Trojan Clampi Utilizes Shellcode for Circumventing Firewalls

According to researchers at security company Symantec, the Clampi Trojan uses unusual methods to bypass firewalls, such as the Windows Firewall, on compromised computers. By using unique techniques, experts say, the Trojan becomes better at beating common firewalls and harder for security practitioners and vendors to detect and assess.

The researchers said that Clampi generally tries to establish contact with a gateway server, such as "Gate", from which it receives commands and to which it sends information. Firewalls, however, would in general not let the malware establish any link with the world outside the computer.

Meanwhile, all variants of Clampi are devised to go beyond certain conventional methods such as creating new registry entries on a Windows system. Instead, they inject code straight into the Internet Explorer web browser.

While this method may be enough to launch an attack with most Trojans, Clampi's malicious activities involve many other stealthy forms, the researchers argue. Rather than leaving its active payload inside the browser, where it could be detected, Clampi is programmed to perform its activities only when necessary. To that end, the attackers have implemented an Application Programming Interface (API) proxy, and they inject and run pieces of code inside Internet Explorer. Whenever Clampi needs to transmit data to Gate, it resorts to the API proxy.

According to the researchers, immediately after it is executed, the Trojan launches an instance of Internet Explorer. The window is concealed, its main thread is suspended, and it is started with a command line resembling shellcode, which notably comprises a tiny decrypting key and a subsequent American Standard Code for Information Interchange (ASCII) sequence.
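As an added illustration (not from Symantec or the original article), one way a defender could hunt for the behaviour described above in process-creation logs is to flag Internet Explorer launches whose arguments are not a switch, URL or path but a long, high-entropy token. The event field names, the switch allowlist, the thresholds and the sample events are assumptions constructed for this example.

```python
import math
import re
from collections import Counter

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
# Assumed allowlist of ordinary Internet Explorer arguments; tune for your fleet.
KNOWN_SWITCHES = {"-k", "-private", "-extoff", "-nohome", "-embedding", "-nomerge"}
BENIGN_ARG = re.compile(
    r"^(https?://|file://|about:|[a-z]:\\|\\\\|scodef:|credat:|/prefetch:)", re.I)
# Constructed process-creation events (field names modelled on Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": IE,
     "CommandLine": f'"{IE}" http://intranet.example/home'},
    {"ParentImage": IE, "Image": IE,
     "CommandLine": f'"{IE}" SCODEF:4242 CREDAT:79873 /prefetch:2'},
    {"ParentImage": r"C:\Users\alice\AppData\Roaming\svc.exe", "Image": IE,
     "CommandLine": f'"{IE}" Xq7PzR2mKd9LwTf4VbN8hYc3JsG6uAe1ZoQ5'},
]

def entropy(text):
    """Shannon entropy in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def suspicious_args(command_line, min_len=24, min_entropy=4.0):
    """Arguments that are no switch, URL or path and look like an encoded blob."""
    match = re.match(r'\s*("[^"]*"|\S+)\s*(.*)', command_line, re.S)
    rest = match.group(2) if match else ""  # drop the image path itself
    hits = []
    for arg in rest.split():
        arg = arg.strip('"')
        if arg.lower() in KNOWN_SWITCHES or BENIGN_ARG.match(arg):
            continue
        if len(arg) >= min_len and entropy(arg) >= min_entropy:
            hits.append(arg)
    return hits

def flag_events(events):
    """Return (parent image, suspicious arguments) for each flagged browser launch."""
    flagged = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\iexplore.exe"):
            continue
        hits = suspicious_args(ev["CommandLine"])
        if hits:
            flagged.append((ev["ParentImage"], hits))
    return flagged

if __name__ == "__main__":
    for parent, hits in flag_events(SAMPLE_EVENTS):
        print("review:", parent, "->", hits)
```

A hit is a lead for review, not a verdict; correlating it with a hidden window or an unusual parent process narrows the result further.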
In their closing note, the researchers said that while Trojans of other kinds might embrace similar tactics to penetrate firewalls and endpoint tools and try to conceal themselves, hardly any carried them out as effectively as Clampi or used techniques as sophisticated as Clampi's.

SPAMfighter News - 06-11-2009