Inside the Clampi Trojan: Using Shellcode to Game Firewalls

By Matthew Hines  |  Posted 2009-10-27 Print this article Print

Many of today's Trojan malware threats utilize sophisticated techniques to circumvent firewall technologies and communicate with their distributors and/or controllers, but researchers with Symantec have peeled back the layers on the widespread Clampi attack to reveal a particularly innovative approach to defeating such defensive mechanisms.

In a recent blog post, Symantec researcher Nicolas Falliere detailed his latest work in examining the Clampi threat, explaining how the attack employs unique methods to achieve "enhanced stealth," therein defeating common firewalls (most commonly Windows Firewall) and generally making discovery and analysis of its code more difficult for security vendors and practitioners.

For starters, to utilize its "unusual" approach to evading firewalls and delivering its payload, the involved versions of Clampi feature the ability to go far beyond the traditional approach of merely adding new entries to a machine's Windows Registry and instead inject their code directly into Internet Explorer.

This approach alone might constitute a significant step forward compared to most Trojans, but Clampi's nefarious genius goes much deeper, the expert contends.

Rather than leaving its code running in the browser where it may also be somehow detected, for instance, the attackers have also designed Clampi to exercise its capabilities only when necessary, using an API proxy and "stubs" of code injected into IE when it decides to send information back outside to its controllers, to further evade discovery.

Additionally, after its initial execution, Clampi creates its own dedicated IE instance hidden from end users, and then uses advanced shellcode manipulation techniques to further avoid detection. This includes the use of methods that allow the attack to quietly retrieve and execute shellcode, as well as encrypt it to bypass any security controls that

might be watching.

The Clampi Trojan then creates memory maps to exchange information with the instance of IE acting as its proxy, and subsequently executes its API, creating a remote thread in the browser through which to execute its shellcode, Falliere said.

After executing the API, the threat goes back and actively deletes the memory maps it has created therein covering its tracks until the next time that its controllers want to carry out their work.

While other Trojan threats may enlist some of the same techniques to have their way with firewalls and endpoint devices and attempt to hide themselves, few do so as effectively and using such technically forward methods, the Symantec researcher concludes.

"The Clampi gang decided to inject their networking code into Internet Explorer, which is granted Web access by any standard firewall configuration out there," Falliere said. "Fair enough--that's another approach, but not a new one. Yet you've seen these guys don't do things the way other malware authors usually do."

And that's what separates the innovators from the masses.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel