We examined a variant of this Clampi family of password stealers (also known as Ilomo) that was second most prevalent within the ThreatFire community. As described in previous posts, malware often injects malicious code into other processes (or hijacks other processes) running on a system for a variety of reasons. Two Win32 apis are most frequently called to do so: WriteProcessMemory and CreateRemoteThread. In the case of Clampi, we see that Clampi creates a new Internet Explorer process. Instead of using the worn out method of writing to the process memory space and then creating a thread on it, these guys pass a non-ASCII string of characters as a parameter to iexplorer.exe. For our fellow researchers, Ilomo’s CreateProcess lpCommandLine string starts like this:
“C:\Program Files\Internet Explorer\iexplore.exe” üë^‹þW¬Zt,AÀàŠØ¬,AêëìXÃèáÿÿÿILOMOIAJAAAAAAJAJAJAJAJAJAJAJAJAFOAPDBLJAIAAAAAAI
The parameter is copied to a region within the process virtual space by the process loader. Clampi’s malicious injector then calls VirtualQueryEx an arbitrary number of times on the Iexplore process until it finds a match on the memory region it is interested in, and then ReadProcessMemory and a lower level memory comparison to find an exact match on the shellcode content passed as parameter and maintained within the iexplore virtual memory space. Upon exact match, CreateRemoteThread is called on that memory location and the injected code runs within iexplore.
These sorts of unusual methods are invariably the result of determined efforts by the malware writers to evade security solutions that base their matches on WriteProcessMemory calls. This evasion is not effective against ThreatFire.
