
Inside Trojan.Clampi: Network Modules

Created: 23 Oct 2009 08:20:58 GMT • Updated: 23 Jan 2014 18:31:55 GMT
Nicolas Falliere

Today, we’ll discuss the two remaining Clampi modules, which provide replication and traffic relay capabilities. The SOCKS module is very straightforward: it’s a SOCKS proxy server. Normal SOCKS proxy servers act as connection relays and are used for many purposes, such as filtering connections, passing traffic through firewalls, or maintaining anonymity.

The server’s code is injected into an instance of Internet Explorer. It then listens for incoming connections on a random TCP port above 5000. The SOCKS module is activated in response to a control server’s command. The client then sends the port on which the proxy server is listening for inbound connections:

[Image: blog-5-image-1.JPG]

In the above example, the SOCKS server will be listening on port 38329 (which is 0x95B9 in hexadecimal).

Usually, relay servers like this one expect authentication from the user’s side. This one doesn’t, which means that virtually anyone can connect to a compromised computer and have their traffic relayed through it (assuming the target is not hidden behind a NAT), once they find out which port the proxy is listening on.

The remaining module is codenamed SPREAD, and again, its name is self-explanatory. Like the ACCOUNTS module, this module is a dropper for a legitimate software tool that it will use to do the work on its behalf. The dropped programs are part of SysInternals’ psexec tool suite, designed to execute processes remotely:
- psexec.exe: A command-line tool used to execute processes locally or remotely, dropped to the %Temp% folder.
- psexesvc.exe: A wrapper to be used with the Service Manager, dropped in the %Windir% folder.

Once these two executables are spawned, they run a third executable, sent earlier by the Gate server and saved under the registry value “N” (the payload) in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings subkey.

Then, after spreading instructions have been received by the server, the following processes are executed at regular intervals:

- Clampi runs the following command:
<psexec.exe> -accepteula -c -d \\* <payload.exe> install
- The Service Manager runs psexesvc.exe, which in turn runs the following command:
<payload.exe> install

The PsExec command above instructs the tool to copy payload.exe (-c) and run it noninteractively (-d) on every network share (\\*) it has the rights to connect to. The -accepteula switch tells psexec not to pop up the standard SysInternals EULA when first run.

Thus, very simply, the payload is copied and run on every possible network share. The payload could be anything. During our analysis it was a dropper for Clampi, meaning the SPREAD module was indeed used for propagation. Still, it could just as easily be any executable, either developed by the Clampi gang itself or run as part of a pay-per-install scheme.
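
One way to hunt for the PsExec launch described above, added here as an example and not code from the original post: it scores process-creation records on the command-line traits the post lists, ignoring the image name because the binary may be renamed. The sample events, host names, paths, function names and the three-indicator threshold are constructed assumptions.

```python
import re

# Constructed process-creation records (image path, command line); illustration only.
SAMPLE_EVENTS = [
    (r"C:\Users\alice\AppData\Local\Temp\psexec.exe",
     r"C:\Users\alice\AppData\Local\Temp\psexec.exe -accepteula -c -d \\* C:\Users\alice\AppData\Local\Temp\a1.exe install"),
    (r"C:\Tools\PsExec.exe", r"C:\Tools\PsExec.exe \\FILESRV01 -s ipconfig /all"),
    (r"C:\Tools\PsExec.exe",
     r"C:\Tools\PsExec.exe -accepteula \\HOST01 -c -d C:\Tools\agent.exe"),
    (r"C:\Users\bob\AppData\Local\Temp\svc32.exe",
     r"svc32.exe -ACCEPTEULA -d -c \\* C:\Users\bob\AppData\Local\Temp\x.exe install"),
]

def tokens(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def spread_indicators(image, cmdline):
    """Return the traits a launch shares with the SPREAD module's PsExec call."""
    args = tokens(cmdline)
    switches = {a.lower() for a in args if a.startswith("-")}
    reasons = []
    if r"\\*" in args:                      # wildcard target instead of a named host
        reasons.append("wildcard target")
    if {"-c", "-d"} <= switches:            # copy the file over and do not wait for it
        reasons.append("copy and detach")
    if "-accepteula" in switches:           # first-run dialog suppressed
        reasons.append("EULA prompt suppressed")
    if "\\temp\\" in image.lower():         # assumption: %Temp% resolves under a \Temp\ path
        reasons.append("image runs from a Temp directory")
    return reasons

def triage(events, threshold=3):
    """Keep launches matching at least `threshold` traits (threshold is an assumption)."""
    hits = []
    for image, cmdline in events:
        reasons = spread_indicators(image, cmdline)
        if len(reasons) >= threshold:
            hits.append((image, reasons))
    return hits

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The two administrative PsExec runs in the sample stay below the threshold, while the renamed binary is still caught because the match is on arguments and location rather than file name.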
