Malware Domain List

Title: Inside Trojan.Clampi: The Research Paper
Post by: SysAdMini on November 10, 2009, 03:01:59 pm

In a nutshell, Clampi is an Infostealer threat. Its executable can be seen as a host for separate modules, containing the real payloads of the threat. These modules are heavily protected from reverse-engineering as well. The functionalities range from banking-site password stealing, to local credential gathering, to a SOCKS proxy. The communication with Clampi’s command & control servers, the “Gates”, uses HTTP and is encrypted. Clampi spawns and uses an Internet Explorer instance as an API proxy to achieve network communication, bypassing firewalls along the way.

One thing we mentioned in passing in the blog entries is that the main executable and the modules are protected from reverse-engineering by VMProtect, a commercial packer used to virtualize executable files. We decided to go a little deeper in the paper, introducing the reader to how VMProtect works, how it affects Clampi, the effort needed to analyze such files, and also present ways to partially reverse the protection scheme in order to allow white-box analysis of this threat.