SecureWorks Discovers Banking Trojan Targeting High Profile Businesses

Joe Stewart, researcher at SecureWorks, has found 'Clampi' a Trojan, also called Llomo, Rscan or Ligats, as it pulls out account information from the globe's most wealthy and popular businesses, as reported by DarkReading on July 29, 2009.

The malware has been contaminating PCs since 2007 and by now it has filched data from innumerable Windows users while hunting for information, which could help in logging into banking as well as other websites that interest online criminals.

The Trojan, in a major and highly sophisticated online thieving operation, has scattered on Microsoft networks in a typical style, and might have already infected innumerable home and corporate computer users.

It employs PsExec, a widely-used Telnet replacement program that allows a PC to run processes on associated PCs, and an advanced means for packing and encryption that helps to conceal the source it originates from and the target it intends to attack. Stewart states, Clampi seems to be aiming its attacks against 4,600 websites, about 1,400 of which he has detected in 70 nations. Those 1,400 sites comprise a few of the world's highly popular as well as financially lucrative enterprises.

Distinct from virus Coreflood, which extracted a variety of information from infected computers, Clampi pulls out no more than useful credentials and account data. Stewart said that the bad guys were getting all that they needed, storing them in a precise database. According to him, although the criminals collected most of the information in different languages, they managed to find a technique for placing all of them together.

Moreover, it works like a substitute server with which criminals keep their identity hidden while logging into users' hacked accounts.

Studying the techniques of using the Trojan, Stewart said that it was more prevalent in Eastern Europe.

Commenting on the point, specialists on computer security stated that trojans like Clampi posed the greatest risk to business and household PC users conducting online banking transactions. Anti-viruses were also not wholly reliable as users were sure to access the incorrect website somewhere along the line and become infected with a Trojan, they said.

Related article: SecureWorks Identifies Bank and Information Stealing Trojan Coreflood

» SPAMfighter News - 8/17/2009