything, and pray the businesses I deal with have security that works on their own networks. Somehow, I don't feel optimistic about that. Something needs to be done. What that is I can't say.

Posted by: tojo45 | September 12, 2009 3:54 PM

Tojo45:
Here is a solution that should work for you and will not require you to buy a second computer. It is actually pretty easy to set up. This will make you 100% safe from Clampi, and also make you 99+% safe (relative to Windows) from other viruses and malware.
This link describes in detail how to set up a Unix-based OS (Ubuntu) on your existing Windows computer. After you have installed Ubuntu you will see a menu every time you start up your computer, and you will be able to run either Ubuntu or Windows, negating the need for an additional computer. A very good, very safe, free solution for those who need to do online banking.
The system Ubuntu created is also very cool in that you can simply run Ubuntu from the install CD without actually installing Ubuntu. This allows you to make sure the system will run fine on your hardware (usually not a problem anyway) before you actually install Ubuntu on your system.

https://help.ubuntu.com/community/WindowsDualBoot

Posted by: dfolk1 | September 12, 2009 5:16 PM


In theory a VM could be used to protect against this nonsense - esp if it was running something like Linux in the VM.

If this became a common enough practice, I would expect to see various bits of malware attempting to infect virtual disks.

It might be safer to turn it around: do your "risky" web work in a VM, and keep the host clean, but people probably wouldn't be happy with this option either. I would expect that video playback in a VM wouldn't be as good.

Another possibility is to use removable drives - you keep one in a desk drawer for online banking, and have another one for the rest of the stuff..

Ultimately though I have this feeling that the entirety of the internet is doomed by these sorts of things. The malware gets more and more sophisticated all the time, and the hassle factor for everyday users grows ever larger. Eventually people will throw up their hands and turn off the computer to do something like reading a book or playing cards.


Posted by: jackrussell252521 | September 12, 2009 7:23 PM

'Unfortunately, like most schools, we need about three times the number of people in our IT department than we have now.'

Uh no. They need only one person to make good decisions.

'It does look as if we home users are going to have to dedicate a special computer to banking and other activities of that type. What a pity that this is necessary !...'

No. You need - theoretically - to dedicate a special computer to isolated use for silly reasons with Microsoft Windows. Everything else should be non-Windows.

'Well, instead of dedicated home computer, how about using a virtual machine to do the banking?'

Yes. And that virtual machine means connecting with non-Windows. Why are you keeping Windows?

'How about not using Windows for anything potentially dangerous?'

That's too radical. Anything involving connecting your computer anywhere is potentially dangerous for Windows.

'The FBI/FTC needs some "secret shoppers" to intercept the "work at home" offers that are a basic necessity for schemes like this.'

The FBI/FTC don't need anything. If the FBI can prohibit Windows and if other countries can follow suit then the FBI can sit around all day eating doughnuts.

'Would using a Windows XP or Vista limited user account and Firefox prevent a Clampi infection?'

Oh definitely. Hahahaha. Go for it! LOL

'I know that it may be wise to have a second machine dedicated to financial uses, but really, how many people can afford, let alone have space for a second computer.'

True. And Ubuntu is prohibitively expensive.

'This link describes in detail how to set up a Unix based OS (Ubuntu) on your existing Windows computer.'

Suggestion ignored.

'Another possibility is to use removable drives'

Hysterical. The Internet helps those who help themselves. The Internet will in this regard be going on an extended holiday cruise.

'Ultimately though I have this feeling that the entirety of the internet is doomed by these sorts of things.'

There's nothing wrong with the Internet - only the Windows lusers lusing it.

'Eventually people will throw up their hands and turn off the computer to do something like reading a book or playing cards.'

Or just getting off Windows like everyone else.

http://rixstep.com/2/20090914,00.shtml

Posted by: Rixstep | September 13, 2009 4:23 PM

Guess I'll continue to use my Mac for paying bills and surfing the net. And for photos and movies. Oh, and for everything else.

Posted by: btbeme | September 18, 2009 10:38 AM

I don't think there is any debate that if everyone used Linux or Apple, the bad guys would exploit it equally as well as they do Windows ... but using a minority OS does buy you a lot of safety until that happens. I like the idea of doing my banking from a Linux "Live CD".

Posted by: fredsnertz | September 18, 2009 12:55 PM


© 2010 The Washington Post Company