Trojan.Clampi, also known as Ligats and Ilomo, is a Trojan horse that attempts to steal login credentials related to online banking and other financially related websites.
Infection
While Clampi itself does not spread further, it downloads a module that spreads Clampi across network shares. It copies itself to every possible network resource, which includes any computer the currently logged on user has access to. Due to the nature of how it accomplishes this, it could be any type of file, including other, unrelated malware, but currently it is a dropper for Clampi.
Functionality
Clampi's primary purpose is to steal credentials for online banking sites as well as credentials stored locally. It targets hundreds of websites in dozens of countries. Once it gathers the information its looking for, it injects itself into the Internet Explorer process in order to bypass any local firewall, thereby allowing it to send the gathered information to, and open a back channel to receive instructions from, its command and control (C&C) server.
Clampi also acts as a SOCKS proxy server, which provides anonymity for the Clampi author(s) when connecting to banking and other financially related websites using the stolen credentials, and bypass any online banking security or monitoring that may recognize abnormal connections from suspect IP addresses.
GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.
PREVALANCE
Symantec has observed the following infection levels of this threat worldwide.
SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.
Antivirus signatures
Trojan.Clampi
Antivirus (heuristic/generic)
Trojan.Clampi!gen
Intrusion Prevention System
Click for a more detailed description of Rapid Release and Daily Certified virus definitions.
