Clampi banking trojan misdirects business wire transfers

July 31st, 2009

An ultra-sophisticated virus/banking Trojan designed to infect workplace computers and misdirect wire transfers has begun spreading widely across the Internet.

This nasty but elegant piece of malware, called Clampi, has been around since 2006, and security firm F-Secure has isolated 3,300 variants since then. But this latest variant is a doozy. More on this below. But first consider the context:

Clampi is one of a few dozen major families of “banking Trojans,” each with thousands of variants. Cutting-edge banking Trojans evolve in Brazil, for reasons outlined by IBM ISS researcher Gunter Ollmann in this LastWatchdog post. In North America, banking Trojans like ZeuS, Torpig, Xorpig and Mebroot all use different encryption and obfuscation techniques.

So the good-guy researchers’ understanding of them is somewhat piecemeal. One common scenario is that cyber robbers buy the latest variant of their favorite banking Trojan, customize it, and then use it to access consumer online banking accounts. They then transfer funds to “mule accounts” — often using unwitting folks recruited via email or online job sites.

In one real-life example a gang of German cyber robbers used a customized version of ZeuS to pull off an Ocean’s 11-like heist for $6 million. See LastWatchdog’s full account of that caper here.

Impenetrable encryption

Back to Clampi. Perhaps the most distinctive characteristic of Clampi was its impenetrable encryption. I say ‘was’ because last week SecureWorks’ ace virus hunter, Joe Stewart, cracked it. He disclosed his findings at the BlackHat Vegas 2009 security conference, which just wrapped up last night.

Unlike ZeuS, Torpig and other banking Trojans, which are most often sold as off-the-shelf tools, Clampi appears to be controlled by a single gang of cyber robbers based in Eastern Europe and implicated in a string of major heists from financial institutions, says Stewart.

Most banking Trojans distribute lists of target web pages to each infected PC. The list is usually for 25 to 100 financial institutions that do online banking, says Mikko Hypponen, senior analyst at F-Secure.

Once the PC gets the list of target web pages, the Trojan watches for the user to click to one of those pages, and then steals a copy of the user name and password, and/or misdirects the user to a phishing page, and/or executes shadow withdrawals while the user is logged on and doing routine online banking.

Clampi does much, much more. Its controllers have hacked into a large number of innocuous, legitimate web pages and corrupted them with a quick-loading Trojan downloader, essentially a wormhole through which they then proceed to install a series of heavily encrypted instructions, or modules.

4,600 targeted web pages

You can get Clampi by clicking to one of these web pages. One of the modules Stewart cracked contained a list of 4,600 web pages for a wide array of businesses and government agencies — and their banks.

Stewart has managed to identify 1,400 of the 4,600 web pages on this list. The breadth is stunning. The links are generally to log-on or fill-in-the-form pages for advertising networks; utilities; email marketing; stock brokerages; market research databases; online casinos; online retailers; career sites; insurance companies; banking sites; credit card companies; accounting services; wire transfer services; mortgage lenders; consumer databases; webmail; foreign postal services; software vendors; military/government information portals; recommendation engines; ISPs; various news blogs; file upload sites.

“This thing is seeking out sites with the most users and the most money,” Stewart told LastWatchdog.

Another module sets up an ingenious trap to obtain the username and password of network administrators who have clearance to access all of an organization’s Windows PCs. The Trojan waits for anyone with Network Administrator credentials to log onto the infected PC, say to do a software upgrade or some other sort of maintenance.

The Trojan then uses a simple Windows component, called PsExec, that allows a Network Administrator to install anything on every computer he or she has access to — almost instantaneously. It logs on as the administrator, and then spreads a copy of itself company-wide.
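The company-wide fan-out described above is also the signal a defender can watch for. As an added illustration (not code from the post, SecureWorks or Clampi itself), this Python check runs over constructed Windows System-log records: PsExec installs a service named PSEXESVC on each remote host it touches, which Windows records as a service-install event (ID 7045), so one account producing that event on many hosts within minutes is the worm pattern rather than routine maintenance. The log line format, host names and the CORP\netadmin account are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: "timestamp host event_id service account".
# Five installs by one admin account in nine seconds, then one routine
# install hours later and an unrelated service start.
SAMPLE_LOG = """\
2009-07-03T09:14:02 WS-ACCT01 7045 PSEXESVC CORP\\netadmin
2009-07-03T09:14:05 WS-ACCT02 7045 PSEXESVC CORP\\netadmin
2009-07-03T09:14:07 WS-SALES07 7045 PSEXESVC CORP\\netadmin
2009-07-03T09:14:09 WS-SALES08 7045 PSEXESVC CORP\\netadmin
2009-07-03T09:14:11 WS-HR03 7045 PSEXESVC CORP\\netadmin
2009-07-03T14:30:00 WS-IT01 7045 PSEXESVC CORP\\netadmin
2009-07-03T14:31:10 WS-IT01 7045 Spooler SYSTEM
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\S+)$")


def parse(log):
    """Yield (time, host, event_id, service, account) from the constructed log lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, eid, svc, acct = m.groups()
            yield datetime.fromisoformat(ts), host, int(eid), svc, acct


def psexec_fanout(log, window=timedelta(minutes=5), min_hosts=3):
    """Return [(account, window_start, hosts)] for every account that installed
    PSEXESVC on at least min_hosts distinct hosts inside one sliding window.
    One admin touching one box is routine; a burst across many boxes is not."""
    installs = defaultdict(list)  # account -> [(time, host)]
    for ts, host, eid, svc, acct in parse(log):
        if eid == 7045 and svc.upper() == "PSEXESVC":
            installs[acct].append((ts, host))
    alerts = []
    for acct, hits in installs.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((acct, start.isoformat(), sorted(hosts)))
                break  # one alert per account is enough
    return alerts
```

Raising min_hosts or shrinking the window trades missed slow spreads for fewer false alarms during genuine mass software pushes.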

Stewart says Clampi could infect 15,000 PCs in this manner, maybe a lot more.

Stewart says he first noticed this latest version of Clampi in March and since then it has spread “in leaps and bounds.”

Fraudulent wire transfers

The attackers’ ultimate goal: tap into the online banking accounts businesses use to send wire transfers over the automated clearinghouse, or ACH, system. They can then send wire transfers to the online bank accounts of accomplices, known as mules.

That’s what happened to Slack Auto Parts, a chain of nine stores in Gainesville, GA. Between July 3 and July 7 Clampi executed $75,000 in nine payments to six different mule accounts, says owner Henry Slack.

Slack hired cyber security investigators to unravel the scam. His company computers initially got infected by Clampi one year ago. The program tried, but failed, to transfer an additional $69,000 in eight other transfers.

One of the money mules — a woman from Tampa — actually called Slack’s comptroller to complain when a $10,000 transfer she was expecting from Slack Auto was held up. The woman told the comptroller she had been recruited via email by a company called The Junior Group, which told her to expect the payment from Slack and forward most of it to Eastern Europe.

The Junior Group is a longstanding online money laundering ring which recruits unwitting citizens to set up bank accounts into which it can transfer money from breached accounts. It appears to be operating out of Ukraine, says Hypponen.

Mikko says Junior Group appears to have ties to CarderPlanet, one of the early carding forums — web sites where criminals buy, sell, trade and recruit. Certain advertising phrases on Junior Group’s website are identical to ad text in CarderPlanet’s slick promo videos.

Henry Slack told LastWatchdog he expects to get most of his $75,000 back, but he’s in for a battle. Miami small businessman Joe Lopez lost $90,000 after an earlier banking Trojan — Coreflood — got onto one of his PCs. He had to sue Bank of America to try to get the money back. The bank argued that Lopez was responsible for security on his PC.

It was only after LastWatchdog wrote this story that Bank of America settled with Lopez. But clearly, small businessmen like Lopez and Slack are at very high risk of losing money to cyber intruders — without being able to recover some or most of it.

“I don’t want this to happen to anyone else,” says Slack. “This is a real problem for the business community – it is almost impossible to prevent a sophisticated virus like this one from infecting your system and unless your bank has very strong security measures in place to identify and prevent fraudulent transfers, every business that does any online banking is running a serious risk of this happening to them.”

“And, unlike personal banking, your bank will probably not automatically make you whole when you are defrauded,” Slack continued. “Thankfully, we had the resources to cope with this loss and we are confident we will recover all the stolen funds eventually one way or the other.

“But my recommendation to everyone out there is to make sure you have every internal security measure available in place and that your bank has every possible online banking security measure in place as well. Otherwise, my advice is to not do online banking in the current environment – it may be convenient but is riskier than you think.”

With Clampi continuing to spread, businesses should do online financial transactions only on a dedicated PC, says Stewart. That PC should absolutely not be used for email, accessing social networks or browsing the Internet.