Inside Trojan.Clampi: Stealing Your Information
October 16th, 2009
Let’s continue our Trojan.Clampi blog series by discussing three more modules downloaded and executed by Clampi. These modules share the common goal of gathering information, private or not, contained on the compromised computer. They don’t intercept network traffic like the Logger module does (described in my previous blog).
The PROT module
This module gathers private information from several sources, including Protected Storage (PStore), which contains user credentials stored by Internet Explorer or Outlook for instance. Interestingly, it also sets specific registry values in order to facilitate the creation of new entries in the PStore.
For instance, it sets the following registry entries:
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\“Use FormSuggest” = “true”
This enables form suggestion.
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\“FormSuggest_Passwords” = “true”
This lets Internet Explorer fill login/password combinations in forms automatically. Suggesting passwords means they are stored in the PStore.
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\“FormSuggest_PW_Ask” = “no”
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\“AutoSuggest” = “true”
This allows Windows Explorer to store network share information, for instance.
* HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\“POP3 Prompt for Password” = “0”
This lets Outlook record the mail account passwords in the PStore.
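As an added defender-side example (not code from the Symantec post), the following PowerShell audit reads the five registry values listed above and flags any whose data matches what the post says the PROT module writes. The paths and value names come from the post; the comparison strings (“true”, “no”, “0”) are quoted from the post as written and may need adjusting for the data type a given Internet Explorer or Outlook version actually uses, so a match is a lead to investigate rather than proof of infection.

```powershell
# Added audit script, not part of the original post. Checks the registry
# values the post says Clampi's PROT module sets to force credentials into
# Protected Storage. Expected "bad" data is taken verbatim from the post.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Use FormSuggest';        Bad = 'true' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'FormSuggest_Passwords'; Bad = 'true' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'FormSuggest_PW_Ask';    Bad = 'no'   },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete'; Name = 'AutoSuggest'; Bad = 'true' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Account Manager\Accounts'; Name = 'POP3 Prompt for Password'; Bad = '0' }
)

function Test-ClampiPStoreSettings {
    param([hashtable[]]$Checks = $checks)
    foreach ($c in $Checks) {
        # The post lists each value directly under the key. Per-account mail
        # settings normally live one subkey down, so also look in immediate subkeys.
        $paths = @($c.Path) + @(Get-ChildItem -Path $c.Path -ErrorAction SilentlyContinue |
                                ForEach-Object { $_.PSPath })
        foreach ($p in $paths) {
            $item = Get-ItemProperty -Path $p -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # value absent here: nothing to report
            $current = [string]$item.($c.Name)
            [pscustomobject]@{
                Path    = $p -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                Name    = $c.Name
                Current = $current
                # Case-insensitive string compare against the data quoted in the post
                Matches = ($current -ieq $c.Bad)
            }
        }
    }
}

$findings = @(Test-ClampiPStoreSettings)
$findings | Format-Table -AutoSize

$hits = @($findings | Where-Object { $_.Matches })
if ($hits.Count -gt 0) {
    Write-Warning ("{0} autocomplete/password-storage setting(s) match the PROT profile; " +
                   "review this host and the user's stored credentials.") -f $hits.Count
}
```

Run it under the affected user's profile, since all five keys live under HKEY_CURRENT_USER and a different account will show that account's settings, not the victim's.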
Symantec Security Blog