Sporadic reports are surfacing that the authentication credential stealing Trojan Clampi is regaining momentum and poised to begin a new round of stealthily siphoning cash from the bank accounts belonging to compromised users.
Clampi—also known as Ligats, Ilomo and Rscan—was first discovered in January 2008. The Trojan targets machines running nearly all versions of Windows and spreads as a drive-by download through Websites with compromised vulnerabilities in Flash and ActiveX. It sits in the background monitoring Web browsing activity, specifically log-ins to accounts with financial activity. Without impeding connections or PC performance, Clampi stealthily captures users’ account IDs and authentication credentials and passes them to its master.
In recent months, Clampi has started spreading like a worm across networks with infected PCs. In a CNET report, SecureWorks’ Joe Stewart explained that Clampi uses capture domain registration credentials to leverage the Windows SysInternals tool “psexec” to copy itself across all connected computers within a domain.
What makes Clampi different, according to published reports, is that it’s monitoring a vast number of financially sensitive accounts. Banks and financial institutions are its prime target, but it’s also monitoring retail sites, utilities, ad networks, government agencies, online casinos and military portals.
The threat is not contained to individual home users. The Washington Post previously reported Clampi is responsible for several large, unauthorized bank transfers. A Kentucky county lost more than $415,000 to cyber-criminals after a treasurer’s PC was compromised. A Pennsylvania school district was hit to the tune of $700,000 and an auto parts store in Georgia lost $75,000, the newspaper reported.
>> Click here to read the full report on the "Secure Channel" blog