1. /
  2. Security Response/
  3. Trojan.Clampi

Trojan.Clampi

Risk Level 2: Low

Discovered:
January 16, 2008
Updated:
November 8, 2012 4:05:19 PM
Also Known As:
Win32/Ilomo.BC [Computer Associates], TROJ_ILOMO.B [Trend]
Type:
Trojan
Infection Length:
402,952 bytes
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
1.3 Address blocking
1.4 Network shares
2. Infection method
2.1 Websites
2.2 Network shares
3. Functionality
3.1 Installation
3.2 System modifications
3.3 Network activity
3.4 Back channel communications
3.5 Online credential stealing
3.6 Local credential stealing
4. Additional information



1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
Clampi attempts to compromise computers by automatically downloading and installing itself when a computer contacts an infected website, a process known as drive-by downloads. Users are advised to use software that rates the safety of URLs, such as Norton Safe Web.


1.2 Patch operating system and software
Users are advised to ensure that their operation systems and any installed software are fully patched, antivirus and firewall software are up to date and operational. Users are recommended to turn on automatic updates if available so that their computers can receive the latest patches and updates when they are made available.


1.3 Address blocking
Block access to the following addresses using a firewall, router or add entries to the local hosts files to redirect the following addresses to 127.0.0.1:
  • anamality.info
  • criticalfactor.cc
  • wiredx.in
  • webmail.re-factoring.cn
  • drugs4sale.loderunner.in
  • pop3.re-factoring.cn
  • secure.loderunner.in
  • try.mojitoboom.in
  • direct.matchbox.vc
  • host.cfiflistmanager.org
  • 147.202.39.101
  • 174.142.22.51
  • 195.189.247.110
  • 195.225.236.4
  • 209.85.120.100
  • 61.153.3.48
  • 64.18.143.52
  • 66.128.55.82
  • 66.199.237.3
  • 66.225.237.140
  • 66.7.197.104
  • 66.96.234.5
  • 66.98.144.21
  • 66.98.153.17
  • 67.15.150.130
  • 67.15.161.131
  • 67.15.236.244
  • 69.172.130.201
  • 69.57.140.18
  • 70.84.236.194
  • 72.233.28.167
  • 72.29.66.235
  • 78.108.183.225
  • 78.109.29.129
  • 78.109.30.213
  • 78.109.31.54
  • 78.47.214.117
  • 78.47.61.229
  • 78.47.61.232
  • 83.175.218.163
  • 84.16.229.188
  • 87.118.101.27
  • 87.118.88.30
  • 92.48.96.229
  • 94.75.221.70


1.4 Network shares
This threat is also known to spread inside large networks by using shares. The following steps can help protect your computer against this threat.
  • Users are advised to ensure that all network shares are only opened when they are necessary for use.
  • Use a strong password to guard any shared folders or accounts. A strong password is a password that is of sufficient length of 8 or more characters. The password should also use a combination of numeric, capital, lowercase characters, and symbols. Commonly used words from everyday language should not be used as they may easily be defeated by a dictionary attack.
  • Disable the AutoRun feature to prevent dropped files from running automatically when a network drive is opened.
  • Users of Symantec Endpoint Protection 11 or later can configure their software to prevent the execution of PsExec. The following MD5 hash should be used in conjunction with the instructions provided in the article How to configure Application Control in Symantec Endpoint Protection 11.0: 0x9178451979c2192c71eb286de3e1b2f7



2. INFECTION METHOD
While Clampi itself does not spread further, it downloads a module that spreads Clampi across network shares. The module uses a legitimate software tool to copy and run Clampi on every possible network resource. This will include any computer the currently logged on user has access to.

Currently the payload is a dropper for Clampi; however, the payload could be anything the attacker has specified. This means that the SPREAD module (see "3.3 Network activity" for more details regarding the modules) is indeed used for propagation. However, the payload file can just as easily be any executable, either developed by the Clampi author(s) or distributed as part of a pay-per-install scheme.


