Inside Trojan.Clampi: Network Modules

Today, we’ll discuss the two remaining Clampi modules, which provide replication and traffic-relay capabilities. The SOCKS module is very straightforward: it’s a SOCKS proxy server. Normal SOCKS proxy servers act as connection relays and are used for many purposes, such as connection filtering, passing traffic through firewalls, or maintaining anonymity.
The server’s code is injected into an instance of Internet Explorer. It then listens for incoming connections on a random TCP port above 5000. The SOCKS module is activated in response to a control server’s command. The client then sends the port it’s listening on for inbound connections to the proxy server:

In the above example, the SOCKS server will be listening on port 38329 (0x95B9 in hexadecimal).
Usually, relay servers like this one require authentication from the user’s side. In this case, there is none, which means that virtually anyone who finds out which port the proxy is listening on can connect to a compromised computer and have their traffic relayed through it (assuming the target is not hidden behind a NAT).
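As an added, defender-side example (not code from the original post), the indicators above translate into a simple host check: a browser process should open outbound connections, not accept inbound ones, so an `iexplore.exe` listener on a high TCP port is worth flagging. The `netstat -ano` text and PID-to-image mapping below are constructed samples, and the exact netstat layout is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (not a real capture): one
# iexplore.exe instance has an unexpected listener on a high port.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:38329          0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:49158     93.184.216.34:80       ESTABLISHED     2044
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
"""

# Constructed PID -> image name mapping (what `tasklist` would report).
SAMPLE_PROCESSES = {812: "svchost.exe", 2044: "iexplore.exe", 4: "System"}


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    port: int


# Matches a TCP line in LISTENING state, capturing local port and PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def find_suspect_listeners(netstat_text, processes, min_port=5000,
                           images=("iexplore.exe",)):
    """Return listeners owned by a browser process on a port above min_port.

    The threshold and image name follow the Clampi SOCKS module described
    above (code injected into Internet Explorer, random TCP port > 5000).
    """
    findings = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        port, pid = int(m.group(1)), int(m.group(2))
        image = processes.get(pid, "unknown")
        if port > min_port and image.lower() in images:
            findings.append(Finding(pid, image, port))
    return findings


if __name__ == "__main__":
    for f in find_suspect_listeners(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"suspect listener: pid={f.pid} image={f.image} port={f.port}")
```

On a real host, feed it the output of `netstat -ano` and a PID map built from `tasklist`; any hit should then be confirmed by inspecting the process's loaded modules and threads rather than treated as proof on its own.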
The remaining module is codenamed SPREAD, and again, its name is self-explanatory. Similarly to the ACCOUNTS module, this module is a dropper for a legitimate software tool that it will use to do the work on its behalf. These dropped programs are part of SysInternals’ (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.