Researcher reveals massive 'professional thieving' botnet

Ultra-stealthy Clampi Trojan snags 'tremendous' amount of financial info, money

A ferocious piece of malware that's infected up to a million PCs is stealing a "tremendous" amount of financial information from consumers and businesses that log on to their bank, stock broker, credit card, insurance, job hunting and favorite e-shopping sites, a noted botnet researcher said today.

"Clampi is the most professional thieving pieces of malware I've ever seen," said Joe Stewart, director of malware research for SecureWorks' counter-threat unit. "We know of few others that are this sophisticated and wide-ranging. It's having a real impact on users."

The Clampi Trojan horse has infected anywhere between 100,000 and 1 million Windows PCs, said Stewart -- "We don't have a good way of counting at this point," he acknowledged -- and targets the user credentials of 4,500 Web sites.

That's an astounding number, said Stewart, who has identified 1,400 of the 4,500 total. "There are plenty of other banking Trojans out there, but they usually target just 20 or 30 sites."

Hackers sneak Clampi onto PCs by duping a user into opening an e-mailed file attachment or by using a multi-exploit toolkit that tries attack code for several different Windows vulnerabilities, Stewart said. Once on a machine, the Trojan monitors Web sessions, and if the PC owner browses to one of the 4,500 sites, it captures usernames, passwords, PINs and other personal information used to log on to those sites, or to fill out forms.

Periodically, Clampi "phones home" the hijacked information to a command-and-control server run by the hackers, who then empty bank or broker accounts, purchase goods using stolen credit card information or simply compile it for future use, said Stewart.

Although that describes most key-logging or spying malware, Stewart said Clampi is different, both because of the obvious scale of its operation and because of the multiple layers of encryption and deception used by its makers to cloak the attack code and make it nearly impossible for researchers to investigate its workings.

Stewart started tracking Clampi in 2007, but began an intensive examination earlier this year. "The packing that Clampi uses is very sophisticated, and makes it really, really difficult to reverse engineer, said Stewart. "I'd say this is the most difficult piece of malware I've ever seen to reverse engineer." Security researchers often will reverse engineer malware -- pulling it apart to try to decipher how it works -- during their investigations.

"They're using virtual machine-based packers that lets them take code from a virtual CPU instruction set, so that the next time it's packed, it's completely different," said Stewart. "You can't look at Clampi with a conventional tool, like a debugger. It's a real mess to follow, frankly."

The Trojan also encrypts the traffic between hijacked systems and the botnet command-and-control server using multiple methods, said Stewart. Not only is the network communications traffic encrypted in 448-bit blowfish encryption, but the strings inside the attack code binaries are also encrypted. Clampi also uses another unusual tactic to hide from antivirus scanners; its modules -- there are anywhere from four to seven different pieces of the malware -- are stored as encrypted "blobs" in the Windows registry.

The sheer scope of the Clampi operation also separates it from run-of-the-mill financial malware, Stewart argued. "They're targeting not just banking sites, but a wide variety of sites where people put in credentials that help them steal money somehow," said Stewart. Among the 1,400 site he has identified are military information portals, mortgage, insurance, online casino, utility advertising networks and news sites. The sites are hosted in 70 different countries.

"That, in itself, speaks to a vast operation on the back end," Stewart said.

It's impossible to say for certain, but all clues point to Russia or Eastern Europe as the base for the criminal gang riding herd on the Clampi botnet. "It looks like it's just one group behind it," said Stewart. "We don't see [chatter about it] on the usual underground forums, which is one reason why there's little or no coverage about Clampi up till now. It's very closely held, and the group is very secretive."

In fact, Stewart held out little hope of nailing the criminals behind Clampi. The command-and-control servers they use to direct the hijacked PCs -- and to receive the stolen usernames and passwords -- are not hosted by a commercial hosting service, but instead are hidden within individual compromised PCs. "I don't think we'll ever get the command-and-control servers," Stewart admitted.

One victim of a Clampi infection, and resulting theft, that has come forward is Slack Auto Parts, in Gainesville, Ga., which was robbed of nearly $US75,000, according to a story last week in the Washington Post. The co-owner of the company, Henry Slack, told the newspaper that the malware ripped off log-on information for the firm's bank accounts, then managed to move the money to multiple money "mules" across the U.S.

Clampi had been on a Slack PC for more than a year before the bot's controllers used the information gathered to pillage the company's bank account.

One way for businesses -- and users -- to stymie this ultra-stealthy Trojan, said Stewart, is to do any financial tasks on an isolated, dumbed-down PC that is used only to connect to banks, brokers and the like. That advice works because Clampi spreads most efficiently on company networks. If it manages to infect one PC inside an organization, it uses a Windows SysInternals tool dubbed "PsExec" made by Microsoft to copy the Trojan to all the machines on the domain.

"Clampi can spread across Microsoft networks in a worm-like fashion," said Stewart. "Forget things like Conficker. You'd better rank this [botnet] up there right at the top."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags botnetsclampi trojantrojanmalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?