Inside Trojan.Clampi: The Logger Module




Postby Spudz » Mon Oct 12, 2009 12:28 pm

Inside Trojan.Clampi: The Logger Module
Nicolas Falliere
October 12th, 2009

As mentioned in our previous blog entry, most of the Trojan.Clampi features reside in separate modules that are sent by a remote server in response to clients’ queries. In this part of this blog series, we’ll have a look at one of the modules used by the malware to steal login credentials mostly from banking Web sites.

This module is codenamed LOGGER by the threat. After decryption, the beginning of the module’s raw data looks like this (compressed):

[Image: beginning of the decrypted LOGGER module's raw data (compressed)]

To avoid downloading the module each time Clampi runs, it is stored in the registry (in an encrypted form) in a value named “Mxx”, where “xx” is a zero-based number representing the current module count (e.g. “M02”).

Note that Clampi’s modules are standard DLLs, and like Clampi itself, are protected by a complex commercial software protector that uses executable code virtualization.

The LOGGER module injects a code stub into Internet Explorer and hooks several APIs imported by the standard Windows DLL, urlmon.dll, which is used by Internet Explorer to open Web pages. These hooks will redirect code execution to the Clampi-injected code. The hooked routines include:


http://www.symantec.com/connect/blogs/i ... ger-module
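A defender-side check that follows from the storage scheme the quoted write-up describes (modules kept encrypted in registry values named "Mxx" with a zero-based two-digit index). This is an added example, not code from the post, from Symantec, or from the Clampi analysis. The write-up does not give the registry key the malware uses, so the live-host reader takes the hive and key path as parameters; the `SAMPLE_VALUES` dump, the 7.0 bits/byte entropy threshold and all function names are constructed assumptions for illustration.

```python
import math
import re
from typing import Dict, List, Tuple

# Clampi stores each downloaded module encrypted in a registry value named "Mxx",
# where xx is a zero-based, two-digit module index ("M00", "M01", ...).
MODULE_VALUE_RE = re.compile(r"^M(\d{2})$")


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte. Encrypted or compressed data sits near 8.0;
    plain text, zero padding and most configuration blobs sit well below 7.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_module_values(values: Dict[str, bytes],
                       min_entropy: float = 7.0) -> List[Tuple[str, int, float]]:
    """Return (value name, module index, entropy) for every value whose name
    matches the Mxx scheme and whose payload is high-entropy, i.e. consistent
    with an encrypted module. Sorted by module index."""
    hits = []
    for name, data in values.items():
        m = MODULE_VALUE_RE.match(name)
        if m is None:
            continue
        ent = shannon_entropy(data)
        if ent >= min_entropy:
            hits.append((name, int(m.group(1)), ent))
    return sorted(hits, key=lambda h: h[1])


def is_contiguous_from_zero(hits: List[Tuple[str, int, float]]) -> bool:
    """True when the flagged indices run 0, 1, 2, ... without gaps, which is what
    a per-module counter produces and what a lone coincidental "M05" does not."""
    return [h[1] for h in hits] == list(range(len(hits)))


def read_values_from_registry(hive_name: str, subkey: str) -> Dict[str, bytes]:
    """Read every REG_BINARY value under a key on a live Windows host via winreg.
    The key Clampi uses is not given in the write-up, so the caller supplies it
    (hive_name is a winreg constant name such as "HKEY_CURRENT_USER").
    Returns an empty dict where winreg is unavailable (non-Windows)."""
    try:
        import winreg
    except ImportError:
        return {}
    hive = getattr(winreg, hive_name)
    out: Dict[str, bytes] = {}
    with winreg.OpenKey(hive, subkey) as key:
        i = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, i)
            except OSError:  # raised once the value index runs past the end
                break
            if kind == winreg.REG_BINARY:
                out[name] = data
            i += 1
    return out


# Constructed sample standing in for a registry key dump. The three "encrypted"
# blobs use a uniform byte distribution (entropy exactly 8.0) as a stand-in for
# ciphertext; the remaining values are benign look-alikes that must not be flagged.
SAMPLE_VALUES: Dict[str, bytes] = {
    "M00": bytes(range(256)) * 16,
    "M01": bytes(range(255, -1, -1)) * 16,
    "M02": bytes(range(256)) * 16,
    "M03": b"\x00" * 4096,              # right name, but zero-filled: not encrypted
    "M1": bytes(range(256)) * 16,       # high entropy, but not the two-digit scheme
    "Settings": b"plain text config " * 64,
}


if __name__ == "__main__":
    hits = find_module_values(SAMPLE_VALUES)
    for name, idx, ent in hits:
        print(f"{name}: module index {idx}, entropy {ent:.2f} bits/byte")
    print("contiguous zero-based sequence:", is_contiguous_from_zero(hits))
```

Running it against the constructed dump flags M00, M01 and M02 as a contiguous zero-based set and ignores the zero-filled M03, the mis-named M1 and the plain-text Settings value. On a real host, pass the output of `read_values_from_registry` to `find_module_values`; the name pattern alone is weak evidence, so the entropy check and the contiguity check are what keep the false-positive rate down.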
