Knock, Knock…Who’s there? Ilomo. Ilomo who?

Call it Ilomo, Clampi, Rscan, or Ligats—whatever you call it, it’s getting a fair share of the security spotlight due to recent discussions at Black Hat.

So what is Ilomo?

Ilomo is essentially an “old” botnet Trojan dating back to 2007, which primarily targets the banking industry via a two-pronged attack:

• Step 1: it lures unsuspecting users to a seemingly benign website.

• Step 2: it harvests user login credentials and uses them to inject itself into the browser code and assimilate the user’s machine into a borg by downloading miscellaneous malware.

• The end result: your machine becomes a zombie that has a new master. And its new master is set on sabotaging your network’s security from the inside out.

The perpetrators behind Ilomo are motivated by money. By targeting banking sites, they are able to use the information that they harvest to easily steal funds from online bankers. And, to make matters worse, Ilomo is also designed to keep an eye out for domain administrator credentials (the keys to the castle), making it even more of a threat. If Ilomo captures the credentials of a privileged account on the network, it can use PsExec (part of the PsTools suite) to log in to all other machines on the network and invite them to join in on the fun…

The good news: Since Ilomo has been around for a while, virtually all major antivirus vendors have reliable signatures for detecting it.

The bad news: Every business has those one or two vulnerable machines lurking somewhere in the dark corners of their network. You know the ones. The machines that have somehow escaped our careful calculation and have painfully out-of-date signature files, no antivirus software running, or even worse, have had the antivirus service disabled by some rogue admin so he can play Elf Bowling…

Ilomo can spread at a rapid rate. If your network becomes infected, TriGeo can help. TriGeo’s correlation and active responses (such as the ability to automatically kill a process like PsExec) will alert you to this activity and stop the spread of the infection. TriGeo can also keep an eye out for unusual login attempts, like the Elf Bowler’s account suddenly trying to log in to sensitive servers. In addition, TriGeo can monitor Web traffic and can warn users if a machine visits a known “bad” site associated with the virus.
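To make the correlation idea concrete, here is an added example (not TriGeo’s rule code) that runs two checks over constructed, simplified logon events: one account reaching many distinct hosts within a few minutes (the PsExec fan-out that follows captured domain-admin credentials), and an ordinary user account logging on to servers it has no business touching. The event format, host names, the `SENSITIVE_HOSTS` set and the `ALLOWED_ON_SENSITIVE` baseline are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not real logs): timestamp,account,target host.
SAMPLE_EVENTS = [
    "2009-08-01 09:00:01,elfbowler,WS-017",
    "2009-08-01 09:05:00,elfbowler,WS-017",
    "2009-08-01 09:30:10,elfbowler,DC01",
    "2009-08-01 09:30:12,elfbowler,FILESRV01",
    "2009-08-01 09:30:14,elfbowler,WS-003",
    "2009-08-01 09:30:15,elfbowler,WS-004",
    "2009-08-01 09:30:17,elfbowler,WS-005",
    "2009-08-01 10:00:00,backupsvc,FILESRV01",
    "2009-08-01 10:00:00,jdoe,WS-021",
]
SENSITIVE_HOSTS = {"DC01", "FILESRV01"}           # assumed list of sensitive servers
ALLOWED_ON_SENSITIVE = {"backupsvc", "domainadmin"}  # assumed baseline of expected accounts

def parse_event(line):
    ts, account, host = line.split(",")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account, host

def fan_out_alerts(lines, window=timedelta(minutes=5), threshold=4):
    """Accounts that logged on to >= threshold distinct hosts inside `window`.
    One account pushing PsExec to many machines in quick succession looks like this."""
    per_account = defaultdict(list)
    for ts, account, host in sorted(map(parse_event, lines)):
        per_account[account].append((ts, host))
    alerts = {}
    for account, events in per_account.items():
        for i, (start, _) in enumerate(events):
            # Distinct hosts touched in the window that opens at this event.
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= threshold:
                alerts[account] = sorted(hosts)
                break
    return alerts

def sensitive_logon_alerts(lines, sensitive=SENSITIVE_HOSTS, allowed=ALLOWED_ON_SENSITIVE):
    """Accounts outside the allowed baseline that logged on to a sensitive host."""
    hits = defaultdict(set)
    for _, account, host in map(parse_event, lines):
        if host in sensitive and account not in allowed:
            hits[account].add(host)
    return {account: sorted(hosts) for account, hosts in hits.items()}

if __name__ == "__main__":
    print("fan-out:", fan_out_alerts(SAMPLE_EVENTS))
    print("sensitive:", sensitive_logon_alerts(SAMPLE_EVENTS))
```

Either alert on its own is worth a look; both firing for the same account within minutes is the pattern the post describes and a good trigger for an automated response such as killing the PsExec process.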

TriGeo has released several new rules that are specifically designed to monitor and respond to Ilomo-like activity on the network – helping midmarket businesses shut the door on Ilomo and thieves that are trying to access sensitive information.

TriGeo customers can download the Ilomo rules for free from the TriGeo Portal.

As always, if you have any questions, feel free to contact Technical Support.


This post was written by Amanda Meyer.

