Inside Trojan.Clampi: Bypassing your local firewall

The latest malware threats from across the security forums

Moderators: Admin Team, Moderators

User avatar
Spudz
Posts: 1856
Joined: Mon Jul 20, 2009 4:35 am
Area Of Expertise: General guidance and advice
experience: Not only can I turn PC on, I know most of its functions too
PC time: Alot more than I should
Location: Kent, UK
Contact:

Inside Trojan.Clampi: Bypassing your local firewall

Postby Spudz » Tue Oct 27, 2009 3:17 am

Inside Trojan.Clampi: Bypassing your local firewall
Nicolas Falliere
October 26th, 2009

Clampi goes to unusual measures to bypass the local firewall on the compromised computer, such as the Windows Firewall. Usually, such firewalls allow only specific programs to communicate using specific ports and protocols. For instance, your browser would be allowed to use outbound TCP port 80.

As we’ve previously discussed, Clampi needs to communicate with a “Gate” gateway server in order to get its orders and send information. Any firewall would block the program if it tried to connect to the outside world. Bypassing this can be done in many ways, the most common one in the malware world being to add an entry in the Windows registry, added the program to the trusted file list.

The Clampi gang decided to inject their networking code into Internet Explorer, which is granted Web access by any standard firewall configuration out there. Fair enough—that’s another approach, but not a new one. Yet you’ve seen these guys don’t do things the way other malware authors usually do. They’ve decided to implement an API proxy and have only stubs of code injected and executed into the browser, but only when it’s needed. When Clampi needs to send information to the Gate, it will use the API proxy.

Let’s dive into the technical details now. Soon after Clampi is executed, it creates an Internet Explorer instance. Its window is hidden, the primary thread is suspended, and the program is started with a command line that looks like shellcode (named shellcode 0). Note that the shellcode/command line consists of a small decryptor stub, followed by an ASCII string. It’s a classic way to avoid NULL bytes (except for the terminating one), which would have the undesired side-effect of stopping the shellcode prematurely.

Clampi then injects a thread into Internet Explorer, pointing to GetCommandLineA. Upon execution of this thread, the shellcode address will be retrieved.

A second remote thread is then created, and executes shellcode 0.


Continues at Symantec
Spam - Uninteresting garbage quickly deleted.
Spammer - A parasitic worm intent on creating internet misery.

Image

Return to “Latest Malware Threats”

Who is online

Users browsing this forum: No registered users and 1 guest