172.74.72.8 (talk) Added in sources to support the claim of usage of the Clampi virus as a scarecrow by scammers to intimidate individuals
Technophant (talk | contribs) m →Detailed analysis: rev wlink
(34 intermediate revisions by 4 users not shown)
Line 1: | Line 1:
<noinclude>{{User:RMCD bot/subject notice|1=Clampi (trojan)|2=Talk:Clampi#Requested move 2 June 2020 }}

{{context|date=June 2016}}

</noinclude>{{cleanup rewrite|date=June 2020}}
'''Clampi''' (also known as '''Ligats, llomo,''' or '''Rscan''')<ref>{{Cite web|last=Horowitz|first=Michael|date=2009-07-29|title=Defending against the Clampi Trojan|url=https://www.computerworld.com/article/2467216/defending-against-the-clampi-trojan.html|url-status=live|archive-url=|archive-date=|access-date=|website=Computer World}}</ref> is a strain of computer [[malware]] that affected [[Microsoft Windows|Windows]] [[personal computers|computers]]{{when|date=June 2020}}. More specifically, it is a [[man-in-the-browser]] banking [[Trojan horse (computing)|trojan]] designed to transmit financial and personal information from a compromised computer to a third party for potential financial gain, as well as to report on computer configuration, communicate with a central server, and act as a downloader for other malware.<ref name=":0">{{Cite web|last=|first=|date=|title=Inside the Jaws of Trojan.Clampi - Symantec Enterprise|url=https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f6680a5d-0217-4d3e-9a98-c813924ef7e0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments|url-status=live|archive-url=|access-date=2020-06-02|website=Broadcom Endpoint Protection Library}}</ref> Clampi was first observed in 2007 affecting computers running [[Microsoft Windows]].<ref>{{cite web|url=https://www.cnet.com/news/clampi-trojan-stealing-online-bank-data-from-consumers-and-businesses/|title=Clampi Trojan stealing online bank data from consumers and businesses|work=CNET|author=Elinor Mills|date=2009-07-29}}</ref>

Clampi monitored over 4,000 website URLs, effectively [[Keystroke logging|keylogging]] credentials and user information not only for bank and credit card websites but also for utilities, market research firms, online casinos, and career websites.<ref>{{cite web |url=https://web.archive.org/web/20090802114351/http://www.networkworld.com/news/2009/072909-clampi-trojan.html|title=Clampi Trojan revealed as financial-plundering botnet monster|work=Network World |author=Ellen Messmer|date=2009-07-29}}</ref> At its peak in the fall of 2009, a [[computer security]] professional stated that it was one of the largest and most professional thieving operations on the Internet, likely run by a Russian or eastern European syndicate.<ref>{{cite web|url=http://voices.washingtonpost.com/securityfix/2009/09/clamping_down_on_clampi.html|title=Clamping Down on the 'Clampi' Trojan|work=Washington Post|author=Brian Krebs|authorlink=Brian Krebs|date=2009-09-11}}</ref> [[False positives and false negatives|False-positive]] reporting of Clampi is also often used by tech support scammers to pressure individuals into sending them money for the removal of the fake virus.<ref>{{cite web |url=https://www.kaspersky.com/resource-center/definitions/what-is-the-clampi-virus|title=What is the Clampi Virus?|work=Kaspersky |author=Kaspersky Team}}</ref><ref>{{cite web |url=https://web.archive.org/web/20200528040104/https://www.southbendtribune.com/news/business/protect-yourself-against-computer-viruses-and-scammers/article_a8bec3e2-5b18-5217-a244-b6c9ad14599a.html|title=Protect yourself against computer viruses — and scammers|work=South Bend Tribune |author=Dreama Jensen|date=2016-12-16}}</ref>
==Detailed analysis== |
Computer security analyst Nicolas Falliere claimed that "few threats have had us scratching our heads like Trojan.Clampi". It was the first trojan found to be using a [[virtual machine]] called [[VMProtect]] to hide its [[instruction set]].<ref>{{Cite web|title=VMAttack {{!}} Proceedings of the 12th International Conference on Availability, Reliability and Security|url=https://dl.acm.org/doi/abs/10.1145/3098954.3098995|access-date=2020-06-02|website=dl.acm.org|language=EN|doi=10.1145/3098954.3098995}}</ref> He remarked that the use of a virtual machine added weeks to the time it takes to [[disassembler|disassemble]] and describe the threat and its mechanism of action.<ref name=":0" /> He found that it logged and transmitted personal financial information from a compromised computer to a third party for potential financial gain, reported on computer configuration, communicated with a central server, exploited [[Internet Explorer 8]], set up a [[SOCKS|SOCKS proxy]], and acted as a downloader for other malware. The virus was sophisticated enough to hide behind firewalls and go undetected for long periods of time.<ref>{{Cite web|date=2017-11-02|title=What is the Clampi Virus?|url=https://usa.kaspersky.com/resource-center/definitions/what-is-the-clampi-virus|access-date=2020-06-02|website=usa.kaspersky.com}}</ref> A list of around 4,800 URLs was stored [[Cyclic redundancy check|CRC]]-encoded (similar to hashing). In September 2009 this list was [[dictionary attack]]ed against a list of common URLs to produce a partial list of known target sites, with some duplication and ambiguity.<ref name=":0" /> The source code has never been reported to be shared or sold online.
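The CRC-list recovery described above, as an added example that is not part of the article or of the Symantec analysis: it builds a small CRC list from constructed hostnames (the form in which the trojan would carry its watch list, values only), runs a constructed dictionary of common domains and hostname prefixes against it, and reports which entries are recovered, which stay unresolved, and how many recovered entries are really the same site (the duplication mentioned above). It assumes zlib/IEEE CRC-32 over the lowercased hostname; the article says only that the list was CRC encoded, and the `.test`/`.example` names, prefixes and the `UNKNOWN_TARGET_CRC` value are all constructed.

```python
import zlib

# Constructed sample data, not taken from the Clampi sample or the Symantec analysis:
# hostnames standing in for sites the trojan watched, plus one CRC that no dictionary
# entry will match (stands in for the entries that stayed unresolved in 2009).
CONSTRUCTED_TARGETS = [
    "login.bank-one.test",
    "www.bank-one.test",        # same site as the line above in a second form: a duplicate
    "secure.cardissuer.test",
    "payroll.utility-co.test",
    "casino.example",
]
UNKNOWN_TARGET_CRC = 0x12345678  # constructed placeholder value

# Constructed dictionary of "common" bare domains an analyst would try.
CONSTRUCTED_DICTIONARY = ["bank-one.test", "cardissuer.test", "utility-co.test",
                          "casino.example", "news.example"]


def crc32_of_host(host: str) -> int:
    """Assumption: zlib/IEEE CRC-32 over the lowercased hostname. The article says only
    that the list was "CRC encoded"; the variant and input form are not given."""
    return zlib.crc32(host.strip().lower().encode("ascii")) & 0xFFFFFFFF


def build_crc_list(hosts) -> list:
    """What the malware would carry: CRC values only, no hostnames."""
    return sorted({crc32_of_host(h) for h in hosts} | {UNKNOWN_TARGET_CRC})


def expand_dictionary(domains):
    """Hostname forms the dictionary attack tries for each bare domain (constructed prefixes)."""
    for domain in domains:
        for prefix in ("", "www.", "login.", "secure.", "online.", "payroll."):
            yield prefix + domain


def dictionary_recover(crc_list, candidates):
    """Map CRC values back to candidate hostnames.

    Returns (recovered, unresolved): recovered maps crc -> sorted matching hostnames
    (more than one entry means the match is ambiguous, since CRC-32 has no collision
    resistance); unresolved holds the CRCs no candidate produced.
    """
    wanted = set(crc_list)
    recovered = {}
    for cand in candidates:
        crc = crc32_of_host(cand)
        if crc in wanted:
            recovered.setdefault(crc, set()).add(cand.lower())
    unresolved = wanted - set(recovered)
    return {crc: sorted(hosts) for crc, hosts in recovered.items()}, unresolved


def distinct_sites(recovered) -> set:
    """Collapse recovered hostnames to their last two labels to expose duplicate sites."""
    return {".".join(host.split(".")[-2:]) for hosts in recovered.values() for host in hosts}


if __name__ == "__main__":
    crc_list = build_crc_list(CONSTRUCTED_TARGETS)
    recovered, unresolved = dictionary_recover(crc_list, expand_dictionary(CONSTRUCTED_DICTIONARY))
    for crc in crc_list:
        hosts = recovered.get(crc)
        print(f"{crc:08x}  {', '.join(hosts) if hosts else '<unresolved>'}")
    print(f"{len(crc_list)} CRCs, {len(recovered)} recovered, {len(unresolved)} unresolved, "
          f"{len(distinct_sites(recovered))} distinct sites")
```

A CRC match is a candidate, not a confirmation: the function keeps every candidate that produced a listed value, so an entry with more than one match is reported as ambiguous rather than resolved, and an entry no dictionary word reaches stays unresolved, which is why the 2009 recovery was only partial.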
=== Relationship to technical support scams === |
Between 2007 and 2009, Clampi was also known to use URL redirects and/or [[homepage hijack]]ing to display fake [[technical support scam]] websites. More recently, its name has often been included in tech support scam scripts: the scammer pastes "Clampi foound (sic)" into the [[Windows Console]] over [[remote desktop]] and then pulls up this Wikipedia page to exaggerate the dangers.<ref>{{cite AV media|url=https://www.youtube.com/watch?v=3gifAn1abNk&t=14:50|title=Tech Scammer Can't Fix His Own Fake Diagnosis|date=2020-03-12|people=[[Kitboga]]|language=|publisher=YouTube|trans-title=|ref=|id=|quote=clampi foound|medium=}}</ref><ref>{{Cite web|last=Selk|first=Avi|date=2019-02-08|title=Internet scammers are terrible. This troll is their nightmare.|url=https://www.washingtonpost.com/news/the-intersect/wp/2018/02/08/internet-scammers-are-terrible-this-troll-is-their-nightmare/|url-status=live|archive-url=|archive-date=|access-date=2019-09-22|website=The Washington Post}}</ref>
=== Named modules === |
A list of components discovered through decryption of the executable in 2009:<ref name=":0" />

# SOCKS - A [[SOCKS proxy]] that the attackers can use to log into your computer as you, from your work or home internet connection.
# PROT - Steals PSTORE (protected storage for [[Internet Explorer]]) [[Credential Management|credentials]] (login information), which typically contains information saved by users.
# LOGGER - A [[Keystroke logging|keylogger]] that steals online credentials.
# LOGGEREXT - Aids in stealing online credentials for websites with enhanced security, i.e. Hypertext Transfer Protocol Secure ([[HTTPS]]).
# SPREAD - Spreads Clampi to computers in the network with open [[peer-to-peer networking]].
# ACCOUNTS - Steals locally saved credentials for a variety of applications such as [[Instant messaging|Instant Messaging]] and [[FTP clients]].
# INFO - Gathers and sends general [[System Information (Windows)|system information]].
# KERNAL - The eighth module, which refers to itself as [[Kernel (operating system)|Kernel]] while running inside the proprietary protected [[virtual appliance]].
==See also==<!-- PLEASE RESPECT ALPHABETICAL ORDER -->

Line 18: | Line 45:
*[http://abcnews.go.com/Business/story?id=8217116 Clampi virus targets companies' financial accounts] – ''[[ABC News]]''
*[http://www.pcworld.com/article/169333/botnet_spreading.html Massive Botnet Stealing Financial Info] – ''[[PC World]]''
*[https://web.archive.org/web/20161223003901/https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/inside_trojan_clampi.pdf Inside the Jaws of Trojan.Clampi] – Symantec Security whitepaper (archived)
*Defending Against the C

{{Botnets}}

[[Category:Computer worms]]
Revision as of 20:18, 2 June 2020
See also
- Botnet
- Conficker
- Gameover ZeuS, the successor to ZeuS
- Operation Tovar
- Timeline of computer viruses and worms
- Tiny Banker Trojan
- Torpig
- Zombie (computing)