2.1 Websites
The following addresses have been known to host or facilitate this threat family:
  • anamality.info
  • criticalfactor.cc
  • wiredx.in
  • webmail.re-factoring.cn
  • drugs4sale.loderunner.in
  • pop3.re-factoring.cn
  • secure.loderunner.in
  • try.mojitoboom.in
  • direct.matchbox.vc
  • host.cfiflistmanager.org
  • 147.202.39.101
  • 174.142.22.51
  • 195.189.247.110
  • 195.225.236.4
  • 209.85.120.100
  • 61.153.3.48
  • 64.18.143.52
  • 66.128.55.82
  • 66.199.237.3
  • 66.225.237.140
  • 66.7.197.104
  • 66.96.234.5
  • 66.98.144.21
  • 66.98.153.17
  • 67.15.150.130
  • 67.15.161.131
  • 67.15.236.244
  • 69.172.130.201
  • 69.57.140.18
  • 70.84.236.194
  • 72.233.28.167
  • 72.29.66.235
  • 78.108.183.225
  • 78.109.29.129
  • 78.109.30.213
  • 78.109.31.54
  • 78.47.214.117
  • 78.47.61.229
  • 78.47.61.232
  • 83.175.218.163
  • 84.16.229.188
  • 87.118.101.27
  • 87.118.88.30
  • 92.48.96.229
  • 94.75.221.70


2.2 Network shares
It downloads a module, which is a dropper for psexec, a legitimate software tool that is designed to copy and execute processes on a remote share. The module drops two files:
  • psexec.exe—A command-line tool used to execute processes locally or remotely, dropped to the %Temp% folder.
  • psexesvc.exe—A wrapper to be used with the Service Manager, dropped in the %Windir% folder.
Once these two executables are spawned, they run a third executable, sent earlier by the command and control server and saved under the registry value "N" (usually Clampi) in the following subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

This file is the file that is spread through remote network shares and typically is Clampi. The file is extracted from the registry and saved as a randomly named temporary file (referred to as the payload file below).

If instructions to spread are received from the command and control server, the following processes are executed at regular intervals:
psexec.exe -accepteula -c -d \\* [PAYLOAD FILE NAME] install
[PAYLOAD FILE NAME] install
(through the Service Manager)

The Psexec command above instructs the tool to copy (-c) the payload file and run it noninteractively (-d) on every network resource (\\*) it has the rights to connect to. The –accepteula parameter tells psexec not to display the standard SysInternals EULA when first run so that it can perform its activities without the user noticing.



3. FUNCTIONALITY


3.1 Installation
Clampi has been found infecting computers via drive-by downloads. Users visit a Web site that has been compromised by an exploit that allows arbitrary executables to be silently installed on the computer.

When executed, Clampi copies itself to one of the following locations:
  • %Temp%\[ORIGINAL FILE NAME].exe
  • %System%\regscan.exe
  • %UserProfile%\Application Data\svchosts.exe
  • %UserProfile%\Application Data\taskmon.exe
  • %UserProfile%\Application Data\rundll.exe
  • %UserProfile%\Application Data\service.exe
  • %UserProfile%\Application Data\sound.exe
  • %UserProfile%\Application Data\upnpsvc.exe
  • %UserProfile%\Application Data\lsas.exe
  • %UserProfile%\Application Data\logon.exe
  • %UserProfile%\Application Data\helper.exe
  • %UserProfile%\Application Data\event.exe
  • %UserProfile%\Application Data\dumpreport.exe
  • %UserProfile%\Application Data\msiexeca.exe

Note: The Trojan modifies the timestamp of the dropped file to match that of the following file:
%System%\Kernel32.dll

It then creates the following registry entry so that it executes every time Windows starts: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM NAME]" = "[PATH TO TROJAN]"

Note: The possible randomly named registry key values and path pairs are listed below.
  • Svchosts—%UserProfile%\Application Data\svchosts.exe
  • TaskMon—%UserProfile%\Application Data\taskmon.exe
  • RunDll—%UserProfile%\Application Data\rundll.exe
  • System—%UserProfile%\Application Data\service.exe
  • Sound—%UserProfile%\Application Data\sound.exe
  • UPNP—%UserProfile%\Application Data\upnpsvc.exe
  • lsass—%UserProfile%\Application Data\lsas.exe
  • Init—%UserProfile%\Application Data\logon.exe
  • Windows—%UserProfile%\Application Data\helper.exe
  • EventLog—%UserProfile%\Application Data\event.exe
  • CrashDump—%UserProfile%\Application Data\dumpreport.exe
  • Setup—%UserProfile%\Application Data\msiexeca.exe
  • Regscan—%System%\regscan.exe

