Why is Clampi / Ilomo so effective? An analysis with detection/removal info

Introduction

This is an in-depth analysis of a Trojan called Clampi, otherwise known as Ilomo or Clomp. Clampi has received quite a bit of press coverage lately. As always, most press reports are not technically accurate, so we look at Clampi here from a technical point of view.

The Clampi malware is one of the hardest pieces of malware to analyse. Even among the most sophisticated well-known Trojans such as Mebroot, Silentbanker and Zeus, Clampi is by far the hardest to analyse. The reasons for this are the multiple layers of VMProtect protection, the extensive use of encryption and unique design decisions such as the subversion of the registry to store the malicious files. No payload is ever written to the hard drive as a file: Clampi downloads the encrypted modules and stores them, still encrypted, in the registry.

The way Clampi is set up makes it a very robust Trojan, both in terms of resilience and resistance. It can talk to numerous C&C servers and any payload can be deployed, so Clampi can be used for pretty much every malicious purpose.

Even though Clampi is incredibly sophisticated, there is still room for improvement, and we believe new variants of Clampi that are much, much harder to detect will appear soon as they “fix” the existing limitations.

However, Clampi is not a new Trojan. It has been known since 2007, and the security industry didn’t really grasp the full scale of its badness because nobody knew exactly what it was doing, for the reasons mentioned above. We hope we can shed a bit of light on the operation of Clampi and help strengthen the “good” side.

Please note that this public blog doesn’t contain all the technical information and we have an in-depth report of Clampi available for interested parties. Just send an email to labs@trustdefender.com.

Payload

After the installer executes, there will be a newly created file in %UserProfile%\Application Data\ with one of the following names:

  • svchosts.exe, taskmon.exe, rundll.exe, service.exe, sound.exe, upnpsvc.exe, lsas.exe, logon.exe, helper.exe, event.exe, dumpreport.exe, msiexeca.exe

The filenames look genuine and are pretty much all names of legitimate Windows components; however, these files are now instrumental for the Clampi infection. Note that only the filename changes; the content and the MD5 of the file are always the same (61316320065e85ff4a6a594d7fedf141 in our case). Antivirus detection was fairly average as well, with 18/41 AV engines detecting it (http://www.virustotal.com/analisis/21bd2536687790c8318ac5936d4cad37decf0fee808e4f4ca8c619485cbf8a16-1249326956). As with the installer, some big names didn’t detect it (such as AVG, F-Secure and Kaspersky).

The payload is added to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run so that it runs with every start. Note that this means it only starts for the current user: Clampi does not add a corresponding Run value under HKLM!

Automated analysis of the payload

Security researchers rely more and more on automated analysis of malware samples; however, automated analysis is still pretty limited, as it shows nothing useful in this particular case. VirusTotal didn’t say anything and Anubis only noted that sound.exe started Internet Explorer. While this is not suspicious at all on its own, it already hints at one evasion technique of Clampi, which we will analyse in more detail later.

Execution

[Screenshot: Process Explorer view of the payload process and its iexplore.exe child]

First of all, Clampi uses a number of evasion techniques that are quite extraordinary. Clampi breaks its functionality up into various parts and uses sophisticated techniques to perform its job and to stay undetected.

When the payload starts, it automatically starts an instance of Internet Explorer as well.

While this doesn’t seem too suspicious, a closer look reveals a number of very interesting facts:

  • First of all, the iexplore.exe with PID 216 runs in suspended mode, which means that it is not accessible at all.
  • Secondly, the iexplore.exe with PID 216 is the “real” and genuine iexplore.exe process, but it has some weird program arguments:

[Screenshot: program arguments of the spawned iexplore.exe process]

This Internet Explorer process is responsible for all outgoing Internet communication to the Clampi C&C server. This was clearly also done to evade personal firewalls, as they only see an Internet request from the legitimate Internet Explorer, which is normally allowed.

[Screenshot: TCPView showing the network connections of the spawned iexplore.exe]

This also shows a limitation of Clampi’s C&C communication. Once you stop or kill the Internet Explorer process, Clampi cannot talk to its C&C anymore and is basically defeated.

Download of 4 (or more) modules

After the original handshake, Clampi initiates Internet requests to the newly learned C&C servers and downloads an additional 4-6 payloads (depending on the C&C configuration). However, Clampi will never write these payloads to the hard drive! It writes them in encrypted form into the registry at:

  • HKCU\Software\Microsoft\Internet Explorer\Settings\M00
  • HKCU\Software\Microsoft\Internet Explorer\Settings\M01

These payloads are the “real” nasty stuff, and the bad news is that they are all encrypted over the wire and also in the registry. However, in memory they have to be decrypted, so the encryption is not really the problem. The real problem is that they are all packed with VMProtect, which makes analysis almost impossible!

There is actually one more module, which is only ever decrypted in memory. These modules are all VMProtect protected, except M04, which is an exact copy of psexec.exe from Sysinternals. We will come back to this later in a bit more detail.

Registry layout

As mentioned before, after the initial infection Clampi never writes anything to the disk anymore. This was clearly done to evade detection by antivirus engines that hook hard drive access. Clampi writes all its malicious files directly into the registry in an encrypted format.

[Screenshot: regedit showing the Clampi keys under HKCU\Software\Microsoft\Internet Explorer\Settings]

More details are available in the in-depth report.

Usermode Hooks

In the same way that other sophisticated malware “hooks” key Windows functions and redirects them to its own memory region, Clampi hooks:

  • HttpSendRequestA
  • HttpSendRequestW
  • InternetQueryDataAvailable
  • InternetReadFile
  • InternetReadFileExA

[Screenshot: the hooked WinINet functions as reported by the rootkit scan]

With these hooks, Clampi has access to all Internet communication even when it is SSL encrypted, because the hooked WinINet functions handle the request and response data in plaintext before encryption and after decryption. However, these hooks are only installed in Internet Explorer and NOT in Chrome or Firefox.
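As an added illustration (not code from the write-up or from TrustDefender), the following shows how a defender can recognise the kind of user-mode hook described above, assuming the hook is an inline patch at the function entry (the usual JMP rel32 or PUSH/RET). The module base, size and function address are constructed sample values; the check flags an entry point whose first instruction transfers control outside the module that exports it.

```python
import struct

# Constructed example values (assumptions, not taken from the write-up):
# wininet.dll mapped at WININET_BASE with size WININET_SIZE, and the
# exported HttpSendRequestA located at HTTPSENDREQUESTA_ADDR inside it.
WININET_BASE = 0x76300000
WININET_SIZE = 0x000C0000
HTTPSENDREQUESTA_ADDR = 0x76312340

def jump_target(func_addr, prologue):
    """Decode the two most common inline-hook patches at a function entry:
    JMP rel32 (E9 xx xx xx xx) and PUSH imm32 / RET (68 xx xx xx xx C3).
    Returns the absolute control-transfer target, or None if the first
    bytes are not such a patch."""
    b = bytes(prologue)
    if len(b) >= 5 and b[0] == 0xE9:
        rel = struct.unpack_from("<i", b, 1)[0]
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:
        return struct.unpack_from("<I", b, 1)[0]
    return None

def is_hooked(func_addr, prologue, base=WININET_BASE, size=WININET_SIZE):
    """Flag a function as hooked when its entry jumps to memory outside the
    module that exports it. Returns (flag, target)."""
    target = jump_target(func_addr, prologue)
    if target is None:
        return False, None
    inside = base <= target < base + size
    return (not inside), target

def make_jmp_rel32(src, dst):
    """Build the 5-byte JMP rel32 an inline hook writes at src to reach dst."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))

# Unpatched hotpatchable prologue: mov edi,edi / push ebp / mov ebp,esp
CLEAN_PROLOGUE = b"\x8B\xFF\x55\x8B\xEC"
# Patched prologue redirecting into an injected region (constructed address)
INJECTED_REGION = 0x00A30000
HOOKED_PROLOGUE = make_jmp_rel32(HTTPSENDREQUESTA_ADDR, INJECTED_REGION)

if __name__ == "__main__":
    for label, pro in (("clean", CLEAN_PROLOGUE), ("patched", HOOKED_PROLOGUE)):
        flagged, target = is_hooked(HTTPSENDREQUESTA_ADDR, pro)
        print(f"HttpSendRequestA {label}: hooked={flagged} "
              f"target={hex(target) if target else None}")
```

On a live system the prologue bytes would be read from the process memory of iexplore.exe and the module range from its loaded-module list; a jump that stays inside wininet.dll (e.g. a vendor hotpatch) is deliberately not flagged.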

Location and availability of C&C Servers

Available in the in-depth report.

How TrustDefender will protect its customers

TrustDefender will automatically protect all its customers against Clampi in several ways.

Firstly, for our enterprise customers, communication to the C&C servers is cut-off automatically due to our Secure Lockdown feature as part of the client policies.

Secondly, TrustDefender will identify the unknown process that starts the Internet Explorer and will prevent it from doing any harm.

Thirdly, TrustDefender picks up the Windows hooks and automatically resolves them, so that the Internet session is isolated from Clampi.

And fourthly, the Kernel Forensics Engine makes sure that the transaction is safe.

The following screenshot shows the detection of Clampi. Please note that in the OEM edition, this screen won’t appear and the information is handled by the Enterprise Server.

[Screenshot: TrustDefender Kernel Forensics Engine detecting Clampi]

How to detect that a system is compromised

Detection is pretty easy if you have access to the machine. Simply check for the existence of the Clampi registry keys described in the Registry chapter above. Check for the existence of HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\GatesList; if you find this key, you are infected.

Furthermore, check for a process with one of the following names (svchosts.exe, taskmon.exe, rundll.exe, service.exe, sound.exe, upnpsvc.exe, lsas.exe, logon.exe, helper.exe, event.exe, dumpreport.exe, msiexeca.exe) and check with Process Explorer (procexp) from Sysinternals whether it has launched Internet Explorer.

HOWEVER, don’t log in to infected workstations using domain administrator credentials, as this is how it spreads (using psexec).
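The two checks above, written as an added example (not code from the write-up or from TrustDefender) that runs over a constructed host snapshot: the process list is a list of (pid, ppid, image path) tuples of the kind Process Explorer shows, the registry key list is whatever keys exist on the host, and both sample inputs below are made up. The payload names and key paths are the ones listed in this write-up.

```python
from pathlib import PureWindowsPath

# Indicators taken from the write-up.
CLAMPI_PAYLOAD_NAMES = {
    "svchosts.exe", "taskmon.exe", "rundll.exe", "service.exe", "sound.exe",
    "upnpsvc.exe", "lsas.exe", "logon.exe", "helper.exe", "event.exe",
    "dumpreport.exe", "msiexeca.exe",
}
CLAMPI_REG_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\GatesList",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\M00",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\KeyM",
}

def assess_host(processes, registry_keys):
    """processes: iterable of (pid, ppid, image_path); registry_keys: iterable
    of key paths present on the host. Returns a list of findings (empty = clean)."""
    findings = []
    present = {k.lower() for k in registry_keys}
    for key in sorted(CLAMPI_REG_KEYS):
        if key.lower() in present:
            findings.append(f"registry key present: {key}")
    by_pid = {pid: (ppid, path) for pid, ppid, path in processes}
    for pid, (ppid, path) in by_pid.items():
        if PureWindowsPath(path).name.lower() != "iexplore.exe":
            continue
        parent = by_pid.get(ppid)
        if parent is None:
            continue  # parent already gone or not in the snapshot
        ppath = PureWindowsPath(parent[1])
        # Only an iexplore.exe spawned by one of the payload names living in
        # the user's Application Data folder is treated as a hit.
        if (ppath.name.lower() in CLAMPI_PAYLOAD_NAMES
                and "application data" in str(ppath.parent).lower()):
            findings.append(f"iexplore.exe (pid {pid}) launched by {ppath} (pid {ppid})")
    return findings

# Constructed snapshot of an infected host (sample data, not from the write-up).
SAMPLE_PROCESSES = [
    (1032, 4, r"C:\WINDOWS\explorer.exe"),
    (1640, 1032, r"C:\Documents and Settings\alice\Application Data\sound.exe"),
    (216, 1640, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (1900, 1032, r"C:\Program Files\Internet Explorer\iexplore.exe"),  # user's own IE
]
SAMPLE_REGISTRY = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\GatesList",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
]

if __name__ == "__main__":
    for finding in assess_host(SAMPLE_PROCESSES, SAMPLE_REGISTRY):
        print("FINDING:", finding)
```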

How to remove Clampi

Clampi can be removed from the system fairly easily. However, unlike Mebroot/Torpig, it does not store the stolen credentials on the local machine, so it is not possible to determine exactly what has been stolen.

To remove Clampi, do the following:

  • Kill the sound.exe process (or whatever the filename is) that launches Internet Explorer. This alone will already kill the C&C communication.
  • Remove the file from your hard drive (usually in %UserProfile%\Application Data\).
  • Start the registry editor (regedit) and delete the following keys (make sure you back up the registry before doing so):
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\GID
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\PID
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\GatesList
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\KeyM
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\KeyE
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\M00
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\M

    and

    • the value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ (in our case Sound; just look for the one whose data points to the executable in %UserProfile%\Application Data\)

Restart the computer and Clampi should be removed.

Further Information

Further information can be obtained from TrustDefender at labs@trustdefender.com as well as the in-depth report of Clampi.
