Security is a Journey, not a destination.

So you got: Clampi/Ilomo

Posted by admin on June 18, 2010

So you got one of the most interesting pieces of malware I have ever had the displeasure of doing IR on…

Multi-stage, evolving, silent…

It seems to always arrive through a drive-by download, and then it sits silently and waits for its C&C server to provide instructions…

It drops onto the system and creates a number of registry keys with names that are hard to anticipate, along with files with semi-random names. That makes it hard to find, but the one key you can count on appearing is

HKCU\Software\Microsoft\Internet Explorer\Settings\Gateslist

Note that this is under HKCU, so it lives in the hive of the user who was infected. Check it while logged on as that user, or look under the matching HKU\<SID> subkey (only present while that profile is loaded) or in the user's NTUSER.DAT on disk; checking HKCU from a different account will not show it.

The most important thing you can do to prevent the spread of Clampi/Ilomo once it is on your network is to stop doing day-to-day work with Domain Administrator privileges, especially on workstations. One of the most dangerous aspects of Clampi/Ilomo is its ability to log the credentials of whoever is logged on and reuse them to spread across your network using legitimate administration tools like PSEXEC. If the logged-on user holds Domain Admin rights, every machine in the domain is reachable with a single infection, so keep Domain Admin accounts for domain controller work only and use a separate, unprivileged account for everything else.
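If you want to know whether harvested credentials are already being replayed, the two traces that PSEXEC-style spreading leaves on a target are a PSEXESVC service installation (System log, event ID 7045 on Vista/2008 and later) and network (type 3) logons by privileged accounts on machines they should never touch. The PowerShell below is an added example, not code from the original post or from Trend Micro; it assumes admin rights on the targets, that remote event-log access is allowed through the firewall, that logon auditing is enabled, and the host names and privileged account names in it are constructed samples.

```powershell
# Added example, not from the original post: sweep hosts for PSEXESVC service
# installs (System 7045) and network logons by privileged accounts (Security
# 4624, LogonType 3). Assumes Vista/2008-or-later targets, admin rights on
# them, remote event-log access, and logon auditing enabled.
$hosts      = @('WKS-001', 'WKS-002')        # constructed sample host list
$privileged = @('da-rbaker', 'svc-backup')   # constructed: Domain Admin accounts
$since      = (Get-Date).AddDays(-7)

function Get-PsExecServiceInstalls {
    param([string]$ComputerName, [datetime]$StartTime)
    # PsExec copies PSEXESVC.EXE to the target and installs it as a service;
    # the service install is recorded as event 7045 in the System log.
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $StartTime } |
        Where-Object { $_.Message -match 'PSEXESVC' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Computer = $ComputerName
                Time     = $_.TimeCreated
                Finding  = 'PSEXESVC service installed'
            }
        }
}

function Get-PrivilegedNetworkLogons {
    param([string]$ComputerName, [datetime]$StartTime, [string[]]$Accounts)
    # 4624 event data (Vista/2008 schema): index 5 = TargetUserName,
    # index 8 = LogonType (3 = network, which is what psexec/SMB produces),
    # index 18 = source IpAddress.
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime } |
        Where-Object {
            $_.Properties[8].Value -eq 3 -and
            ($Accounts -contains $_.Properties[5].Value)
        } |
        ForEach-Object {
            $user = $_.Properties[5].Value
            $src  = $_.Properties[18].Value
            New-Object PSObject -Property @{
                Computer = $ComputerName
                Time     = $_.TimeCreated
                Finding  = "network logon by privileged account $user from $src"
            }
        }
}

$findings = foreach ($h in $hosts) {
    Get-PsExecServiceInstalls   -ComputerName $h -StartTime $since
    Get-PrivilegedNetworkLogons -ComputerName $h -StartTime $since -Accounts $privileged
}

if ($findings) {
    $findings | Sort-Object Time | Format-Table Time, Computer, Finding -AutoSize
} else {
    Write-Host 'No PSEXESVC installs or privileged network logons found in the window'
}
```

A privileged network logon to a workstation is not proof of compromise on its own (a legitimate admin may have used psexec too), but paired with a 7045 for PSEXESVC at the same time and a source address that is another workstation rather than an admin jump box, it is exactly the pattern the spreading described above produces.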

@echo off && reg query "HKCU\Software\Microsoft\Internet Explorer\Settings\Gateslist" /s || echo Does not Exist!!!!

The key path contains a space, so it has to be quoted or reg.exe treats "Explorer\Settings\Gateslist" as a stray argument. Run this as the user whose profile you suspect: reg query prints the key's values and subkeys when it exists and exits non-zero when it does not, which is what triggers the echo.
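The one-liner above checks a single profile on a single machine. To sweep a list of hosts and every user hive that is loaded on each of them, the following PowerShell is an added example (not from the original post or from Trend Micro); it uses the Remote Registry service to walk HKEY_USERS, so it assumes that service is running on the targets, that you are a local admin on them, and that the host list is a constructed sample. It checks for "Gateslist" both as a value name and as a subkey, since the one-liner treats it as a key while the name alone does not say which it is.

```powershell
# Added example, not from the original post: sweep hosts for the Clampi/Ilomo
# "Gateslist" indicator under every loaded user hive in HKEY_USERS.
# Assumes Remote Registry is running on each target and the caller is a local
# admin there. Host names below are constructed for illustration.
$hosts     = @('WKS-001', 'WKS-002')   # constructed sample host list
$relPath   = 'Software\Microsoft\Internet Explorer\Settings'
$indicator = 'Gateslist'

function Test-GateslistOnHost {
    param([string]$ComputerName)
    $hits = @()
    try {
        $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    } catch {
        Write-Warning "$ComputerName : cannot open remote registry ($($_.Exception.Message))"
        return $hits
    }
    # HKEY_USERS only holds hives that are currently loaded, i.e. users who
    # are logged on. An infected user who is logged off will not show up here
    # and must be checked via the NTUSER.DAT in their profile directory.
    foreach ($sid in $hku.GetSubKeyNames()) {
        # Only real domain/local user SIDs; skip .DEFAULT, service SIDs and *_Classes.
        if ($sid -notmatch '^S-1-5-21-' -or $sid -like '*_Classes') { continue }
        $key = $hku.OpenSubKey("$sid\$relPath")
        if ($null -eq $key) { continue }
        $asValue  = $key.GetValueNames()  -contains $indicator   # -contains is case-insensitive
        $asSubKey = $key.GetSubKeyNames() -contains $indicator
        if ($asValue -or $asSubKey) {
            if ($asValue) { $how = 'value' } else { $how = 'subkey' }
            $hits += New-Object PSObject -Property @{
                Computer = $ComputerName
                UserSid  = $sid
                Found    = $how
            }
        }
        $key.Close()
    }
    $hku.Close()
    return $hits
}

$results = foreach ($h in $hosts) { Test-GateslistOnHost -ComputerName $h }

if ($results) {
    $results | Format-Table Computer, UserSid, Found -AutoSize
} else {
    Write-Host 'Gateslist not found under any loaded user hive on the listed hosts'
}
```

Resolve the SIDs it reports back to account names before acting on them; those accounts are the ones whose credentials you should assume have been logged.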

Ilomo botnet analysis by Trend Micro


About Us

Path Security is run by Richard E. Baker. Richard has been working with computers since he found an old Apple IIe in the bin outside of his elementary school. One man's trash and all, the video connector was soon fixed and it soon consumed more time on the TV than the Nintendo. Who else remembers Apple BASIC? He is currently refocusing on the Information Security Path. Come and walk the Path.