Clampi creates some additional registry keys including the following:

Clampi version
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"GID" = "[EIGHT CHARACTERS]"

List of command & control servers
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"GatesList" = "[HEXADECIMAL
CHARACTERS]"

Encryption keys
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"KeyM" = "[HEXADECIMAL CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"KeyE" = "[NUMBER]"

Unique machine ID
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"PID" = "[BINARY DATA]"

Downloaded modules
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"M[TWO HEXADECIMAL DIGITS]" = "[BINARY DATA]"

Binary to spread (typically Clampi)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"N" = "[BINARY DATA]"

Clampi then begins downloading additional modules (see "3.3 Network activity" for more details regarding the modules). To avoid downloading the module each time Clampi runs, they are stored in the registry (in an encrypted and compressed form) in a value named "Mxx" where "xx" is a zero-based number representing the current module count (e.g. "M02"). The modules are actually DLL files and are unencrypted, uncompressed, and then loaded straight from the registry to memory and executed by the main Clampi binary. Thus, these modules are never saved to disk as a file.


3.2. System modifications
The following side effects may be observed on computers compromised by members of this threat family.


Files/folders created
One or more of the following files:
  • %Temp%\[ORIGINAL FILE NAME].exe
  • %System%\regscan.exe
  • %UserProfile%\Application Data\svchosts.exe
  • %UserProfile%\Application Data\taskmon.exe
  • %UserProfile%\Application Data\rundll.exe
  • %UserProfile%\Application Data\service.exe
  • %UserProfile%\Application Data\sound.exe
  • %UserProfile%\Application Data\upnpsvc.exe
  • %UserProfile%\Application Data\lsas.exe
  • %UserProfile%\Application Data\logon.exe
  • %UserProfile%\Application Data\helper.exe
  • %UserProfile%\Application Data\event.exe
  • %UserProfile%\Application Data\dumpreport.exe
  • %UserProfile%\Application Data\msiexeca.exe


    Files/folders deleted

    None


    Files/folders modified
    None


    Registry subkeys/entries created
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM NAME]" = "[PATH TO TROJAN]"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"GID" = "[EIGHT CHARACTERS]"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"GatesList" = "[HEXADECIMAL CHARACTERS]"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"KeyM" = "[HEXADECIMAL CHARACTERS]"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"KeyE" = "[NUMBER]"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"PID" = "[BINARY DATA]"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"M[TWO HEXADECIMAL DIGITS]" = "[BINARY DATA]"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"N" = "[BINARY DATA]"


    Registry subkeys/entries deleted
    None


    Registry subkeys/entries modified (final values given)
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Use FormSuggest" = "true"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"FormSuggest_Passwords" = "true"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"FormSuggest_PW_Ask" = "no"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\"AutoSuggest" = "true"
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\"POP3 Prompt for Password" = "0"


    Processes

    iexplore.exe (code injection)


    3.3 Network activity
    The threat may perform the following network activities.


    Downloading
    Clampi attempts to contact a malicious website in order to download more components. It has been known to connect to the following network addresses to download components on to the compromised computer:
    • anamality.info
    • criticalfactor.cc
    • wiredx.in
    • webmail.re-factoring.cn
    • drugs4sale.loderunner.in
    • pop3.re-factoring.cn
    • secure.loderunner.in
    • try.mojitoboom.in
    • direct.matchbox.vc
    • host.cfiflistmanager.org
    • 147.202.39.101
    • 174.142.22.51
    • 195.189.247.110
    • 195.225.236.4
    • 209.85.120.100
    • 61.153.3.48
    • 64.18.143.52
    • 66.128.55.82
    • 66.199.237.3
    • 66.225.237.140
    • 66.7.197.104
    • 66.96.234.5
    • 66.98.144.21
    • 66.98.153.17
    • 67.15.150.130
    • 67.15.161.131
    • 67.15.236.244
    • 69.172.130.201
    • 69.57.140.18
    • 70.84.236.194
    • 72.233.28.167
    • 72.29.66.235
    • 78.108.183.225
    • 78.109.29.129
    • 78.109.30.213
    • 78.109.31.54
    • 78.47.214.117
    • 78.47.61.229
    • 78.47.61.232
    • 83.175.218.163
    • 84.16.229.188
    • 87.118.101.27
    • 87.118.88.30
    • 92.48.96.229
    • 94.75.221.70

