Inside Trojan.Clampi: Bypassing your local firewall
October 26th, 2009
Clampi goes to unusual measures to bypass the local firewall on the compromised computer, such as the Windows Firewall. Usually, such firewalls allow only specific programs to communicate using specific ports and protocols. For instance, your browser would be allowed to use outbound TCP port 80.
As we’ve previously discussed, Clampi needs to communicate with a “Gate” gateway server in order to get its orders and send information. Any firewall would block the program if it tried to connect to the outside world. Bypassing this can be done in many ways, the most common one in the malware world being to add an entry in the Windows registry, adding the program to the trusted file list.
The Clampi gang decided to inject their networking code into Internet Explorer, which is granted Web access by any standard firewall configuration out there. Fair enough—that’s another approach, but not a new one. Yet you’ve seen these guys don’t do things the way other malware authors usually do. They’ve decided to implement an API proxy and to inject and execute only small stubs of code in the browser, and only when needed. When Clampi needs to send information to the Gate, it will use the API proxy.
Let’s dive into the technical details now. Soon after Clampi is executed, it creates an Internet Explorer instance. Its window is hidden, the primary thread is suspended, and the program is started with a command line that looks like shellcode (named shellcode 0). Note that the shellcode/command line consists of a small decryptor stub, followed by an ASCII string. It’s a classic way to avoid NULL bytes (except for the terminating one), which would have the undesired side-effect of stopping the shellcode prematurely.
Clampi then creates a remote thread in Internet Explorer whose start address is GetCommandLineA. When this thread runs, it returns the address of the process command line, which is the address of the shellcode.
A second remote thread is then created, and executes shellcode 0.
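From the defender's side, the sequence just described (a hidden, suspended iexplore.exe started with a binary command line, a remote thread started at GetCommandLineA, then a second remote thread started at an address backed by no module) is a correlatable pattern. The following is an added example written for this post, not Symantec's code: it runs a small correlation over constructed Sysmon-style process-creation (Event ID 1) and CreateRemoteThread (Event ID 8) records; the field names, the 0.3 non-printable ratio threshold and the sample records are assumptions, and the command-line bytes are arbitrary, not a real decryptor stub.

```python
import string
from collections import defaultdict

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
K32 = r"C:\Windows\System32\kernel32.dll"

# Constructed Sysmon-style records (not real telemetry).
# id 1 = process create, id 8 = CreateRemoteThread.
EVENTS = [
    # Suspicious: iexplore.exe launched with a binary, NUL-free command line.
    {"id": 1, "pid": 1204, "image": IE,
     "cmdline": "iexplore.exe " + "".join(chr(0x80 + i) for i in range(24))},
    # Stage 1: remote thread at GetCommandLineA to learn where the shellcode lives.
    {"id": 8, "target_pid": 1204, "source_image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "start_module": K32, "start_function": "GetCommandLineA"},
    # Stage 2: remote thread at an address backed by no loaded module.
    {"id": 8, "target_pid": 1204, "source_image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "start_module": "", "start_function": ""},
    # Benign: a normal browser launch plus a module-backed remote thread.
    {"id": 1, "pid": 1300, "image": IE, "cmdline": "iexplore.exe http://example.com"},
    {"id": 8, "target_pid": 1300, "source_image": r"C:\Windows\explorer.exe",
     "start_module": K32, "start_function": "LoadLibraryA"},
]


def nonprintable_ratio(cmdline: str) -> float:
    """Fraction of characters outside string.printable; shellcode-as-argv scores high."""
    if not cmdline:
        return 0.0
    return sum(1 for c in cmdline if c not in string.printable) / len(cmdline)


def find_clampi_style_injection(events, ratio_threshold: float = 0.3):
    """Return target pids showing all three stages: binary argv, GetCommandLineA thread, unbacked thread."""
    created = {}                      # pid -> non-printable ratio of its command line
    threads = defaultdict(list)       # target pid -> list of remote-thread events
    for ev in events:
        if ev["id"] == 1 and ev["image"].lower().endswith("iexplore.exe"):
            created[ev["pid"]] = nonprintable_ratio(ev["cmdline"])
        elif ev["id"] == 8:
            threads[ev["target_pid"]].append(ev)
    hits = []
    for pid, ratio in created.items():
        ths = threads.get(pid, [])
        via_getcmdline = any(t["start_function"] == "GetCommandLineA" for t in ths)
        unbacked = any(not t["start_module"] for t in ths)
        if ratio >= ratio_threshold and via_getcmdline and unbacked:
            hits.append(pid)
    return hits
```

Requiring all three stages keeps the benign record (a URL command line and a module-backed thread) below the bar; each stage on its own is too common to alert on.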
Continues at Symantec