Bank data-stealing Trojan infects hundreds of thousands of PCs - researcher
30 July 2009
A "tremendous" amount of financial data has been stolen by a Trojan that has infected hundreds of thousands of corporate and personal PCs, according to information security specialist SecureWorks.
Clampi, also known as Ligats, Ilomo or Rscan, has spread across Microsoft networks in a "worm-like fashion" and is "one of the largest and most professional thieving operations on the Internet," says Joe Stewart, director of malware research at SecureWorks' counter threat unit.
Once it has infected a PC, the Trojan monitors Web sessions to see if one of 4500 targeted sites is visited. If a victim uses one of these sites - which include those of banks, credit card companies, stock brokerages and insurance firms - it captures sensitive information such as usernames, passwords and PINs.
Stewart claims to have so far identified 1400 affected sites in 70 different countries.
Stewart says Clampi is operated by a "serious and sophisticated" organised crime group from Eastern Europe and has been implicated in numerous high-dollar thefts from banking institutions.
Its recent success in infecting victims has been achieved by using domain administrator credentials, either stolen by the Trojan or re-used, or because a domain administrator has logged into an already infected system.
Once domain administrator privileges are granted, the Trojan uses the SysInternals tool "psexec" to copy itself to all computers on the domain. In addition, it serves as a proxy server used by criminals to cloak their activity when logging into stolen accounts.
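For defenders, the domain-wide psexec spread described above leaves a recognisable trace: the same account installing the PsExec service on many machines within minutes. The following detection sketch is an added example, not code from SecureWorks or from the article. It assumes service-install records (such as Windows Service Control Manager event 7045) exported in a pipe-delimited format invented here, and that the default PsExec service name PSEXESVC is in use; the hostnames, accounts and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: service-install records exported as
# host|time|service name|image path|installing account (format is an
# assumption of this example, not a native Windows log layout).
SAMPLE_EVENTS = """\
WS-014|2009-07-28T02:11:05|PSEXESVC|%SystemRoot%\\PSEXESVC.exe|CORP\\da-jsmith
WS-015|2009-07-28T02:11:09|PSEXESVC|%SystemRoot%\\PSEXESVC.exe|CORP\\da-jsmith
WS-016|2009-07-28T02:11:14|PSEXESVC|%SystemRoot%\\PSEXESVC.exe|CORP\\da-jsmith
WS-017|2009-07-28T02:11:20|PSEXESVC|%SystemRoot%\\PSEXESVC.exe|CORP\\da-jsmith
SRV-02|2009-07-28T09:30:00|PSEXESVC|%SystemRoot%\\PSEXESVC.exe|CORP\\ops-admin
WS-014|2009-07-28T10:02:41|Spooler|%SystemRoot%\\System32\\spoolsv.exe|LocalSystem
"""

PSEXEC_MARKER = "psexesvc"        # default service/binary name used by PsExec
WINDOW = timedelta(minutes=10)    # hypothetical threshold: tune per environment
MIN_HOSTS = 3                     # hypothetical threshold: distinct target hosts

def parse(text):
    for line in text.splitlines():
        if line.strip():
            host, ts, service, image, user = line.split("|")
            yield host, datetime.fromisoformat(ts), service, image, user

def psexec_fanout(text, window=WINDOW, min_hosts=MIN_HOSTS):
    """Return {account: sorted hosts} for accounts that installed the PsExec
    service on at least min_hosts distinct hosts inside one sliding window."""
    installs = defaultdict(list)
    for host, ts, service, image, user in parse(text):
        if PSEXEC_MARKER in service.lower() or PSEXEC_MARKER in image.lower():
            installs[user].append((ts, host))
    alerts = {}
    for user, rows in installs.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1            # slide the window forward
            hosts = {h for _, h in rows[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts | set(alerts.get(user, [])))
    return alerts

if __name__ == "__main__":
    for user, hosts in psexec_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: PsExec service installed on {len(hosts)} hosts: {hosts}")
```

A single administrator using PsExec on one server, like the constructed `ops-admin` record, stays below the threshold; only the rapid fan-out is flagged.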