Researcher reveals massive 'professional thieving' botnet
Ultra-stealthy Clampi Trojan snags 'tremendous' amount of financial info, money
Computerworld - A ferocious piece of malware that's infected up to a million PCs is stealing a "tremendous" amount of financial information from consumers and businesses that log on to their bank, stock broker, credit card, insurance, job hunting and favorite e-shopping sites, a noted botnet researcher said today.
"Clampi is the most professional thieving pieces of malware I've ever seen," said Joe Stewart, director of malware research for SecureWorks' counter-threat unit. "We know of few others that are this sophisticated and wide-ranging. It's having a real impact on users."
The Clampi Trojan horse has infected anywhere between 100,000 and 1 million Windows PCs, said Stewart -- "We don't have a good way of counting at this point," he acknowledged -- and targets the user credentials of 4,500 Web sites.
That's an astounding number, said Stewart, who has identified 1,400 of the 4,500 total. "There are plenty of other banking Trojans out there, but they usually target just 20 or 30 sites."
Hackers sneak Clampi onto PCs by duping a user into opening an e-mailed file attachment or by using a multi-exploit toolkit that tries attack code for several different Windows vulnerabilities, Stewart said. Once on a machine, the Trojan monitors Web sessions, and if the PC owner browses to one of the 4,500 sites, it captures usernames, passwords, PINs and other personal information used to log on to those sites, or to fill out forms.
Periodically, Clampi "phones home" the hijacked information to a command-and-control server run by the hackers, who then empty bank or broker accounts, purchase goods using stolen credit card information or simply compile it for future use, said Stewart.
Although that describes most key-logging or spying malware, Stewart said Clampi is different, both because of the obvious scale of its operation and because of the multiple layers of encryption and deception used by its makers to cloak the attack code and make it nearly impossible for researchers to investigate its workings.
Stewart started tracking Clampi in 2007, but began an intensive examination earlier this year. "The packing that Clampi uses is very sophisticated, and makes it really, really difficult to reverse engineer, said Stewart. "I'd say this is the most difficult piece of malware I've ever seen to reverse engineer." Security researchers often will reverse engineer malware -- pulling it apart to try to decipher how it works -- during their investigations.
"They're using virtual machine-based packers that lets them take code from a virtual CPU instruction set, so that the next time it's packed, it's completely different," said Stewart. "You can't look at Clampi with a conventional tool, like a debugger. It's a real mess to follow, frankly."
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts