Inside Trojan.Clampi: Stealing Your Information
Let’s continue our Trojan.Clampi blog series by discussing three more modules downloaded and executed by Clampi. These modules share the common goal of gathering information, private or not, contained on the compromised computer. They don’t intercept network traffic like the Logger module does (described in my previous blog).
The PROT module
This module gathers private information from several sources, including Protected Storage (PStore), which contains user credentials stored by Internet Explorer or Outlook, for instance. Interestingly, it also sets specific registry values in order to facilitate the creation of new entries in the PStore.
For instance, it sets the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Use FormSuggest" = "true"
  This enables form suggestion.
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"FormSuggest_Passwords" = "true"
  This lets Internet Explorer fill login/password combinations in forms automatically. Suggesting passwords means they are stored in the PStore.
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"FormSuggest_PW_Ask" = "no"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\"AutoSuggest" = "true"
  This allows Windows Explorer to store network share information, for instance.
- HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\"POP3 Prompt for Password" = "0"
  This lets Outlook record the mail account passwords in the PStore.
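The following added example, which is not part of the original post, checks an exported HKEY_CURRENT_USER hive (.reg text) for the five values listed above. The key paths and data are taken as written in this article and the sample export is constructed; users can enable these settings themselves, so a match is a lead to correlate with other evidence.

```python
import re

# (key, value name, data) as listed in this article for the PROT module.
PROT_SETTINGS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Use FormSuggest", "true"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "FormSuggest_Passwords", "true"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "FormSuggest_PW_Ask", "no"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete", "AutoSuggest", "true"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts", "POP3 Prompt for Password", "0"),
]

# Constructed sample in .reg export format (not data from a real infection).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use FormSuggest"="true"
"FormSuggest_Passwords"="true"
"FormSuggest_PW_Ask"="no"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts]
"POP3 Prompt for Password"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete]
"AutoSuggest"="no"
'''

def parse_reg_export(text):
    """Map (key, value name) -> data, lower-cased; handles string and dword data."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # new key section
        elif key and m:
            name, data = m.group(1).lower(), m.group(2).strip()
            dword = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", data)
            if dword:
                data = str(int(dword.group(1), 16))  # dword:00000000 -> "0"
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]             # strip the surrounding quotes
            values[(key, name)] = data.lower()
    return values

def audit(text):
    """Return the PROT_SETTINGS entries whose data matches the exported hive."""
    found = parse_reg_export(text)
    return [s for s in PROT_SETTINGS if found.get((s[0].lower(), s[1].lower())) == s[2]]

if __name__ == "__main__":
    print("\n".join(f"MATCH {k}\\{n} = {d}" for k, n, d in audit(SAMPLE)))
```

Files saved by regedit are UTF-16 encoded, so read them with open(path, encoding="utf-16") before passing the text to audit.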
The PROT module also steals a variety of software licence or registration information, such as the following:
- Microsoft Office 2007
- Adobe Creative Suite
- Corel Painter 10
- Adobe FlashPlayer
- Sony SoundForge
It also retrieves the list of installed applications by opening HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall, browsing its subkeys, and then querying the values for “DisplayName” entries.
For example, I visited a popular forum site with Internet Explorer, forum.[REMOVED].com, and logged in with the login name abcdef and password 123456. This was then saved in the PStore by the browser. Here’s the client’s data sent in response to a PROT query (the bait PStore here contains my entry):
The INFO module
The goal of this module is to collect non-sensitive information about the compromised computer. To do that, it runs various standard Windows utilities (ipconfig, systeminfo, net, sc, tracert, arp, route, dir, etc.), as well as the lesser-known wmic.exe (the WMI command-line utility). WMI stands for Windows Management Instrumentation and is an interface through which programs can query system information or get notified of system events. The INFO module makes extensive use of WMI to retrieve information about the:
- Operating system version
- User accounts
- Installed components and drivers
- Running processes
- Drives (local, removable, ROM, etc.)
- Network interfaces
The ACCOUNTS module
Finally, let’s discuss the ACCOUNTS module. This module’s structure is fairly simple—it’s a dropper for the commercial application NsaSoft’s SpotAuditor, whose purpose is “recovering passwords and other critical business information saved in computers”.
The module drops SpotAuditor in the %Temp% folder and then runs it in a hidden window. It searches for the “SpotAuditor” window and its “Audit Mode” subwindow, and then starts a scan by sending the appropriate WM_COMMAND message to this window. The scan results are then collected by sending valid WM_Xxx messages as well as by reading the program’s memory image.
Thanks to this hack, Clampi is then able to collect passwords from various software or utilities that are not saved in the PStore or the registry (instant messaging programs or FTP clients, for instance).
Figure: Logic of the ACCOUNTS module
The combination of these three modules allows Clampi to collect an extensive list of credentials and machine or user information, which simpler Infostealer programs may fail to retrieve.