As you know, the police arrive after the crime; antivirus solutions do the same for every piece of malware. As the underground business matures, so do its methods of evading detection of its tools (which could be anything: worms, Trojans, etc.), and it has started to use sophisticated mechanisms (encryption, virtualization) to go undetected.
Clampi (also called Ligats, Ilomo, or Rscan) infects computers using drive-by downloads and by exploiting vulnerabilities in browsers. For a detailed description, please see the CNET.Com article at http://is.gd/23i3x; for the original detailed analysis of the malware by Joe Stewart of SecureWorks.Com, please visit http://is.gd/23kqb.
Here is a brief introduction to the Trojan. Clampi is a banking Trojan, a perfect tool for identity theft, and one of the largest professional thieving operations on the Internet. Clampi has all the advanced technological tweaks needed to identify which AV is installed on the computer and evade detection. The Trojan is not available as a crimeware tool, but it targets the world's biggest businesses. So far it has targeted about 4500 web sites across the globe, of which 1400 were identified in over 70 countries. Clampi is capable of spreading through Microsoft networks without detection. The most recently published theft amount was US$75,000 at Slack Auto Parts (see the news coverage on banking fraud using money mules at http://is.gd/23olr). There could be many unpublished huge sums stolen by Clampi!
Note: A money mule is a legitimate bank account holder like you and me. The actual thief transfers stolen money into our accounts, then asks us to write a check to a name they specify, usually in a different country.
Primary method of spreading: drive-by download, then through pen drives. With its worm capabilities, it spreads across networks by stealing administrator credentials.
I would like to suggest three possible solutions to prevent Clampi (and most other malware) from stealing your banking credentials. While these do not remove Clampi from your computer (see below for removal tools), they might help you as a workaround. Please note that solutions 2 and 3 are demos from my IT Security Awareness Program, which I am happy to present here for your reference. I feel solution 3 is the most effective for anyone.
- Use a separate PC. This is an extra burden on your pocket, on the real estate at your office or home office, and more.
How to do it? You are on your own, my dear :-)
- Use Sandboxie (or otherwise virtualize your web browser) to browse. This may not be the best solution, as the Trojan can spread through other means, but it can protect your computer from changes made by your browser by undoing those changes after the browsing session is complete. A similar option is available in IE8 as InPrivate Browsing (after opening a new tab, you will see a hyperlink "Open an InPrivate Browsing window"). I would like to see a similar option in all browsers in the future.
How to do it? To use Sandboxie, please read the SANS Institute white paper Virtually Secure Browser: http://is.gd/23lzP.
- Use VMware Player and a free UNIX-variant virtual machine (VM) appliance to do your financial transactions. This is the best way to protect yourself from all Microsoft Windows based malware attacks. It will also give you an idea of using a new OS. Make sure that you meet the minimum system requirements; otherwise your system will run very slowly.
How to do it? You need not be a UNIX guru: just start your UNIX VM and open the browser to go online. There are many free VM appliances available. You need to do two things for this:
1. Download the free VMware Player: http://www.vmware.com/products/player/
2. Download one of the Linux (or UNIX) variant appliances for free. I am giving you the link to Ubuntu 9.04. (I use BackTrack 4, which contains all the security related tools.) Ubuntu is good for UNIX beginners, with an almost Windows-like interface and lots of free tools: http://www.vmware.com/appliances/directory/va/147323/download
Sorry, I am unable to give you complete instructions in this post, but here is the link from the Ubuntu Help site on installing it: https://help.ubuntu.com/community/VMware/Player (it covers Ubuntu 8.04, not 9.04). Please feel free to play and learn.
If you need any specific instructions on how to implement any of the above solutions, just leave a comment below and I will get back to you.
Again, sorry for the long gap in posting to this blog; I was busy on another project. From now on I promise to post regularly for your online security education. You can also tweet me at Http://Twitter.Com/ITSKratu. Thanks for visiting my blog.