Author Topic: Inside Trojan.Clampi: The Research Paper  (Read 3645 times)


November 10, 2009, 03:01:59 pm



In a nutshell, Clampi is an Infostealer threat. Its executable can be seen as a host for separate modules, containing the real payloads of the threat. These modules are heavily protected from reverse-engineering as well. The functionalities range from banking-site password stealing, to local credential gathering, to a SOCKS proxy. The communication with Clampi’s command & control servers, the “Gates”, uses HTTP and is encrypted. Clampi spawns and uses an Internet Explorer instance as an API proxy to achieve network communication, bypassing firewalls along the way.

One thing we mentioned in passing in the blog entries is that the main executable and the modules are protected from reverse-engineering by VMProtect, a commercial packer used to virtualize executable files. We decided to go a little deeper in the paper, introducing the reader to how VMProtect works, how it affects Clampi, and the effort needed to analyze such files, and also presenting ways to partially reverse the protection scheme in order to allow white-box analysis of this threat.
Ruining the bad guy's day
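The post notes that Clampi spawns an Internet Explorer instance and drives it as an API proxy so its C&C traffic leaves the host from a trusted browser process. One defensive observable of that behaviour is the process tree: a browser launched by something other than the user's shell or another browser deserves a look. The script below is an added illustration, not code from the post or from the Symantec paper; the field names are an assumed Sysmon-style schema, the parent allowlist is an assumption, and the events are constructed sample data.

```python
"""Flag iexplore.exe launches whose parent is not an expected interactive parent.

Added example: the schema (pid, ppid, image, parent_image), the allowlist of
expected parents and the sample events below are all assumptions/constructed
data, not telemetry from the Clampi analysis.
"""
from dataclasses import dataclass

# Parents from which a user-driven IE launch is normally expected (assumed allowlist;
# tune it to the environment being monitored).
EXPECTED_PARENTS = {"explorer.exe", "iexplore.exe", "userinit.exe"}
BROWSERS = {"iexplore.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # executable file name of the new process
    parent_image: str   # executable file name of the creating process


def suspicious_browser_launches(events):
    """Return (pid, parent_image) for browser starts from an unexpected parent."""
    hits = []
    for ev in events:
        if ev.image.lower() in BROWSERS and ev.parent_image.lower() not in EXPECTED_PARENTS:
            hits.append((ev.pid, ev.parent_image))
    return hits


# Constructed sample data: one benign user-started IE, one IE spawned by an
# unknown binary (a hypothetical name, not a real Clampi artifact).
SAMPLE_EVENTS = [
    ProcEvent(1200, 900, "explorer.exe", "userinit.exe"),
    ProcEvent(2200, 1200, "iexplore.exe", "explorer.exe"),
    ProcEvent(3100, 1200, "unknown_sample.exe", "explorer.exe"),
    ProcEvent(3150, 3100, "iexplore.exe", "unknown_sample.exe"),
]

if __name__ == "__main__":
    for pid, parent in suspicious_browser_launches(SAMPLE_EVENTS):
        print(f"iexplore.exe pid {pid} started by unexpected parent {parent}")
```

Parent-process lineage is a weak signal on its own; in practice it is correlated with the destination of the browser's outbound HTTP and with thread-injection or remote-control telemetry on the IE process before anyone acts on it.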