Friday, February 05, 2010

The Clampi Trojan says …. Get a Mac

A Windows 2003 server machine I use may, or may not, have been infected with the Clampi trojan (ilomi.b or ilomo.c, which depending on your font, may look a lot like llomi or IIlomi or ILomi).

I say “may not”, because the combination of “Windows 2003” and "antivirus” has a high rate of false positive claims that can wreak as much destruction as the antiviral software.

In researching the Clampi trojan Google suggested I read this summary (emphases mine) …

Clampi/Ligats/Ilomo Trojan - Research - SecureWorks

… Clampi’s recent success in infecting victims is accomplished by using domain administrator credentials (either stolen by the Trojan or re-used, or by virtue of the fact that a domain administrator has logged into an already infected system). Once domain administrator privileges are granted, the Trojan uses the SysInternals tool "psexec" to copy itself to all computers on the domain.

Clampi also serves as a proxy server used by criminals to anonymize their activity when logging into stolen accounts…

… Clampi is operated by a serious and sophisticated organized crime group from Eastern Europe and has been implicated in numerous high-dollar thefts from banking institutions. Any user whose system has been infected by Clampi should immediately change any and all passwords used on that system for any websites, but especially financial credentials.

… Most major anti-virus engines should be able to detect Clampi variants; however there is always a delay between a new Trojan release and the detection time.  Given the prevalence and seriousness of the Clampi Trojan, it is recommended that businesses that carry out online banking/financial transactions adopt a strategy to isolate workstations where these activities are carried out from possible Clampi or other data-stealing Trojan infections.

This may include using a dedicated workstation for accessing financial accounts which is isolated from the rest of the local network and the Internet except for the specific financial sites required to be accessed. Since Trojans can also be spread using removable drives, systems should be hardened against auto run-type threats. Businesses may even consider using an alternative operating system for workstations accessing sensitive or financial accounts.

Home Computer User Protection
SecureWorks CTU recommends that home computer users use a computer dedicated only to doing their online banking and bill pay.  They should not use that computer to surf the web and send and receive email, since web exploits and malicious email are two of the key malware infection vectors. 

As an alternative to operating a secure home PC for all important work, home users could, you know, buy a Mac. They would then have one machine to use for everything.[1]

Maybe Apple is funding Clampi development?


[1] The Mac’s vast security advantage comes from the “faster friend” security philosophy. When you and a friend are being chased by a bear, you don’t have to be faster than the bear, you have be faster than your friend. OS X 10.6 is, in practical terms, fundamentally more secure than XP, but not necessarily theoretically more secure than Microsoft’s very latest foul demon. The big Mac advantage is that the world’s criminals don’t own Apple machines, and have very little interest in targeting Macs as long as the vast majority of banks and corporations run some flavor of Windows. I’ve often wondered, incidentally, if Windows 98 isn’t now a very secure environment. I doubt many Trojans would infect it any more.

1 comment:

mike said...

I doubt that Windows 98 by itself has become safer. OTOH, running a virtual machine with Win 98 would probably give you reasonable browsing capability. Or semi-reasonable -- Win 98 can't deal with IE7 or IE8, which is limiting -- no YouTube, for instance. But you can blow away a bug-infested virtual machine and replace it with a new clean copy in just a couple minutes.