    The downloaded components are stored in encrypted form in the following registry entry:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\"M[TWO HEXADECIMAL DIGITS]" = "[BINARY DATA]"

    The components consist of the following modules:
    • SOCKS—A socks proxy.
    • PROT—Steals PSTORE credentials, which typically contains credentials saved when using a Web browser.
    • LOGGER—Steals online credentials.
    • LOGGEREXT—Aids in stealing online credentials for websites with enhanced security.
    • SPREAD—Spreads Clampi to machines in the network with open network shares.
    • ACCOUNTS—Steals locally saved credentials for a variety of applications such as Instant Messaging and FTP clients.
    • INFO—Gathers and sends general system information.

    Clampi also refers to an 8th module as KERNEL, which is a copy of itself.


    Uploading
    Sensitive information collected from the compromised computer is uploaded to a remote computer.


    Other network activity


    Firewall bypassing
    Clampi attempts to bypass the local firewall on the compromised computer by injecting its networking code into Internet Explorer, which is granted Web access by any standard firewall configuration as browsers are allowed to use outbound TCP port 80.

    Clampi implements an API proxy where stubs of code are injected and executed in Internet Explorer that execute APIs on Clampi's behalf, but only when it’s needed. When Clampi needs to send information to the command and control server, it will use the API proxy.

    Soon after Clampi is executed, it creates an Internet Explorer instance. The Internet Explorer window is hidden and the primary thread is suspended. The IE instance is started with a command line that contains shellcode (named shellcode 0).



    Clampi then injects a thread into Internet Explorer, pointing to GetCommandLineA. Upon execution of this thread, the location of the shellcode in the IE memory space will be retrieved.
    A second remote thread is then created and executes shellcode 0.


    SOCKS proxy
    The SOCKS proxy servers act as connection relays passing traffic from one computer to another. The server's code is injected into an instance of Internet Explorer to bypass any local firewall. It then listens for incoming connections on a random TCP port above 5000. The SOCKS module is activated in response to a command from the control server. The client then sends the port it's listening on for inbound connections to the command and control server.




    The Clampi author(s) are using the proxy server to conduct fund transfers using compromised credentials. The proxies provides anonymity and bypasses any online banking security or monitoring that may recognize abnormal connections from suspect IP addresses.


    3.4 Back channel communications
    Clampi connects to one of the gateway servers listed in the following registry subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\GatesList

    These servers run the Nginx Web server and serve as the command and control servers, providing instructions to computers compromised by Clampi and collecting information Clampi has gathered from its compromised host.

    The client queries the server using a POST request that contains stolen information or asks the server "What do I do next?" The server then sends a standard HTTP/200 response.

    Clampi's POST requests are in plain ASCII and have the following structure:
    o=[OPERATION]&s=[CLIENT_ID]&b=[DATA_CHUNK]

    Where:
    • The [OPERATION] field is a single character in the set ('i','a','c','d','u').
    • The [CLIENT_ID] field is 16 characters long, and contains a unique, per-session, random ID identifying the compromised computer.
    • The [DATA_CHUNK] contains the payload. It is encoded with a variation of the Base64 algorithm. It is also encrypted using the Blowfish ECB symmetric encryption algorithm with a 56-byte key—the longest key usable by Blowfish.




    Initially, the client sends two queries, "o=i" (Initiate) and "o=a", to set up the connection. The Initiate query contains a chunk of 256 bytes, believed to be the encoded session key used for Blowfish encryption later on. These two operations occur only once per session.

    After these two exchanges, an encrypted tunnel is established. From then on the data chunks will be encrypted using Blowfish.

    A typical exchange then consists of "o=c" (Contact) and "o=d" (Data) queries. A Contact query does not contain a data chunk, but only comes with the client ID. It simply tells the server "I’m alive, what do I do?" The server's answer to a Contact query contains a four-byte ID that identifies the transaction that’s about to take place as well as code that instructs the client what do next.

    Typically, the server will then instruct the client to load other modules. If the client doesn't have them already, they will be sent in a later HTTP response.




    Stolen data is sent in data queries as well. For instance, passwords and login credentials stolen by the PROT module will be sent in a Unicode, binary-ASCII encoded form.



