Clampi

From Infogalactic: the planetary knowledge core

Clampi is network-spreading spyware that attacks Microsoft Windows, AOL, Yahoo, Mac, and MSN.[1][2][3] The infection allows an attacker to access personal information such as banking details, passwords, or personal identity (including the IP address). It is considered a high security risk and should be removed from the network to avoid popups and any further damage to the host computer or other devices connected to the network.

Clampi is difficult to detect even with up-to-date antivirus and other security software, as it hides itself using stealth techniques. The Clampi network worm has become the largest botnet on the Internet: some 3.6 million PCs are said to be infected in the U.S. alone.[4]

Infection

Clampi attempts to gather login information for FTP sites, Facebook, Skype, and other social media platforms, as well as any sensitive financial data.[5] It uses compromised computers to build a peer-to-peer botnet: a compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer and to hijack search queries to display advertisements. Its peer-to-peer topology is also used to show fake messages to other users for the purpose of expanding the botnet.[6] It was first detected in December 2008, and a more potent version appeared in March 2009.[7] A study by the Information Warfare Monitor, a joint collaboration between the SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University of Toronto, revealed that the operators of this scheme generated over $2 million in revenue from June 2009 to June 2010.[5]

Clampi originally spread by delivering Facebook messages to people who are 'friends' of a Facebook user whose computer had already been infected. Upon receipt, the message directs the recipients to a third-party website (or another Clampi-infected PC), where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Clampi can infect their system. It can then commandeer the computer's search engine use and direct it to contaminated websites. Links to the third-party website can also appear on the Facebook wall of the friend the message came from, sometimes accompanied by comments such as "LOL" or "YOUTUBE". If the link is opened, the trojan infects the computer and the PC becomes a zombie or host computer.

Among the components downloaded by Clampi are a DNS filter program that blocks access to well-known security websites and a proxy tool that enables the attackers to abuse the infected PC. At one time the Clampi gang also used Limbo, a password-stealing program.
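The DNS filter component described above blocks name resolution for security vendors' sites. As an added defender-side illustration (not code from the original article, and not a description of how Clampi's own filter works), the script below parses a hosts file, one common place such a filter can be implemented, and flags any override of a security-related domain, distinguishing entries pinned to loopback or 0.0.0.0 from entries redirected elsewhere. The watch-list of domains and the sample hosts file are constructed for the example.

```python
import ipaddress

# Constructed watch-list of security-vendor domains (example only; extend for your environment).
SECURITY_DOMAINS = {
    "symantec.com", "mcafee.com", "kaspersky.com", "avast.com",
    "sophos.com", "trendmicro.com", "eset.com", "microsoft.com",
}

# Constructed sample hosts file, not a capture from an infected machine.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
127.0.0.1   www.symantec.com symantec.com   # vendor site pinned to loopback
0.0.0.0     liveupdate.symantec.com
192.0.2.10  www.kaspersky.com               # vendor site sent to an attacker-chosen address
10.0.0.5    intranet.example                # unrelated internal entry, must not be flagged
"""

def parse_hosts(text: str) -> list:
    """Return (ip, hostname, line_no) for each mapping; handles comments and multi-name lines."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comment, split on whitespace
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            entries.append((fields[0], name.lower().rstrip("."), no))
    return entries

def is_watched(host: str) -> bool:
    """True for a watched domain or any of its subdomains (e.g. liveupdate.symantec.com)."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)

def find_blocked_security_hosts(text: str) -> list:
    """Flag every override of a watched domain: loopback/unspecified targets are "sinkholed", others "redirected"."""
    findings = []
    for ip, host, no in parse_hosts(text):
        if not is_watched(host):
            continue
        try:
            addr = ipaddress.ip_address(ip)
            reason = "sinkholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        except ValueError:
            reason = "unparseable address"
        findings.append({"line": no, "host": host, "ip": ip, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_blocked_security_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

Any hosts entry for an external vendor domain is abnormal on a managed endpoint, so every match is reported; the reason field only tells the analyst whether resolution was silently broken or diverted.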

Several variants of the worm have been identified:

In January 2012, the New York Times reported[15] that Facebook was planning to share information about the Clampi gang, and name those it believed were responsible. Investigations by German researcher Jan Droemer[16] and the University of Alabama at Birmingham's Center for Information Assurance and Joint Forensics Research[17] were said to have helped uncover the identities of those responsible.

Facebook finally revealed the names of the suspects behind the worm on January 17, 2012. They include Stanislav Avdeyko (leDed), Alexander Koltyshev (Floppy), Anton Korotchenko (KrotReal), Roman P. Koturbach (PoMuc), Svyatoslav E. Polichuck (PsViat and PsycoMan). They are based in St. Petersburg, Russia. The group is sometimes referred to as Ali Baba & 4 with Stanislav Avdeyko as the leader.[18] The investigation also connected Avdeyko with CoolWebSearch spyware.[16]

The Clampi threat is also the subject of many hoax warnings designed to trick social networking users into spreading misinformation across the Internet. Various anti-scam websites such as Snopes.com and ThatsNonsense.com have recorded many instances where alarmist messages designed to fool and panic Facebook users have begun to circulate prolifically using the widely publicized Clampi threat as bait.[19][20] The "Barack Obama-Clinton Scandal" hoax which was popular in 2010 is an example.

Other misconceptions have spread regarding the Clampi threat, including the false assertion that accepting "hackers" as Facebook friends will infect a victim's computer with Clampi, or that Facebook applications are themselves Clampi threats. These claims are untrue. Other rumours assert that Clampi is much more dangerous than other examples of malware and has the ability to delete all of your computer files and "burn your hard disk." However, these rumours are inspired by earlier fake virus warning hoaxes and remain false.[19]

References

  1. [citation not rendered on source page]
  2. [citation not rendered on source page]
  3. [citation not rendered on source page]
  4. [citation not rendered on source page]
  5. Clampi: Inside a Crimeware Network
  6. [citation not rendered on source page]
  7. [citation not rendered on source page]
  8. [citation not rendered on source page]
  9. Clampi malware distribution technique - automatic user account creation on FaceBook, Twitter, BlogSpot and others
  10. [citation not rendered on source page]
  11. [citation not rendered on source page]
  12. The Allure of Social Networking, describes Win32/Clampi affecting multiple social networks, as described on CA's Security Advisor Research blog
  13. [citation not rendered on source page]
  14. [citation not rendered on source page]
  15. Web Gang Operating in the Open
  16. [citation not rendered on source page]
  17. [citation not rendered on source page]
  18. [citation not rendered on source page]
  19. Clampi - What is it Really? article at ThatsNonsense.com, retrieved 26 January 2011
  20. Clampi article at snopes.com, retrieved 30 December 2010
