A study of the Ilomo / Clampi botnet

From Botnets.fr
Jump to navigation Jump to search

(Publication) Google search: [1]

A study of the Ilomo / Clampi botnet
Botnet Clampi, Ilomo
Malware Ilomo (injecteur), Ilomo (bot)
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2009 / 20 aug2009
Editor/Conference Trend Micro
Link http://www.trendmicro.com/us/security-intelligence/research-and-analysis/index.html (Archive copy)
Author Alice Decker, David Sancho, Max Goncharov, Robert McArdle


Ilomo has been present in the malware landscape since at least the end of 2005, making it a veteran of the modern malware era. During that time it has changed its code constantly with an emphasis being placed on making the malware very difficult to reverse engineer, and also with the goal of staying under the radar. As with all malware it has picked up several names over that time but the most common are Ilomo, Clampi, Ligats or Rscan – we will use Ilomo in this report.

Evidence of the lengths which Ilomo has gone to in order to make analysis of the threat difficult is immediately clear as soon as a researcher disassembles the malware binary. In addition to its own unusual techniques (such as its method for injecting code into other processes, which we describe in detail) Ilomo employs a commercial obfuscator known as VMProtect. This obfuscator is available for as little as $200, easily affordable for any modern cybercriminal.
Each Ilomo node comes pre-configured with the locations of two Command & Control (C&C) servers, known as “gates” from which it can download updates, receive instructions, and download a larger list of gates. These gates are generally hosted machines (most likely compromised web servers), as opposed to ADSL home connections, more commonly seen in the case of other botnets.
The purpose behind Ilomo is very simple – information theft. Ilomo steals all password details from the infected machine (e.g. those held in protected storage) and also monitors all web traffic from the machine, with the goal of stealing login credentials for online banking, online email accounts, etc. The original origin of Ilomo is unclear. Taking into account our underground research in conjunction with the list of sites targets, it appears that Ilomo predominantly targets US users, and does not appear to be Russia or Eastern European in origin.
We have split this report into five main sections:

  • Firstly, we start with Ilomo Analysis, a section dealing with a step by step analysis of the behavior of the Ilomo malware.
  • The second section, VMProtect Obfuscator, aims to convey the methods of obfuscation used by the VMProtect packer.
  • The third section, Propagation, explains how Ilomo spreads from machine to machine.
  • The fourth section, Ilomo Symptoms, calls out the defining characteristics of Ilomo on one page, helping a system administrator to identify signs of an Ilomo infection
  • The fifth section, Protection, details the various components of Trend Micro’s Smart Protection Network which help defend against the Ilomo malware family.

Lastly, we have also included Appendices, which detail some additional information.
NOTE: All URLs, filenames, etc are correct at time of writing.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2009BFR860,
   editor = {Trend Micro},
   author = {Alice Decker, David Sancho, Max Goncharov, Robert McArdle},
   title = {A study of the Ilomo / Clampi botnet},
   date = {20},
   month = Aug,
   year = {2009},
   howpublished = {\url{http://www.trendmicro.com/us/security-intelligence/research-and-analysis/index.html}},