IT Developments
Clampi Worm Puts Online Financial Transactions at Risk
- From: Brian Warkoczeski
- Date: Mon Aug 03 12:04:49 2009
Clampi Worm Puts Online Financial Transactions at Risk
By Jennifer LeClaire, newsfactor.com
www.yahoo.com
Jul 31, 2009
With security researchers focused on the Black Hat security conference,
a Trojan called Clampi is still making its way across the Web looking
for victims.
Also known as Ligats, Ilomo or Rscan, Clampi is a Trojan that aims to
steal credentials from infected systems. According to SecureWorks,
hundreds of thousands of Windows computers may already be infected and
many more are at risk. In one recent example, an auto-parts store lost
about $75,000 in early July to a group of attackers leveraging the power
of Clampi.
Although Clampi is not a new threat -- it has been harassing Windows
users since 2007 -- security researchers report it is gaining momentum.
Joe Stewart, director of malware research in SecureWorks' counter
threat unit, launched an in-depth investigation earlier this year into
the Trojan and its use of the psexec tool to spread. What he discovered
is troubling.
"In recent months, Clampi has successfully spread across Microsoft
networks in a worm-like fashion," Stewart said.
How Clampi Attacks
Stewart has identified 1,400 of the 4,500 Web sites, spread across 70
countries, that the Clampi attackers are targeting. The Clampi Trojan,
he reported, requests information specifically from these sites via
infected computers. A sophisticated organized-crime group from Eastern
Europe is running Clampi and has been implicated in numerous high-dollar
thefts from banking institutions.
"Clampi's recent success in infecting victims is accomplished by using
domain-administrator credentials -- either stolen by the Trojan or
reused, or by virtue of the fact that a domain administrator has logged
into an already infected system. Once domain-administrator privileges
are granted, the Trojan uses the SysInternals tool psexec to copy itself
to all computers on the domain," Stewart said. "Clampi also serves as a
proxy server used by criminals to anonymize their activity when logging
into stolen accounts."
Although most major antivirus engines should detect Clampi and its
variants, Stewart said there is always a delay between a new Trojan
release and the detection time. He recommends businesses that use online
banking and financial transactions adopt a strategy to isolate
workstations where these activities are carried out.
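A defender-side illustration of the spread pattern Stewart describes, added here and not part of the article or of SecureWorks' work: it scans Windows System-log service-install records (Event ID 7045) for PsExec's PSEXESVC service and flags any account that installs services on several hosts within a few minutes, the worm-like fan-out a domain-admin credential makes possible. The host names, account names, timestamps and log records are constructed for the example.

```python
"""Spot PsExec-style fan-out across a domain from Windows Event ID 7045
("A service was installed in the system") records. Added example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, host, event_id, service_name, account).
# PsExec registers a service named PSEXESVC on each target it runs on.
SAMPLE_EVENTS = [
    ("2009-07-01T09:00:05", "WS-ACCT01", 7045, "PSEXESVC", "CORP\\da-admin"),
    ("2009-07-01T09:00:09", "WS-ACCT02", 7045, "PSEXESVC", "CORP\\da-admin"),
    ("2009-07-01T09:00:14", "WS-HR03", 7045, "PSEXESVC", "CORP\\da-admin"),
    ("2009-07-01T09:00:20", "WS-SALES4", 7045, "PSEXESVC", "CORP\\da-admin"),
    ("2009-07-01T10:30:00", "SRV-FILE1", 7045, "Backup Agent", "CORP\\svc-backup"),
    ("2009-07-01T11:00:00", "WS-ACCT01", 4624, "", "CORP\\jsmith"),
]


def psexec_installs(events):
    """Return the records where PsExec's service was installed on a host."""
    return [e for e in events if e[2] == 7045 and e[3].upper() == "PSEXESVC"]


def fan_out(events, window=timedelta(minutes=5), min_hosts=3):
    """Map each account that installed services on at least `min_hosts`
    distinct hosts inside `window` to the sorted list of those hosts.
    A legitimate agent rollout can trip this too, so treat it as a lead."""
    by_account = defaultdict(list)
    for ts, host, eid, _svc, acct in events:
        if eid == 7045:
            by_account[acct].append((datetime.fromisoformat(ts), host))
    alerts = {}
    for acct, installs in by_account.items():
        installs.sort()
        for i, (t0, _) in enumerate(installs):
            hosts = {h for t, h in installs[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[acct] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for ts, host, _, svc, acct in psexec_installs(SAMPLE_EVENTS):
        print(f"{ts} {host}: service {svc} installed by {acct}")
    for acct, hosts in fan_out(SAMPLE_EVENTS).items():
        print(f"fan-out by {acct}: {', '.join(hosts)}")
```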
Sophisticated Risks
Today's malware code is incredibly sophisticated -- and may even have
its own internal encryption capabilities to hinder analysis or
hijacking of the criminals' botnets or code, according to Ken Dunham,
director of global response at iSight Partners.
"Even if you wipe Windows and reinstall it, many of these Trojans can
still load up and take control of your system. We're moving toward
disk-level- or hardware-level-based compromise," Dunham said. "The
sophistication is something that needs to be recognized. We're dealing
with highly organized, talented people that are criminals."
Best practices are a must, but it can be difficult to protect against
Web-based attacks and specifically third-party browser attacks that
leverage Flash and PDF. Dunham said he sees new reports of attacks that
involve PDF or Flash exploits or something similar cross his desk every day.
"It's one thing to say you've got your Windows updated and your
antivirus in place. It's another thing to say you've got your browser
updated," Dunham said. "But do you have your browser plug-ins updated?
It's complicated."