Members
  • Total Members: 14197
  • Latest: Levine
Stats
  • Total Posts: 43434
  • Total Topics: 16528
  • Online today: 3114
  • Online ever: 51419
  • (01. January 2010., 10:27:49)
Users Online
Users: 2
Guests: 3035
Total: 3037









Author Topic: Clampi Trojan stealing online bank data (Ligats, Ilomo, Rscan)  (Read 4063 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7529
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum


Hundreds of thousands of Windows computers are believed to be infected with a Trojan called "Clampi" that has been stealing banking and other log-in credentials from compromised PCs since 2007, a security researcher said on the eve of the Black Hat security conference.

Clampi, also known as Ligats, Ilomo, or Rscan, infects computers in drive-by downloads when people visit Web sites hosting malicious code that exploits vulnerabilities in browser plug-ins Flash and ActiveX, said Joe Stewart, director of malware research for the Counter Threat Unit of SecureWorks.

When the infected computer is used to access a targeted banking or other site, the log-in and other information is stolen.

Clampi has spread quickly through Microsoft-based networks in a worm-like fashion in recent months, Stewart said. It uses domain administrator credentials that were either stolen by the Trojan or based on an administrator logging into an infected system. It then uses a Windows executable SysInternals tool, "psexec," to copy itself to all the computers on the domain, he said.

Clampi also serves as a proxy server for criminals to anonymize their activity when logging into stolen accounts.

Stewart has identified 1,400 Web sites in 70 different countries out of 4,500 sites being targeted by the Trojan attack. The sites include banks, credit card companies, online casinos, retail sites, utilities, ad networks, stock brokerages, mortgage lenders, and government and military portals.

Based on the techniques they are using, Stewart said criminals in Eastern Europe are believed to be behind Clampi.

Because it can take days or weeks to get a sample of the latest version of the Trojan, antivirus protection is often delayed, arriving after a PC is already infected, according to Stewart.

"This type of Trojan, banking Trojans in general, are the biggest threat to home computer users and businesses doing banking online," he said. "You can't rely on antivirus. At some point you are going to visit the wrong site and they'll get a Trojan on your computer."

The Trojan uses three types of encryption and sophisticated virtual machine-based packing technology to disguise itself in order to get through antivirus filters, according to Stewart.

SecureWorks' intrusion prevention software doesn't stop computers from getting infected but it prevents the stealing of the data by blocking the encrypted traffic that it deemed suspicious, he said.

Stewart recommends that consumer and business Web surfers use a dedicated computer for their banking and other sensitive financial online activities that is separate from the computer where e-mail is accessed and Web surfing is done. People should also be careful using removable drives on those isolated computers as Trojans can spread that way.

By now, the criminals "probably have way more accounts than they can actually clean out," Stewart said.

Even so, the losses from Clampi are starting to be publicized. The Trojan was behind the theft of nearly $75,000 from Slack Auto Parts in Gainesville, Ga., according to the Security Fix blog at The Washington Post: http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html#more

(Cnet)

Samker's Computer Forum - SCforum.info


 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.codekids.ba:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Kursevi programiranja za ucenike u Sarajevu

Terms of Use | Privacy Policy | Advertising
TinyPortal 2.3.1 © 2005-2023