    Online banking login information is sent in a similar fashion. In the instance below, the data posted to the banking site is intercepted from inside the browser (before SSL encryption) and sent to the gateway server with other metadata items such as the Referrer, the Host, or the HTTP method:
    S=online.bankof[REMOVED].com
    P=443
    M=POST
    O=/ib/securebin/navwebdll.dll/webtellermgr/PWB001
    H=Referrer: https://online.bankof[REMOVED].com/ib/securehtm/boc-ib/ebanklogin.htm\r\nAccept-Language: en-us\r\nContent-Type: application/x-www-form-urlencoded\r\n
    D=TxnName=SignOn&resolution=924x716&browser=ie&CustomerID=4158896&PIN=475823

    By using standard HTTP and strong encryption, coupled with a modular approach of the client's functionalities, Clampi's communication model is simple, yet very efficient.


    3.5 Online credential stealing
    The main functionality of Trojan.Clampi is to steal banking credentials. This is enabled by the LOGGER and LOGGEREXT modules. After decryption, the LOGGER module's raw data looks like this (compressed):




    The LOGGER module injects a code stub into Internet Explorer and hooks several APIs imported by the standard Windows DLL, urlmon.dll, which is used by Internet Explorer to open Web pages. These hooks will redirect code execution to the Clampi-injected code. The hooked routines include:
    • InternetConnectA
    • InternetOpenA
    • InternetSetStatusCallbackA
    • InternetReadFileExA
    • InternetOpenUrlA
    • InternetCrackUrlA
    • InternetReadFile
    • InternetWriteFile
    • HttpOpenRequestA
    • InternetSendRequestA
    • HttpSendRequestExA
    • InternetQueryOptionA
    • InternetQueryDataAvailable
    • InternetCloseHandle

    Each time the user visits a Web page, Clampi will verify if the website is on a match list using the injected code. If a match is found, the data sent to the (usually) financially related website will also be sent to Clampi's gateway servers, allowing Clampi to steal large amounts of login credentials and other confidential data.

    The match list is stored as cyclical redundancy checks (CRC) of portions of the URLs of the targeted sites. The injected code will calculate the CRCs of the current URL and compare the CRC to a list found in a data file, which is also being sent by the server. The following are the reasons that CRCs are used rather than plain-text URLs:
    • The URLs are not stored in plain text, which avoids raising instant suspicion.
    • Pattern matching a large list of URLs is faster using CRCs.
    • Storing CRCs takes less space than full URLs.
    • CRCs are essentially one-way functions, so reversing the CRCs to URLs is not a trivial task. This means that given a specific site, someone can determine if it is being monitored easily, but establishing a comprehensive list of monitored sites is not.

    There are over 4,600 CRCs in the current LOGGER data file and it can be updated dynamically.
    Despite the use of the one-way CRCing function, Symantec has reversed most of the URLs, determining which sites are being targeted. The list includes major banks and other financial institutions, online payment sites, but also high-traffic social websites, webmail, and security vendor portals.

    The domains are from all around the world including more than 120 top-level domains. The majority (45%) are .com domains based in the United States. Ignoring non-country specific top-level domains such as .com, .net, and .org, Australia (.au) and Italy (.it) are the most represented domains followed by the United Kingdom (.uk).




    While most sites are financial institutions, a variety of other types of websites are targeted. Spot checking these sites show that all have a login form on their home page. The authors likely automatically crawled the Web for sites that had some type of login form or other strings such as 'Your account' on their home page and met certain popularity or industry-type criteria.

    Some online banking sites utilized enhanced security techniques. For example, one problem arises with banking sites that pre-process the user's personal information using client-side JavaScript before sending it over the network (where the LOGGER module has hooks). For instance, a hash of the input PIN number could be sent instead of the PIN number itself. This mechanism adds an extra layer of security, preventing malware from sniffing network traffic at one end of the SSL tunnel. To get around this, the Clampi author(s) created another module named LOGGEREXT (which stands for "Logger Extended").

    This module actively replaces JavaScript stubs inside of targeted Web pages. The replacement code is similar to Win32 hooks—they are called instead of other JavaScript functions, do some processing, and then call the original function.

    The target pages, the original JavaScript stubs, and the replacement ones are stored in a separate data file, loaded by the LOGGEREXT module in its address space.

    The current data file that LOGGEREXT uses contains exactly 78 entries. The malware authors analyzed about 15 websites carefully enough to determine where additional JavaScript stubs should be injected and when the module should be called.


