Inside Trojan.Clampi: The Research Paper

Postby Spudz » Tue Nov 10, 2009 7:51 am

Inside Trojan.Clampi: The Research Paper
Nicolas Falliere
November 10th, 2009

Trojan.Clampi is an interesting threat, which we described in many blog entries over the past month. We’ve now compiled these entries, along with some new material, into a research paper—Inside the Jaws of Trojan.Clampi.

In a nutshell, Clampi is an Infostealer threat. Its executable can be seen as a host for separate modules, containing the real payloads of the threat. These modules are heavily protected from reverse-engineering as well. The functionalities range from banking-site password stealing, to local credential gathering, to a SOCKS proxy. The communication with Clampi’s command & control servers, the “Gates”, uses HTTP and is encrypted. Clampi spawns and uses an Internet Explorer instance as an API proxy to achieve network communication, bypassing firewalls along the way.

One thing we mentioned in passing in the blog entries is that the main executable and the modules are protected from reverse-engineering by VMProtect, a commercial packer used to virtualize executable files. We decided to go a little deeper in the paper, introducing the reader to how VMProtect works, how it affects Clampi, the effort needed to analyze such files, and also present ways to partially reverse the protection scheme in order to allow white-box analysis of this threat.

Continues at Symantec Security Blog
Spam - Uninteresting garbage quickly deleted.
Spammer - A parasitic worm intent on creating internet misery.
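The quoted summary notes that Clampi drives a spawned Internet Explorer instance as an API proxy for its network traffic, so the firewall sees a trusted browser talking out rather than the trojan itself. One defender-side observation that does not depend on breaking the encrypted Gate traffic is the process tree: a browser started by something other than a user shell or another browser instance is worth a look. The script below is an added example written for this page, not code from the Symantec paper or the forum post. The log line format, the list of "expected" parent images, and the sample entries are all constructed assumptions for the example.

```python
"""Flag browser processes launched by unexpected parents.

Added example, not from the Symantec paper or the forum post. The idea is
the one the post describes from the defender's side: a trojan that proxies
its traffic through a browser it spawned leaves a parent/child relationship
that normal user browsing does not. Log format and sample data are constructed.
"""
from dataclasses import dataclass

# Parents from which a browser launch is considered normal (assumption made
# for this example; a real baseline would be taken from the environment).
EXPECTED_BROWSER_PARENTS = {"explorer.exe", "iexplore.exe", "userinit.exe"}
BROWSERS = {"iexplore.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str


def parse_events(lines):
    """Parse constructed 'pid=<n> ppid=<n> image=<name>' process-creation lines."""
    events = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split())
        events.append(
            ProcEvent(int(fields["pid"]), int(fields["ppid"]), fields["image"].lower())
        )
    return events


def suspicious_browser_launches(events):
    """Return (browser_pid, parent_image) for browsers with an unexpected parent.

    A parent that is missing from the log is reported as '<unknown>' and
    flagged too, since an exited or unlogged launcher is itself a gap.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.image not in BROWSERS:
            continue
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else "<unknown>"
        if parent_image not in EXPECTED_BROWSER_PARENTS:
            hits.append((e.pid, parent_image))
    return hits


# Constructed sample log: one normal browser launch, one launched by an
# arbitrary non-browser binary, one whose parent never appears in the log.
SAMPLE_LOG = [
    "pid=400 ppid=1 image=explorer.exe",
    "pid=1200 ppid=400 image=iexplore.exe",      # user opened a browser: expected
    "pid=2200 ppid=400 image=unknown_loader.exe",  # constructed stand-in binary
    "pid=2300 ppid=2200 image=iexplore.exe",     # browser spawned by it: flagged
    "pid=2400 ppid=9999 image=iexplore.exe",     # parent absent from log: flagged
]


def demo():
    """Run the check over the constructed sample and return the findings."""
    return suspicious_browser_launches(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for pid, parent in demo():
        print(f"iexplore.exe pid {pid} launched by {parent}")
```

The check is deliberately coarse: it says nothing about what the browser instance does once running, only that its launcher is not one of the parents a user-driven session would produce. In practice it is a triage filter to be paired with the network-side view (which process is actually generating the outbound HTTP), not a verdict on its own.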
