Inside the Jaws of Trojan.Clampi

Created: 25 Sep 2009 16:45:01 GMT • Updated: 23 Jan 2014 18:32:35 GMT

It’s well known that malware is growing more sophisticated, but few threats have had us scratching our heads like Trojan.Clampi. In order to remove the mystery around this threat, Security Response will be publishing a series of blogs talking about various aspects of Clampi. As an introduction, we’d like to present a brief overview of the threat.

Trojan.Clampi has been around for a number of years now. During this time it has gone through many iterations, changing its code to avoid detection and to make analysis difficult for researchers.

From our analysis it seems that Clampi has mainly affected machines in the US. Clampi infection rates seem to be skewed towards countries where English is the primary language. This may indicate that the first infections were the result of malicious drive-by attacks on English-language websites. The five regions with the highest rates of new infections over the last two weeks are:

  1. North America
  2. Great Britain
  3. Canada
  4. New Zealand
  5. Mexico

The following graph shows the trend in Clampi detections over the last year. There are two notable spikes which correspond to the release of updates to this Trojan. The variant released on July 15, 2009 is what we are currently seeing in the wild.

[Graph: trend in Clampi detections over the last year]

The next graph shows the geographical distribution of this threat over the last two weeks:

[Graph: geographical distribution of Clampi detections over the last two weeks]

Clampi uses a commercial utility to help prevent analysis of its code. This utility is supposed to be used to protect intellectual property by making it extremely difficult to analyze and subsequently crack copyrighted software. The techniques used to prevent analysis include:

  • Executable code virtualization (built-in virtual machine)
  • Packing
  • Encryption

The combination of these techniques makes it very difficult and time-consuming to get at the underlying code to see exactly what it is doing. This also makes it difficult to create detection for malware protected in this way. Symantec products detect all known variants as either Trojan.Clampi or Trojan.Clampi!gen. The first sets of definitions to detect these were:

Functionally, Clampi appears to be quite versatile. It has the capability to download arbitrary binaries that are then stored in the registry and loaded straight to memory, avoiding traditional antivirus scanning techniques that scan files on disk. It remains active on the network, connecting back to a server and waiting for commands. Clampi also has the ability to spread to other machines on the network through network shares—this feature is the reason we are seeing such widespread infections.
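One defender-side check for the behaviour just described, binaries parked in registry values and loaded straight into memory rather than written to disk, is to look for registry data that carries a PE image. The following is an added example, not Symantec's or Clampi's code; the registry paths and values are constructed for the demonstration.

```python
import struct


def _fake_pe(size=4096):
    """Build a constructed PE-shaped blob: 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew at offset 0x3C
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed sample registry values as (key path, value name, raw data).
# The paths and names are placeholders, not real Clampi artifacts.
SAMPLE_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater", b"C:\\Windows\\notepad.exe"),
    (r"HKCU\Software\Example\Settings", "Blob", _fake_pe()),
    (r"HKCU\Software\Example\Settings", "Small", b"MZ\x90\x00"),
]


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at a valid 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):  # header points outside the blob: not a usable image
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_executables(values, min_size=1024):
    """Return (key, name, size) for every registry value that holds a PE image of at least min_size bytes."""
    hits = []
    for key, name, data in values:
        if isinstance(data, bytes) and len(data) >= min_size and looks_like_pe(data):
            hits.append((key, name, len(data)))
    return hits


if __name__ == "__main__":
    for key, name, size in find_embedded_executables(SAMPLE_VALUES):
        print(f"PE image stored in registry value {key}\\{name} ({size} bytes)")
```

On a live Windows host the tuples would come from walking the hives with the standard-library `winreg` module; the sample values here stand in for that enumeration.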

All communications are encrypted using the Blowfish algorithm created by Bruce Schneier. Without knowing the keys, decrypting this information may be impossible in a reasonable time. There is also evidence that points to Clampi functioning as a backdoor. So far the motivation behind Clampi appears to be financial. It has the ability to steal login credentials for online banking sites, something we have observed in a controlled lab environment. In one case we saw attempts to inject JavaScript into a well-known banking site in an attempt to steal login details. Given this functionality, its modular nature, and the variety of functions seen to date, it’s also possible that Clampi may be a botnet for hire.

As the layers of protection are peeled away we gain more insight into what this threat is doing and what it is capable of. The analysis also raises more questions but one thing remains clear—this is a very interesting threat. We hope you’ll enjoy the coming articles which will explore this threat.

Next: Inside Trojan.Clampi: Network Communication
