Researchers find financial-plundering botnet monster

A ferocious piece of malware that has infected up to a million PCs is stealing a "tremendous" amount of financial information, it has been claimed.

The data is being stolen from consumers and businesses that log on to their bank, stock broker, credit card, insurance, job hunting and favourite e-shopping sites, a noted botnet researcher said today.

The Clampi Trojan, an elusive piece of malware that uses encryption to hide its data-stealing activities, has infected anywhere between 100,000 and 1 million Windows PCs, said Joe Stewart, director of malware research for SecureWorks' counter-threat unit. "We don't have a good way of counting at this point," he acknowledged.

"Clampi is the most professional thieving piece of malware I've ever seen," said Stewart. "We know of few others that are this sophisticated and wide-ranging. It's having a real impact on users."

"We've been able to get through the layers of encryption in Clampi," said Stewart.

Clampi is collecting data associated with about 4,600 websites, such as banks and other financial institutions targeted by criminal networks.

What's more, Clampi "is going after utilities, market research firms, online casinos and career sites," Stewart said, in a broad sweep to grab personally identifiable information, such as credentials and account information, that might be of use to criminals for financial gain.

Clampi, also known as Ligats, Ilomo or Rscan, uses the PsExec tool to spread across Windows networks in a worm-like fashion, copying itself to other machines and running it there with stolen administrator credentials.
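PsExec-style spreading leaves a recognisable footprint on each machine it reaches: a network logon, a write of the service binary into the target's ADMIN$ share (the Windows directory), and a "service installed" event (System log ID 7045) for a service that, by default, is named PSEXESVC. The detector below is an added example, not code from the article or from SecureWorks. It scans constructed, simplified event-log records (the `key=value|...` format is an assumption for this example; real EVTX, Sysmon or SIEM exports differ) and flags both the default service name and the renamed variant, since PsExec's `-r` option lets an attacker pick a different service name, which the article's "worm-like" use would be free to do.

```python
"""Flag PsExec-style lateral movement in Windows event-log records.

Added example (not the article's or SecureWorks' code). Artifacts checked:
  * System 7045  "A service was installed": service name PSEXESVC, or a
    binary installed straight out of the Windows directory (where the
    ADMIN$ share lands) right after that binary was written via ADMIN$
  * Security 5145 share access to ADMIN$ writing <name>.exe, which also
    gives the source address to attribute the install to
The record format is an assumption for this example.
"""
import re
from collections import defaultdict

# Constructed sample records: hostnames, addresses, users and times are made up.
SAMPLE_LOG = r"""
ts=2009-07-22T09:14:02|host=WS-017|log=Security|event=4624|logon_type=3|user=CORP\jdoe|src_ip=10.0.4.21
ts=2009-07-22T09:14:03|host=WS-017|log=Security|event=5145|share=\\*\ADMIN$|target=PSEXESVC.exe|access=WriteData|src_ip=10.0.4.21
ts=2009-07-22T09:14:03|host=WS-017|log=System|event=7045|service=PSEXESVC|image=%SystemRoot%\PSEXESVC.exe|start=demand
ts=2009-07-22T09:20:11|host=WS-017|log=System|event=7045|service=Spooler2|image=C:\Program Files\Vendor\svc.exe|start=auto
ts=2009-07-22T09:31:45|host=FS-02|log=Security|event=4624|logon_type=3|user=CORP\jdoe|src_ip=10.0.4.21
ts=2009-07-22T09:31:46|host=FS-02|log=Security|event=5145|share=\\*\ADMIN$|target=xk9a2.exe|access=WriteData|src_ip=10.0.4.21
ts=2009-07-22T09:31:46|host=FS-02|log=System|event=7045|service=xk9a2|image=%SystemRoot%\xk9a2.exe|start=demand
"""

PSEXEC_SERVICE = re.compile(r"^psexesvc$", re.I)
# PsExec drops its service binary into the remote ADMIN$ share, i.e. the
# Windows directory itself, never a subdirectory under it.
WINDIR_ROOT = re.compile(r"^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.I)


def parse_records(text):
    """Turn the simplified 'k=v|k=v' lines into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if line.strip():
            records.append(dict(field.split("=", 1) for field in line.split("|")))
    return records


def detect_psexec(text):
    """Return one finding per service install that looks like PsExec."""
    records = parse_records(text)

    # Index ADMIN$ writes per host so a service install can be tied to the
    # remote copy that preceded it and to the source address that did it.
    admin_writes = defaultdict(dict)  # host -> lowercase basename -> src_ip
    for r in records:
        if r.get("event") == "5145" and r.get("share", "").upper().endswith("ADMIN$"):
            admin_writes[r["host"]][r["target"].lower()] = r.get("src_ip", "?")

    findings = []
    for r in records:
        if r.get("event") != "7045":
            continue
        image = r.get("image", "")
        basename = image.rsplit("\\", 1)[-1].lower()
        src = admin_writes[r["host"]].get(basename)

        if PSEXEC_SERVICE.match(r.get("service", "")):
            reason = "default PsExec service name PSEXESVC"
        elif WINDIR_ROOT.match(image) and src is not None:
            reason = "renamed PsExec-style service: binary copied via ADMIN$ then installed"
        else:
            continue  # ordinary service install (vendor path, no ADMIN$ copy)

        findings.append({
            "ts": r["ts"], "host": r["host"], "service": r["service"],
            "src_ip": src or "?", "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_psexec(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the detector reports the PSEXESVC install on WS-017 and the renamed `xk9a2` install on FS-02, both attributed to 10.0.4.21, and ignores the vendor service on WS-017. Tying the 7045 event to a preceding ADMIN$ write is what keeps the renamed case from being a blind "any service in the Windows directory" rule.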

So far, the analysis by SecureWorks has identified 1,400 specific sites in 70 countries out of the 4,600 or so total sites the Clampi Trojan appears programmed to monitor once it has infected a victim's Windows-based machine.

Hackers sneak Clampi onto PCs by duping a user into opening an e-mailed file attachment or by using a multi-exploit toolkit that tries attack code for several different Windows vulnerabilities, Stewart said. But Clampi's main way of spreading is through drive-by downloads when a user visits a Web site that has been compromised by attackers.

Some of these sites are trusted as legitimate by Web visitors, but the site itself has been compromised, often because the webmaster's or network manager's credentials for it have been stolen and the attacker has simply uploaded the code that triggers the Clampi drive-by download.

Once on a machine, the Trojan monitors Web sessions, and if the PC owner browses to one of the roughly 4,600 sites, it captures usernames, passwords, PINs and other personal information used to log on to those sites or to fill out forms.

The design of the Clampi Trojan, which was first spotted in 2007, reveals its creator "has gone out and methodically figured out a lot about these sites," Stewart says.

He says the 4,600 figure is enormous compared with what is usually found in Trojans designed to steal financial data from victims conducting transactions online. Most Trojans of this sort, such as Zeus, target no more than about 30 banks.

As a botnet, it is sweeping up victims' sensitive personal data and sending it back through a set of command-and-control servers to cybercriminals. Clampi seems to have picked up speed in its spread since July and may be the Trojan used in a cybertheft scam that hit Gainesville, Ga.-based Slack Auto Parts earlier this month.

Clampi's command-and-control traffic is encrypted with 448-bit Blowfish, using a randomly generated session key that the bot sends to the control server under 2,048-bit RSA encryption. Because that session key must exist in clear on the infected machine, SecureWorks got through the encryption layer by intercepting it on a test system and using it to decrypt the captured network traffic. This allowed the security firm to examine the list of Web sites targeted by a module that is part of Clampi.

Stewart said all clues point to Russia or Eastern Europe as the base for the criminal gang riding herd on the Clampi botnet. "It looks like it's just one group behind it," said Stewart. "We don't see [chatter about it] on the usual underground forums, which is one reason why there's little or no coverage about Clampi up till now. It's very closely held, and the group is very secretive."

"There is no product you can buy to stop this as a zero-day attack," Stewart says, though he added that antivirus software might eventually detect it and stop it later on your machine.

He recommended IT managers find a way to use a "separate system" to conduct financial transactions, one that is not the same system you might use to browse the Internet. That would lower the risk of being infected by the Clampi Trojan.