Hundreds of thousands of Windows computers are believed to be infected with a Trojan called Clampi, which has been stealing banking and other log-in credentials from compromised PCs since 2007, a security researcher said on the eve of the Black Hat security conference in Las Vegas.
Clampi, also known as Ligats, Ilomo or Rscan, infects computers in drive-by downloads when people visit websites hosting malicious code that exploits vulnerabilities in browser plug-ins Flash and ActiveX, said Joe Stewart, director of malware research for the counter threat unit of SecureWorks.
When the infected computer is used to access a targeted banking or other site, the log-in and other information is stolen.
Clampi has spread quickly through Microsoft-based networks in a worm-like fashion in recent months, Stewart said. It uses domain administrator credentials that were either stolen by the Trojan or based on an administrator logging into an infected system. It then uses a Windows executable SysInternals tool — psexec — to copy itself to all the computers on the domain, he said.
Clampi also serves as a proxy server for criminals to make their activity anonymous when logging into stolen accounts.
Stewart has identified 1,400 websites in 70 countries out of 4,500 sites being targeted by the attack. The sites include banks, credit card companies, online casinos, retail sites, utilities, ad networks, stock brokerages, mortgage lenders and government and military portals.
Based on the techniques used, Stewart said criminals in eastern Europe are believed to be behind Clampi.
Read this
Feature: Cracking open the cybercrime economy
Hacking for fun has evolved into hacking for profit, and created a business model that is nearly as sophisticated as that of legal software
Because it can take days or weeks to get a sample of the latest version of the Trojan, antivirus protection is often delayed, arriving after a PC is already infected, according to Stewart.
"This type of Trojan, banking Trojans in general, are the biggest threat to home computer users and businesses doing banking online," he said. "You can't rely on antivirus. At some point, you are going to visit the wrong site and they'll get a Trojan on your computer."
The Trojan uses three types of encryption and sophisticated virtual machine-based packing technology to disguise itself when compromising antivirus filters, according to Stewart.
SecureWorks' intrusion prevention software does not stop PCs from becoming infected, but it prevents the stealing of the data by blocking encrypted traffic it deems suspicious, he said.
Stewart recommends consumer and business web surfers use a dedicated computer for their banking and other sensitive financial online activities, separate from the one where email is accessed and web surfing is done. People should be careful using removable drives on those isolated computers, as Trojans can also spread in that way.
By now, the criminals "probably have way more accounts than they can actually clean out," Stewart said.
Even so, losses from Clampi are starting to be publicised. The Trojan was behind the theft of nearly $75,000 (£45,500) from Slack Auto Parts in Georgia, according to The Washington Post.
Talkback
This is just one more reason to kill ActiveX for good.
Avoiding IE, at least for the time being is also a good idea.
The day IE no longer has anything to do with ActiveX, will probably be the day that IE can be used with reasonably safely.