Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 29 September 2009

FireEye: Killing the beast...Part 3

In the third part of this series, I'm going to discuss the command and control structure of another famous botnet, Clampi a.k.a ilomo. Clampi is all about data stealing and is famous for its anti-reversing and evasion techniques. The financial damage this information stealer can cause is evident from the fact that it has recently been publicly disclosed of a cyber theft of more than $150,000. Notorious isn't it..?

Like the first two parts where I discussed the command and control structure of the Pushdo and Koobface botnets, I'll start by showing the current geographical distribution of Clampi CnCs, followed by a brief analysis on the chances of shutting down these control servers and hence the complete botnet.

This article is not an in depth analysis of the malware itself but concentrates more on current geo locations of Clampi command and control servers. For detailed in-depth analysis of this malware, one may refer to this.

Let's start with a brief introduction to the Clampi command and control architecture which is not a classical client/server model. As a matter of fact, there are two types of CnC servers involved here.


Read more
http://blog.fireeye.com/research/2009/09/killing-the-beastpart-3.html

References

FireEye: Killing the beast .... Part II
http://blog.fireeye.com/research/2009/06/killing-the-beastpart-ii.html

FireEye: Killing the beast .... Part I
http://blog.fireeye.com/research/2009/06/killing-the-beast.html

No comments: