Daily cyber threats and internet security news: network security, online safety and latest security alerts
August 24th, 2009

Ilomo Botnet Making A Mockery Of Banks’ Secure Login Systems

Ilomo has been present in the malware landscape since at least the end of 2005, making it a veteran of the modern malware era. Over that time its code has changed constantly, with emphasis on making the malware very difficult to reverse engineer and on staying under the radar. As with all malware it has picked up several names along the way; the most common are Ilomo, Clampi, Ligats and Rscan.

The Ilomo botnet has been active without attracting much unwanted attention from the security industry. Like the Pushdo botnet, Ilomo is quite modular in nature, which makes it difficult to see the actions of the overall threat from any single component. Added to this is the fact that it uses a commercial virtual machine obfuscator, significantly adding to the effort involved in reverse engineering the malware binaries.

Ilomo has two key components to its business plan. The first is good old-fashioned information stealing. Ilomo injects its code into the browser and monitors the internet connection, waiting for the user to connect to one of over 4,000 banking, financial or webmail sites. Not content with simply stealing the user’s credentials, Ilomo can also “piggyback” on the user’s session, issuing its own requests from inside the session the victim has already authenticated. This is what makes a mockery of the bank’s secure login system: the fraudulent transfer arrives carrying the victim’s valid session, after the login step has already succeeded, so the login is not broken so much as rendered irrelevant, however strong it is. Ilomo will also harvest all other login credentials from the machine (FTP, web servers, local administrators, etc.), which are then used to spread across the network and to take control of web servers online, which it in turn uses to host new versions of the malware.
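The session piggybacking described above, as an added illustration (this is not code from the article or from Trend Micro’s analysis): a toy in-process bank in Python with a deliberately strong login, then a man-in-the-browser step that reuses the victim’s session id to issue its own transfer. The account names, credentials, amounts and the HMAC-based per-transaction confirmation scheme in the hardened variant are all constructed for the example; the hardened variant is included to show the kind of control that does what a login check cannot, namely binding each transfer to its own destination and amount.

```python
"""Why a man-in-the-browser trojan defeats a strong login.

The trojan acts *after* authentication, inside the victim's established
session, so the bank only ever sees requests carrying a valid session id.
Constructed example: names, credentials, amounts and the confirmation scheme
are invented for illustration and are not taken from any real bank.
"""
import hashlib
import hmac
import secrets


class Bank:
    """A bank whose only protection is the login step."""

    def __init__(self):
        self.balances = {"alice": 1000, "bob": 0, "mule": 0}
        self.sessions = {}  # session id -> account name
        # Per-customer secret shared with an out-of-band signing device
        # (used by the hardened variant only). Constructed value.
        self.device_keys = {"alice": b"device-key-for-alice"}

    def login(self, user, password, otp):
        # Strong login: password plus one-time code. Correct as far as it
        # goes; the attack below never touches it.
        if (user, password, otp) != ("alice", "correct horse battery", "492817"):
            raise PermissionError("login failed")
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def transfer(self, sid, dest, amount, confirmation=None):
        user = self.sessions.get(sid)
        if user is None:
            raise PermissionError("no session")
        self._authorize(user, dest, amount, confirmation)
        if self.balances[user] < amount:
            raise ValueError("insufficient funds")
        self.balances[user] -= amount
        self.balances[dest] += amount

    def _authorize(self, user, dest, amount, confirmation):
        # Weak bank: a valid session is all it takes.
        return


class HardenedBank(Bank):
    """Each transfer must carry a confirmation code bound to its own details."""

    @staticmethod
    def confirmation_code(key, dest, amount):
        # Stands in for a code computed on a device the trojan cannot reach.
        msg = f"{dest}:{amount}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]

    def _authorize(self, user, dest, amount, confirmation):
        expected = self.confirmation_code(self.device_keys[user], dest, amount)
        if confirmation is None or not hmac.compare_digest(confirmation, expected):
            raise PermissionError("transaction not confirmed")


def victim_session(bank):
    """Alice logs in legitimately. The trojan in her browser sees the
    resulting session id (the cookie) exactly as the browser does."""
    return bank.login("alice", "correct horse battery", "492817")


def mitb_attack(bank, sid, stolen_confirmation=None):
    """What the trojan does after the victim has authenticated: issue its own
    transfer inside her session. Returns True if the money moved."""
    before = bank.balances["mule"]
    try:
        bank.transfer(sid, "mule", 900, confirmation=stolen_confirmation)
    except (PermissionError, ValueError):
        pass
    return bank.balances["mule"] > before


def demo():
    # 1. Login-only bank: the strong login is irrelevant to the outcome.
    weak = Bank()
    weak_robbed = mitb_attack(weak, victim_session(weak))

    # 2. Hardened bank: Alice confirms her own 50-unit transfer to bob; the
    #    trojan tries to reuse that code for its mule/900 transfer.
    hard = HardenedBank()
    sid = victim_session(hard)
    alice_code = HardenedBank.confirmation_code(hard.device_keys["alice"], "bob", 50)
    hard.transfer(sid, "bob", 50, confirmation=alice_code)
    hard_robbed = mitb_attack(hard, sid, stolen_confirmation=alice_code)
    return weak_robbed, hard_robbed, hard.balances


if __name__ == "__main__":
    print(demo())  # (True, False, {'alice': 950, 'bob': 50, 'mule': 0})
```

Running `demo()` shows the weak bank losing 900 to the mule despite the two-factor login, and the hardened bank rejecting both a bare injected transfer and one that reuses a confirmation code issued for different details. One caveat the model does not capture: a trojan that controls the browser can also alter what the victim sees, so a confirmation device only helps if it displays the real destination and amount to the user before signing.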

Ilomo’s second source of revenue is selling “anonymity as a service”. Every infected Ilomo machine acts as a proxy, so that criminals can route their illegal activities through different networks and countries. In addition to hiding the criminals’ identities, this proxy network is very useful for defeating another defense built into many banking sites, namely that they can only be accessed from certain countries. If a criminal needs to access a Brazilian bank, they simply route the connection through an infected Ilomo machine in Brazil, and the bank sees a Brazilian source address.

More information and detailed technical aspects can be found in the original TrendLabs analysis.

Credit: TrendLabs Malware Blog by Trend Micro
