


GhostOfCaptSpaulding
07-31-2009, 03:20 PM
Clampi Worm Puts Online Financial Transactions at Risk

http://i233.photobucket.com/albums/ee162/21b45o13x25c54o34d45e/canoworms.jpg

With security researchers focused on the Black Hat security conference, a Trojan called Clampi is still making its way across the Web looking for victims.

Also known as Ligats, Ilomo or Rscan, Clampi is a Trojan that aims to steal credentials from infected systems. According to SecureWorks, hundreds of thousands of Windows computers may already be infected and many more are at risk. In one recent example, an auto-parts store lost about $75,000 to a group of attackers leveraging the power of Clampi in early July.

Although Clampi is not a new threat -- it has been harassing Windows users since 2007 -- security researchers report it is gaining momentum.

Joe Stewart, SecureWorks director of malware research for the counter threat unit, launched an in-depth investigation into the Trojan and its use of the psexec tools to spread earlier this year. What he discovered is troubling.

"In recent months, Clampi has successfully spread across Microsoft networks in a worm-like fashion," Stewart said.

How Clampi Attacks

Stewart has identified 1,400 of the 4,500 Web sites in 70 different countries Clampi attackers are targeting. The Clampi Trojan, he reported, requests information specifically from these sites via infected computers. A sophisticated organized-crime group from Eastern Europe is running Clampi and has been implicated in numerous high-dollar thefts from banking institutions.

"Clampi's recent success in infecting victims is accomplished by using domain-administrator credentials -- either stolen by the Trojan or reused, or by virtue of the fact that a domain administrator has logged into an already infected system. Once domain-administrator privileges are granted, the Trojan uses the SysInternals tool psexec to copy itself to all computers on the domain," Stewart said. "Clampi also serves as a proxy server used by criminals to anonymize their activity when logging into stolen accounts."

Although most major antivirus engines should detect Clampi and its variants, Stewart said there is always a delay between a new Trojan release and the detection time. He recommends businesses that use online banking and financial transactions adopt a strategy to isolate workstations where these activities are carried out.

Sophisticated Risks

Today's malware codes are incredibly sophisticated -- and may even have their own internal encryption capabilities to hinder analysis or hijacking of their botnets or codes, according to Ken Dunham, director of global response at iSight Partners.

"Even if you wipe Windows and reinstall it, many of these Trojans can still load up and take control of your system. We're moving toward disk-level- or hardware-level-based compromise," Dunham said. "The sophistication is something that needs to be recognized. We're dealing with highly organized, talented people that are criminals."

Best practices are a must, but it can be difficult to protect against Web-based attacks and specifically third-party browser attacks that leverage Flash and PDF. Dunham said he sees new reports of attacks that involve PDF or Flash exploits or something similar cross his desk every day.

"It's one thing to say you've got your Windows updated and your antivirus in place. It's another thing to say you've got your browser updated," Dunham said. "But do you have your browser plug-ins updated? It's complicated."

Sci-Tech Today | Clampi Worm Puts Online Financial Transactions at Risk (http://www.sci-tech-today.com/news/Clampi-Worm-Threatens-Finances/story.xhtml?story_id=13300EUNALOP)

And don't forget to wash your hands...
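Detection logic for the spread pattern the quoted article describes (a domain administrator logging on to an already infected workstation, then psexec copying the Trojan across the domain), as an added example that is not from the article or from SecureWorks. The simplified record format, the DOMAIN_ADMINS set and the sample events are constructed; event IDs 7045 (service installed) and 4624 (successful logon) and the PSEXESVC service name that psexec registers are standard Windows/Sysinternals values.

```python
"""Flag psexec-style lateral movement in constructed Windows event records."""

DOMAIN_ADMINS = {"CORP\\dadmin"}        # assumption: the domain's admin accounts
INTERACTIVE_LOGON_TYPES = {"2", "10"}   # console and RDP logons leave credentials on the box

SAMPLE_EVENTS = [  # constructed records, one dict per event
    {"host": "WS01", "event_id": 4624, "account": "CORP\\dadmin", "logon_type": "10"},
    {"host": "WS02", "event_id": 7045, "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "WS03", "event_id": 7045, "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "WS04", "event_id": 7045, "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "WS05", "event_id": 7045, "service": "Spooler", "image": "%SystemRoot%\\System32\\spoolsv.exe"},
    {"host": "WS06", "event_id": 4624, "account": "CORP\\alice", "logon_type": "2"},
]


def detect(events, admins=DOMAIN_ADMINS, fanout_threshold=3):
    """Return a list of (rule, detail) alerts.

    Rule 1: a domain-admin account logs on interactively to a workstation
            (the credential exposure the article describes).
    Rule 2: the psexec service (PSEXESVC) is installed on a host.
    Rule 3: PSEXESVC appears on >= fanout_threshold distinct hosts,
            i.e. worm-like copying across the domain.
    """
    alerts = []
    psexec_hosts = set()
    for ev in events:
        if (ev["event_id"] == 4624 and ev.get("account") in admins
                and ev.get("logon_type") in INTERACTIVE_LOGON_TYPES):
            alerts.append(("admin_interactive_logon",
                           f"{ev['account']} on {ev['host']} (logon type {ev['logon_type']})"))
        elif ev["event_id"] == 7045 and ev.get("service", "").upper() == "PSEXESVC":
            psexec_hosts.add(ev["host"])
            alerts.append(("psexec_service_installed", f"{ev['host']}: {ev['image']}"))
    if len(psexec_hosts) >= fanout_threshold:
        alerts.append(("psexec_fanout", f"{len(psexec_hosts)} hosts: {sorted(psexec_hosts)}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Legitimate administrative use of psexec will also trip rule 2, so the fan-out rule and the admin-logon rule are what separate routine use from the domain-wide copying the article describes.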