Typically, trojans such as this gets installed when people open infected attachments or even by simply visiting a web page using a vulnerable browser or other applications such flash, pdf, etc. Such web sites that people visit could be intentionally or they may be taken to those web sites unintentionally by clicking on some links on a regular / normal site and that site may have some XSS or other types of vulnerabilities.
In any case, once the trojan gets installed it copies itself as one of the system executable such as svchosts.exe or event.exe in one of the folders. These are legitimate looking applications, so if you look in task manager, it is difficult to identify. However, the key here is that these files gets installed in a folder other than "C:\WINDOWS\system32" (in Windows XP). There are various tools such as "tlist" to identify which application (with the path) launched a process. The Trojan also make many registry changes, so understanding the registry structure and monitoring for changes is key here.
The Trojan then makes connections to various web sites that act as command and control centers and downloads tools that are required for 1) spreading to other machines 2) grab personal information from the machine, encrypt it and send it back the command and control center. One such tool it downloads is psexec, which is used to make connection to other machines in the network and then install the trojan there. In order to identify this behavior, security practitioners should have a good understanding of the normal behavior on the network and block unusual or unnecessary outbound connections from the internal network.
Some of the other key takeaways are:
- Don't use or provide administrative credentials to the regular users, use of administrative credentials enable the ability to install programs.
- Block all or unnecessary outbound access.
- Monitor unusual traffic on the network, should have a good understanding of the baseline traffic.
- Keep open file shares to a minimum or remove it altogether if possible. Periodically scan for open shares and audit it thoroughly.
- Users should be made aware of the dangers of visiting unknown web sites, clicking on unknown links, and downloading unknown files.
- Patch. Follow a strict vulnerability management process.
- Keep the antivirus signatures up to date. Automate identification of infected machines
- Be ready for incidents like this, practice incident response skills
Read some of the interesting write-ups on the Clampi virus / trojan.
http://www.secureworks.com/research/threats/clampi-trojan/?threat=clampi-trojan
http://voices.washingtonpost.com/securityfix/2009/07/clampi_trojan_the_rise_of_matr.html?wprss=securityfix
No comments:
Post a Comment