Malware, Worms, Viruses - Clampi Trojan Renews Assault on Bank Accounts

Secure Channel - Malware, Worms, Viruses - Clampi Trojan Renews Assault on Bank Accounts

Sporadic reports are surfacing that the authentication credential stealing Trojan Clampi is regaining momentum and poised to begin a new round of stealthily siphoning cash from the bank accounts belonging to compromised users.

Clampi - also known as Ligats, Ilomo and Rscan - was first discovered in January 2008. The Trojan targets machines running nearly all versions of Windows and spreads as a drive-by download through Websites with compromised vulnerabilities in Flash and ActiveX. It sits in the background monitoring Web browsing activity, specifically log-ins to accounts with financial activity. Without impeding connections or PC performance, Clampi stealthily captures users' account IDs and authentication credentials and passes them to its master.

In recent months, Clampi has started spreading like a worm across networks with infected PCs. In a CNET report, SecureWorks' Joe Stewart explained that Clampi uses capture domain registration credentials to leverage the Windows SysInternals tool "psexec" to copy itself across all connected computers within a domain.

What makes Clampi different, according to published reports, is that it's monitoring a vast number of financially sensitive accounts. Banks and financial institutions are its prime target, but it's also monitoring retail sites, utilities, ad networks, government agencies, online casinos and military portals.

The threat is not contained to individual home users. The Washington Post previously reported Clampi is responsible for several large, unauthorized bank transfers. A Kentucky county lost more than $415,000 to cyber-criminals after a treasurer's PC was compromised. A Pennsylvania school district was hit to the tune of $700,000 and an auto parts store in Georgia lost $75,000, the newspaper reported.

The conventional advice for dealing with Clampi is much the same as with all malware in the wild: Update antivirus signatures, monitor inbound and outbound traffic, block traffic from suspicious or known malicious domains, and patch vulnerability applications and services. In his interview with CNET, Stewart went a step further to say that businesses should isolate PCs used for high-value activities such as managing financial transactions and that those same machines should never be used for browsing the Web or accessing e-mail.


Shared via AddThis