    URL checking tool
    Symantec has created an online flash applet that will check if a domain is being targeted by Clampi. To use it, type in a URL or domain name, including possible subdomains. E.g., if your bank is www.mybank.com, you may want to try other valid combinations your bank uses, such as login.mybank.com or secure.mybank.com. While Type 2 domain CRCs are not the only match patterns Clampi uses, they do represent 99% of the URLs matched. Thus, if the domain you test does not match, there is still a chance the domain is being monitored. Finally, the applet only checks the CRCs at the time of posting.


    3.6 Local credential stealing
    Clampi also searches the local system for credentials, utilizing two mechanisms to do so – a custom written module (PROT) that searches the PSTORE and other locations and a module (ACCOUNTS) that uses a third party tool to search and decrypt a variety of additional password save locations.

    The PROT module gathers private information from several sources, including Protected Storage (PStore), which contains user credentials stored by Internet Explorer or Outlook and potentially other applications.

    Clampi also sets specific registry values in order to facilitate the creation of new entries in the PStore. The PROT module sets the following registry entries:

    Enables form suggestion:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Use FormSuggest" = "true"

    Lets Internet Explorer fill login/password combinations in forms automatically. Suggesting passwords means it is stored in the PStore:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"FormSuggest_Passwords" = "true"

    Allows Windows Explorer to store network share information, for instance:
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"FormSuggest_PW_Ask" = "no"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\"AutoSuggest" = "true"

    Lets Outlook record the mail account passwords in the PStore:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\"POP3 Prompt for Password" = "0"

    The PROT module also steals a variety of software license or registration information, such as for the following applications:
    • Microsoft Office 2007
    • Adobe Creative Suite
    • Corel Painter 10
    • Adobe FlashPlayer
    • Sony SoundForge

    Furthermore, the module also retrieves the list of installed applications by opening the following registry subkey, browsing its subkeys, and then querying the values for "DisplayName" entries: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    The second method used by Clampi is performed by the ACCOUNTS module, which is a dropper for the commercial application NsaSoft's SpotAuditor to recover passwords and other information.

    The module drops SpotAuditor in the %Temp% folder and then runs it in a hidden window. It searches the "SpotAuditor" window, its "Audit Mode" subwindow, and then starts a scan by sending a WM_COMMAND message to this window.

    The scan results are then collected by sending valid WM_Xxx messages as well as reading the program's memory image.

    Thanks to this hack, Clampi is then able to collect passwords from various software or utilities that are not saved in the PStore or the registry.

    NsaSoft's SpotAuditor claims to recover passwords for the following applications:
    • Internet Explorer 7
    • Internet Explorer 6
    • Mozilla Firefox
    • Opera
    • MSN messenger 6.0 - 7.5 and Windows Live Messenger 8
    • Windows messenger
    • Dialup, RAS and VPN
    • Outlook Express and Microsoft Office Outlook
    • Remote Desktop
    • ICQ
    • Trillian
    • Miranda IM
    • Google Talk ( GTalk )
    • Google Desktop
    • Camfrog Video Chat and Easy Web Cam
    • VNC 4.xxx
    • WinProxy Administrator
    • Total Commander (Windows Commander )
    • CoffeeCup Direct FTP
    • IpSwitch Messenger, IpSwitch Messenger, IM server, IMail server, WS_FTP
    • SmartFTP
    • FileZilla
    • FTP Navigator
    • 32bit FTP
    • WebDrive FTP
    • FTP Control
    • DeluxeFtp
    • AutoFTP
    • FTP Voyager
    • SecureFX
    • Ftp Now
    • Core FTP
    • FFFTP
    • Internet Download Manager
    • &RQ

    Once this data is gathered, it is sent back to the command and control server.



    4. ADDITIONAL INFORMATION
    For more information relating to this threat family, please see the following resources:

    Recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
    • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
    • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
    • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
    • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
    • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
    • For further information on the terms used in this document, please refer to the Security Response glossary.
    Writeup By: Jarrad Shearer
    Summary| Technical Details| Removal

    Search Threats

    Search by name
    Example: W32.Beagle.AG@mm
    STAR Antimalware Protection Technologies
    Internet Security Threat Report, Volume 17
    Symantec DeepSight Screensaver