Inside Trojan.Clampi: The Logger Module
October 12th, 2009
As mentioned in our previous blog entry, most of Trojan.Clampi's features reside in separate modules that are sent by a remote server in response to the client's queries. In this part of the series, we'll have a look at one of the modules the malware uses to steal login credentials, mostly from banking Web sites.
This module is codenamed LOGGER by the threat. After decryption, the beginning of the module’s raw data looks like this (compressed):
To avoid downloading the module each time Clampi runs, it is stored in the registry (in an encrypted form) in a value named “Mxx”, where “xx” is a zero-based number representing the current module count (e.g. “M02”).
Note that Clampi’s modules are standard DLLs, and like Clampi itself, are protected by a complex commercial software protector that uses executable code virtualization.
The LOGGER module injects a code stub into Internet Explorer and hooks several APIs imported by the standard Windows DLL, urlmon.dll, which is used by Internet Explorer to open Web pages. These hooks will redirect code execution to the Clampi-injected code. The hooked routines include:
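As an added illustration (not code from the original post or from Symantec), here is the check a memory-forensics script would run against the inline-hook technique described above: it takes the first bytes of each exported routine as read from the Internet Explorer process, decodes the common hook-stub forms (jmp rel32, push/ret, mov eax/jmp eax), and flags any routine whose control transfer leaves the module's own image. The module base and size, the export names and the byte strings are constructed sample values, not Clampi's.

```python
import struct

# Constructed layout of a loaded urlmon.dll image (not real addresses).
MODULE_BASE = 0x78130000
MODULE_SIZE = 0x00100000


def make_jmp_rel32(func_va, target):
    """Build the bytes of a 'jmp rel32' at func_va that lands on target.
    Used only to construct the sample input below."""
    rel = (target - (func_va + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)


def decode_transfer_target(func_va, code):
    """Return the absolute address that the first instruction(s) at func_va
    transfer control to if they form a known hook stub, else None.

    Recognised stubs (x86):
      E9 rel32          jmp rel32
      68 imm32 C3       push imm32 ; ret
      B8 imm32 FF E0    mov eax, imm32 ; jmp eax
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return (func_va + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":
        return struct.unpack_from("<I", code, 1)[0]
    return None


def classify_export(func_va, code, module_base=MODULE_BASE, module_size=MODULE_SIZE):
    """Classify one exported routine from its in-memory prologue bytes.

    'clean'             - no transfer stub at the entry point
    'intra-module jump' - transfer stays inside the module (hot-patch style)
    'hooked'            - transfer leaves the module: code now runs elsewhere,
                          which is what an injected hook produces
    """
    target = decode_transfer_target(func_va, code)
    if target is None:
        return "clean"
    if module_base <= target < module_base + module_size:
        return "intra-module jump"
    return "hooked"


def scan_exports(exports):
    """exports: {name: (function_va, first_bytes)} -> {name: classification}."""
    return {name: classify_export(va, code) for name, (va, code) in exports.items()}


# Constructed sample: four exports as they might be read from the IE process.
INJECTED_REGION = 0x00A40000  # constructed address of foreign (injected) code

SAMPLE_EXPORTS = {
    # standard hot-patchable Win32 prologue: mov edi,edi ; push ebp ; mov ebp,esp
    "ExportA": (0x78131000, b"\x8B\xFF\x55\x8B\xEC"),
    # entry point overwritten with a jmp into the injected region
    "ExportB": (0x78132000, make_jmp_rel32(0x78132000, INJECTED_REGION)),
    # push/ret trampoline to the injected region
    "ExportC": (0x78133000, b"\x68" + struct.pack("<I", INJECTED_REGION + 0x10) + b"\xC3"),
    # jmp that stays inside the module image (not a foreign hook)
    "ExportD": (0x78134000, make_jmp_rel32(0x78134000, 0x78135000)),
}

if __name__ == "__main__":
    for name, verdict in scan_exports(SAMPLE_EXPORTS).items():
        print(f"{name}: {verdict}")
```

The check only looks at the entry-point bytes, so it catches the classic "overwrite the first five bytes" hook; a defender working a live case would pair it with a comparison of the in-memory code section against the on-disk urlmon.dll to catch hooks placed deeper inside a routine.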
http://www.symantec.com/connect/blogs/i ... ger-module