Inside Trojan.Clampi: Stealing Your Information

Postby Spudz » Fri Oct 16, 2009 11:13 am

Inside Trojan.Clampi: Stealing Your Information
Nicolas Falliere
October 16th, 2009

Let’s continue our Trojan.Clampi blog series by discussing three more modules downloaded and executed by Clampi. These modules share the common goal of gathering information, private or not, contained on the compromised computer. They don’t intercept network traffic like the Logger module does (described in my previous blog).

The PROT module
This module gathers private information from several sources, including Protected Storage (PStore), which contains user credentials stored by Internet Explorer or Outlook for instance. Interestingly, it also sets specific registry values in order to facilitate the creation of new entries in the PStore.
For instance, it sets the following registry entries:

* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ "Use FormSuggest" = "true"
This enables form suggestion.
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ "FormSuggest_Passwords" = "true"
This lets Internet Explorer fill login/password combinations in forms automatically. Suggesting passwords means they are stored in the PStore.
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\ "FormSuggest_PW_Ask" = "no"
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\ "AutoSuggest" = "true"
This allows Windows Explorer to store network share information, for instance.
* HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\ "POP3 Prompt for Password" = "0"
Lets Outlook record the mail account passwords in the PStore.


Symantec Security Blog

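The five registry values the post attributes to the PROT module are a usable host indicator: a legitimate user rarely flips all of them at once, and an offline check over a registry export (reg.exe export of HKCU) can show whether a machine has been "prepared" for PStore harvesting. The script below is an added example for this thread, not code from Symantec or from the Clampi analysis. It parses a constructed .reg export, looks for the five key/value pairs exactly as listed in the post, and reports which ones match the values Clampi writes alongside the value a hardened configuration would carry. Assumptions of this example: the .reg sample is made up; the "hardened" values are simply the inverse of what the post says the module sets; and "yes"/"no" are treated as equivalent to "true"/"false" because Internet Explorer stores these switches as yes/no strings on real systems, whereas the post quotes them as true/no.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical .reg export, constructed for this example. Four of the five
# PROT indicators are present; "AutoSuggest" has deliberately been left out.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use FormSuggest"="true"
"FormSuggest_Passwords"="true"
"FormSuggest_PW_Ask"="no"
"Start Page"="about:blank"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete]
"Append Completion"="yes"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts]
"POP3 Prompt for Password"=dword:00000000
"""

IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
EXPLORER_AC = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete"
IAM_ACCOUNTS = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts"

# (key, value name) -> (value the PROT module writes, assumed hardened value).
# The left column is taken from the post; the right column is this example's
# assumption (the opposite setting), not something the post states.
CLAMPI_PROT_SETTINGS: Dict[Tuple[str, str], Tuple[str, str]] = {
    (IE_MAIN, "Use FormSuggest"): ("true", "no"),
    (IE_MAIN, "FormSuggest_Passwords"): ("true", "no"),
    (IE_MAIN, "FormSuggest_PW_Ask"): ("no", "yes"),
    (EXPLORER_AC, "AutoSuggest"): ("true", "no"),
    (IAM_ACCOUNTS, "POP3 Prompt for Password"): ("0", "1"),
}

_VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def normalize(value: str) -> str:
    """Collapse the spellings Windows uses for these switches into true/false.
    Treating yes/1 as true and no/0 as false is an assumption of this checker."""
    v = value.strip().lower()
    if v in ("true", "yes", "1"):
        return "true"
    if v in ("false", "no", "0"):
        return "false"
    return v


def parse_reg_export(text: str) -> Dict[Tuple[str, str], str]:
    """Parse a Unicode-less .reg export into {(key, value name): value}.
    Handles REG_SZ ("x"="y") and REG_DWORD ("x"=dword:00000001); other
    types are kept as their raw right-hand side."""
    values: Dict[Tuple[str, str], str] = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.lower().startswith("dword:"):
            value = str(int(raw[6:], 16))
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            value = raw
        values[(key, name)] = value
    return values


def find_prot_indicators(values: Dict[Tuple[str, str], str]) -> List[Tuple[str, str, str, str]]:
    """Return (key, name, observed value, hardened value) for every PROT
    setting whose observed value matches what the module writes."""
    hits = []
    for (key, name), (clampi_value, hardened) in CLAMPI_PROT_SETTINGS.items():
        observed = values.get((key, name))
        if observed is not None and normalize(observed) == normalize(clampi_value):
            hits.append((key, name, observed, hardened))
    return hits


if __name__ == "__main__":
    for key, name, observed, hardened in find_prot_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{key}\\{name} = {observed!r}  (hardened: {hardened!r})")
```

Feed it `reg export HKCU hkcu.reg` output (saved as ANSI/UTF-8 rather than the default UTF-16 if the file is opened in text mode) and the four matching entries in the sample are reported; a clean profile typically matches none or one, so a full set is worth treating as a Clampi PROT indicator rather than user preference.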