Defending against the Clampi Trojan

Joe Stewart, the director of malware research at SecureWorks, gave a rash of interviews yesterday documenting the devious and dangerous Clampi Trojan (also known as Ligats, Ilomo, or Rscan). The articles on the subject discussed his findings on how the Trojan works and what it does. But the focus here is on Defensive Computing rather than news reporting, so I'll describe how to defend yourself from the particularly nasty Clampi Trojan.

The obvious first issue is whether anti-malware software can detect and remove Clampi.

An eWeek article says that Mr. Stewart "noted that most major anti-virus vendors are detecting Clampi variants." But, an article at DarkReading says, "Clampi generally can avoid detection by antivirus software, and it even has the ability to discover which AV software a PC is using and take steps to avoid it..." NetworkWorld quotes Stewart as saying "There is no product you can buy to stop this as a zero-day attack," and then adds that he "felt that antivirus software might eventually detect it and stop it later on your machine."

A Washington Post article told of an infection with Clampi that evaded detection for a year before it woke up and drained the bank accounts of a small business. On the SecureWorks website, an article by Stewart himself says "Most major anti-virus engines should be able to detect Clampi variants..."

Regardless, for Defensive Computing, you should never depend on a single anti-malware program as your sole line of defense. High-value Windows machines should be scanned with 2, 3 or 4 major anti-malware programs.

This does not mean installing multiple applications that each run constantly in the background. Many anti-malware programs are scan-on-demand. That is, they can be installed, but they do nothing until you manually run them. The free version of Malwarebytes' Anti-Malware is one such program. So too is Microsoft's Malicious Software Removal Tool, which I wrote about earlier.

There are also many online antivirus scans that fit the scan-on-demand model and even run without being "installed".

Another option, which I just wrote about, is scanning from outside the infected system, either from another computer on the LAN or by running anti-malware software off a bootable CD.

When it comes to installing multiple constantly-active anti-malware programs, the limit is probably two. Even two can be problematic, though; you always have to be careful that the two are compatible with each other.

Gregg Keizer's article in Computerworld was the only one I saw that mentioned "Hackers sneak Clampi onto PCs by duping a user into opening an e-mailed file attachment..." Not too much to say about this; by now, even Fred Flintstone should know not to open attachments from strangers.

But, as I wrote about recently, you can never trust the FROM address of an email message. Don't use it to judge whether or not to open an attachment. If you were not expecting the attachment, verify the source before opening it. Or, consider opening Microsoft Office files with OpenOffice first.

Many articles mentioned that Clampi can be installed with a drive-by download. Simply put, this means you view a web page and get infected. As Keizer put it, the malware uses "a multi-exploit toolkit that tries attack code for several different Windows vulnerabilities..."

Nothing new here either. Back in February I wrote Defending against drive-by downloads, where I discussed two defensive measures, DropMyRights and Sandboxie. Both prevent the installation of software that you did not specifically request. DropMyRights is the easier approach; Sandboxie takes some effort to get up to speed with, both on the conceptual level and the details. But Sandboxie is worth the effort, since it can offer excellent protection.

Even better is not having known bugs/vulnerabilities on your Windows computer in the first place.

To that end, I'm a big fan of the Secunia Online Inspector. It's not perfect, but Windows users are far better off with a clean bill of health from the Secunia scanner than without it. It is very likely that a scan will find vulnerable software on your computer, especially a full scan.

And, if you are offered the option, sign up for Secunia's email-based alerts. It's a great passive way to learn of security updates to the most popular software.

A number of articles about Clampi mentioned malware spreading on USB flash drives. Back in January, I wrote The best way to disable Autorun for protection from infected USB flash drives and Test your defenses against malicious USB flash drives.

There are two approaches to defending against malware on a USB flash drive: the Microsoft approach and the Nick Brown/Emin Atac approach. The one from Microsoft is a convoluted mess, spaghetti if you will, that only a large corporation could possibly create. I describe the approach documented by Nick Brown. It's simple, elegant and ironclad. The Microsoft approach is just the opposite.
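For readers who want to apply the Nick Brown approach directly, here is an added example (not code from the original post or from Nick Brown's write-up). His method is a single registry key: Windows consults HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping before reading any .ini-style file, so mapping Autorun.inf to a registry location that does not exist makes every Autorun.inf on every drive look empty. The script below sets that key, verifies it, and lists any Autorun.inf files sitting on removable drives so you can inspect them. Run it from an elevated PowerShell prompt; the function names are my own.

```powershell
# Added example: apply and verify the Nick Brown IniFileMapping defence
# against Autorun.inf. Requires an elevated (administrator) PowerShell.
$AutorunInfKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Set-AutorunInfMapping {
    # Windows reads IniFileMapping before opening any .ini-style file.
    # Pointing Autorun.inf at a registry path that does not exist makes
    # every Autorun.inf appear empty, so nothing listed in it is run.
    if (-not (Test-Path $AutorunInfKey)) {
        New-Item -Path $AutorunInfKey -Force | Out-Null
    }
    Set-ItemProperty -Path $AutorunInfKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-AutorunInfMapping {
    # Returns $true only when the key exists and carries the expected value.
    if (-not (Test-Path $AutorunInfKey)) { return $false }
    $value = (Get-ItemProperty -Path $AutorunInfKey).'(default)'
    return ($value -eq '@SYS:DoesNotExist')
}

function Get-RemovableAutorunInf {
    # Lists Autorun.inf files found on removable drives (WMI DriveType 2),
    # so the contents can be inspected before anything is double-clicked.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' |
        ForEach-Object { Join-Path $_.DeviceID 'Autorun.inf' } |
        Where-Object { Test-Path $_ }
}

# Usage: apply the mapping, confirm it took, then look at what is plugged in.
Set-AutorunInfMapping
if (Test-AutorunInfMapping) {
    Write-Host 'Autorun.inf mapping is in place.'
} else {
    Write-Host 'Autorun.inf mapping is NOT in place.'
}
Get-RemovableAutorunInf | ForEach-Object { Write-Host "Found: $_" }
```

Two caveats a practitioner should keep in mind. The mapping is machine-wide and needs administrator rights to set, so it belongs in a build or logon script rather than in a per-user tweak. And it only neutralizes the Autorun.inf mechanism; it does nothing to stop a user who browses to the drive and double-clicks the malware by hand, which is why the scanning advice earlier in this post still applies.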

So, defending against Clampi is nothing new. A pain for sure, but nothing new.

Update July 31, 2009: Added expanded explanation of scanning a high value computer with multiple anti-malware applications.

Copyright © 2009 IDG Communications, Inc.
