
Trojan.Clampi

Risk Level 2: Low

Discovered:
January 16, 2008
Updated:
November 8, 2012 4:05:19 PM
Also Known As:
Win32/Ilomo.BC [Computer Associates], TROJ_ILOMO.B [Trend]
Type:
Trojan
Infection Length:
402,952 bytes
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
Trojan.Clampi, also known as Ligats and Ilomo, is a Trojan horse that attempts to steal login credentials related to online banking and other financially related websites.

Infection
While Clampi itself does not spread further, it downloads a module that spreads Clampi across network shares. It copies itself to every possible network resource, which includes any computer the currently logged-on user has access to. Because of how it accomplishes this, the copied file could be of any type, including other, unrelated malware, but at present it is a dropper for Clampi.


Functionality
Clampi's primary purpose is to steal credentials for online banking sites as well as credentials stored locally. It targets hundreds of websites in dozens of countries. Once it gathers the information it is looking for, it injects itself into the Internet Explorer process in order to bypass any local firewall, which allows it to send the gathered information to its command and control (C&C) server and to open a back channel for receiving instructions from it.

Clampi also acts as a SOCKS proxy server, which provides anonymity for the Clampi author(s) when connecting to banking and other financially related websites using the stolen credentials, and bypasses any online banking security or monitoring that may recognize abnormal connections from suspect IP addresses.
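A browser process normally only opens outbound connections, so a browser process with a socket in the LISTENING state is the kind of anomaly the two behaviours above (injection into Internet Explorer, a SOCKS proxy inside that process) would produce. The following is an added example, not code from Symantec or from this writeup: it parses `netstat -ano`-style output and a PID-to-image map and flags browser processes that are listening. The netstat lines, the PID map, the port 1080 listener and all addresses are constructed sample data and are not indicators taken from the writeup.

```python
"""Flag browser processes that are listening for inbound connections.

Defensive triage helper (added example, not from the Trojan.Clampi writeup).
A web browser should only initiate connections; a browser image that owns a
LISTENING socket is worth investigating, because a proxy or backdoor running
inside an injected browser process looks exactly like that.
"""
import re
from collections import defaultdict

# Constructed sample in the layout of `netstat -ano` (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING       2316
  TCP    192.168.1.20:49321     203.0.113.7:443        ESTABLISHED     2316
  TCP    192.168.1.20:49322     198.51.100.5:443       ESTABLISHED     2316
  TCP    192.168.1.20:49400     93.184.216.34:80       ESTABLISHED     1544
"""

# Constructed PID -> image-name map, as `tasklist` would provide.
PROCESS_SAMPLE = {880: "svchost.exe", 2316: "iexplore.exe", 1544: "firefox.exe"}

# Images that are expected to be clients only.  Extend for your estate.
BROWSER_IMAGES = {"iexplore.exe", "firefox.exe", "chrome.exe"}

# TCP rows only: UDP rows in netstat output carry no State column.
TCP_ROW_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return a list of (local, remote, state, pid) tuples for TCP rows."""
    rows = []
    for line in text.splitlines():
        match = TCP_ROW_RE.match(line)
        if match:
            local, remote, state, pid = match.groups()
            rows.append((local, remote, state, int(pid)))
    return rows


def find_listening_browsers(rows, processes):
    """Map PID -> listening local addresses for browser-image processes."""
    hits = defaultdict(list)
    for local, _remote, state, pid in rows:
        image = processes.get(pid, "").lower()
        if state == "LISTENING" and image in BROWSER_IMAGES:
            hits[pid].append(local)
    return dict(hits)


def outbound_peers(rows, pid):
    """Sorted set of remote endpoints the given PID has established."""
    return sorted({remote for _l, remote, state, p in rows
                   if p == pid and state == "ESTABLISHED"})


def report(text, processes):
    """One human-readable finding per suspicious browser PID."""
    rows = parse_netstat(text)
    findings = []
    for pid, addrs in sorted(find_listening_browsers(rows, processes).items()):
        peers = outbound_peers(rows, pid)
        findings.append(
            f"{processes[pid]} (PID {pid}) is LISTENING on {', '.join(addrs)}; "
            f"outbound peers: {', '.join(peers) if peers else 'none'}"
        )
    return findings


if __name__ == "__main__":
    for finding in report(NETSTAT_SAMPLE, PROCESS_SAMPLE):
        print(finding)
```

On a live host the same logic can be fed the real output of `netstat -ano` and `tasklist`; the outbound peers listed next to the listening browser PID give the analyst the candidate C&C endpoints to pivot on in proxy and firewall logs.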



GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.
[Geographic distribution map not reproduced in this extract.]

PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.
[Infection-level map not reproduced in this extract.]

SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.


Antivirus signatures

Trojan.Clampi


Antivirus (heuristic/generic)

Trojan.Clampi!gen


Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version January 18, 2008 revision 040
  • Latest Rapid Release version June 24, 2014 revision 006
  • Initial Daily Certified version January 17, 2008 revision 033
  • Latest Daily Certified version July 17, 2013 revision 022
  • Initial Weekly Certified release date January 23, 2008

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 3 - 9
  • Geographical Distribution: Medium
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Medium
  • Payload: Steals information from the compromised computer.
  • Releases Confidential Info: Steals banking and other financial website-related credentials.
  • Compromises Security Settings: Bypasses local firewalls.

Distribution

  • Distribution Level: Low
Writeup By: Jarrad Shearer
