Clomp – using & abusing PsExec

We’ve been following the Clomp family of malware, also known as Clampi, for some time now. It’s a strange beast, and its nasty polymorphic packed code changes with each new release. It also has some slightly unusual features; we’ve already talked about how Clomp injects code into Internet Explorer, and how this helps our HIPS technology spot and stop the malware. Something else that’s interesting is how it spreads across a network – rather than write the code themselves, the authors had a little help from Microsoft in the form of PsExec.

PsExec

PsExec is part of a suite of tools from Sysinternals, which was bought by Microsoft in 2006. It’s a lightweight program that lets you connect to remote machines and run software on them, which coincidentally is exactly what Clomp wants to do.

When Clomp runs (often as a file called 2.exe), it drops a copy of PsExec (usually as 1.exe) and uses it to try to connect to other computers on the network. If it manages to get access (for example if the infected computer is logged in as admin), then it runs itself on that remote machine. Hey presto, Clomp just used PsExec to spread like a worm!

The good news is that we detect PsExec as a potentially unwanted application – clearly it’s a tool that some people are going to want to use on their networks, but not everybody, and not everywhere. By stopping PsExec from running carefree on the network, you effectively cut off Clomp’s ability to spread, while giving an excellent early-warning signal against any new or broken forms of the malware that still use the same technique.
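The early-warning idea in the paragraph above, as an added example that is not code from the original post or from any Sophos product: a small detector run over constructed endpoint telemetry. It raises on two things the post describes. First, a process whose PE version resource (the Sysmon-style `OriginalFileName` field) identifies it as PsExec even when the file on disk has been renamed, as with the dropped `1.exe`; second, a service-install record on a target host for the `PSEXESVC` service that PsExec installs on the machine it connects to. The field names, the sample events and the `PSEXEC_ORIGINAL_NAMES` set are assumptions for this example; in practice the name list should be maintained from real PsExec builds.

```python
"""Flag PsExec use (renamed or not) in endpoint telemetry.

Added example, not part of the original post. Event dictionaries use
Sysmon-like field names (process_create) and Windows System-log-like
fields (service_install); both shapes are assumed here.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# OriginalFileName values reported by PsExec's version resource. Assumption:
# maintain this from real samples rather than trusting it as complete.
PSEXEC_ORIGINAL_NAMES = {"psexec.c", "psexec.exe", "psexec64.exe"}
PSEXEC_SERVICE_NAME = "psexesvc"  # service PsExec installs on the target host


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    severity: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_event(ev: dict, admin_hosts: Iterable[str] = ()) -> Optional[Alert]:
    """Rule 1: PsExec launched, judged by OriginalFileName not by path.

    A renamed copy (e.g. 1.exe) or a launch from a host that is not a known
    admin workstation is rated high; an admin's own psexec.exe is rated low so
    the legitimate use the post mentions is still visible but not noisy.
    """
    original = ev.get("original_file_name", "").lower()
    if original not in PSEXEC_ORIGINAL_NAMES:
        return None
    image = ev.get("image", "")
    renamed = _basename(image) not in PSEXEC_ORIGINAL_NAMES
    host = ev["host"]
    severity = "high" if renamed or host not in set(admin_hosts) else "low"
    what = "renamed PsExec" if renamed else "PsExec"
    return Alert(host, "psexec_launched", severity,
                 f"{what} run as {image}, parent {ev.get('parent_image', '?')}")


def check_service_event(ev: dict) -> Optional[Alert]:
    """Rule 2: PSEXESVC installed, i.e. this host was a PsExec target."""
    if ev.get("service_name", "").lower() != PSEXEC_SERVICE_NAME:
        return None
    return Alert(ev["host"], "psexec_service_installed", "high",
                 f"PSEXESVC installed from {ev.get('image_path', '?')}")


def scan(events: Iterable[dict], admin_hosts: Iterable[str] = ()) -> List[Alert]:
    """Apply both rules to a stream of events and collect the alerts."""
    admin = set(admin_hosts)
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("type") == "process_create":
            hit = check_process_event(ev, admin)
        elif ev.get("type") == "service_install":
            hit = check_service_event(ev)
        else:
            hit = None
        if hit is not None:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs): the infected workstation WS01
# runs 2.exe, which launches a renamed PsExec (1.exe) against WS02; WS02 then
# records the PSEXESVC service install. ADMIN01 shows a legitimate admin use.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "image": r"C:\Users\bob\2.exe",
     "parent_image": r"C:\Windows\explorer.exe", "original_file_name": ""},
    {"type": "process_create", "host": "WS01", "image": r"C:\Users\bob\1.exe",
     "parent_image": r"C:\Users\bob\2.exe", "original_file_name": "psexec.c"},
    {"type": "service_install", "host": "WS02", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"type": "service_install", "host": "WS02", "service_name": "Spooler",
     "image_path": r"%SystemRoot%\System32\spoolsv.exe"},
    {"type": "process_create", "host": "ADMIN01", "image": r"C:\Tools\PsExec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "original_file_name": "psexec.c"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS, admin_hosts=["ADMIN01"]):
        print(f"[{a.severity}] {a.host}: {a.rule}: {a.detail}")
```

Keying rule 1 on the version resource rather than the file name is the point: the post notes that Clomp drops PsExec under an arbitrary name, so a path-based rule misses exactly the case you care about. Rule 2 catches the other end of the connection, which matters when the source host has no agent at all.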

Our detection of PsExec and of the Internet Explorer injection technique shows how Clomp has squarely shot itself in the foot – its “clever features” mean that it announces its presence to anybody who cares to listen.