Organisations are being warned to beware of a ferocious piece of malware that has infected up to a million PCs, after a noted botnet researcher said it is stealing a "tremendous" amount of financial information from consumers and businesses.

"Clampi is the most professional thieving pieces of malware I've ever seen," said Joe Stewart, director of malware research for SecureWorks' counter-threat unit. "We know of few others that are this sophisticated and wide-ranging. It's having a real impact on users."

The Clampi Trojan horse has infected anywhere between 100,000 and 1 million Windows PCs, said Stewart - "We don't have a good way of counting at this point," he acknowledged - and targets the user credentials of 4,500 websites.

That's an astounding number, said Stewart, who has identified 1,400 of the 4,500 total. "There are plenty of other banking Trojans out there, but they usually target just 20 or 30 sites."

Hackers sneak Clampi onto PCs by duping a user into opening an emailed file attachment or by using a multi-exploit toolkit that tries attack code for several different Windows vulnerabilities, Stewart said. Once on a machine, the Trojan monitors web sessions, and if the PC owner browses to one of 4,500 sites, it captures usernames, passwords, PINs and other personal information used to log on to those sites, or to fill out forms.

Periodically, Clampi "phones home" the hijacked information to a command-and-control server run by the hackers, who then empty bank or broker accounts, purchase goods using stolen credit card information or simply compile it for future use, said Stewart.

Although that describes most key-logging or spying malware, Stewart said Clampi is different, both because of the obvious scale of its operation and because of the multiple layers of encryption and deception used by its makers to cloak the attack code and make it nearly impossible for researchers to investigate its workings.

Stewart started tracking Clampi in 2007, but began an intensive examination earlier this year. "The packing that Clampi uses is very sophisticated, and makes it really, really difficult to reverse engineer, said Stewart. "I'd say this is the most difficult piece of malware I've ever seen to reverse engineer." Security researchers often will reverse engineer malware - pulling it apart to try to decipher how it works - during their investigations.

"They're using virtual machine-based packers that lets them take code from a virtual CPU instruction set, so that the next time it's packed, it's completely different," said Stewart. "You can't look at Clampi with a conventional tool, like a debugger. It's a real mess to follow, frankly."

The Trojan also encrypts the traffic between hijacked systems and the botnet command-and-control server using multiple methods, said Stewart. Not only is the network communications traffic encrypted in 448-bit blowfish encryption, but the strings inside the attack code binaries are also encrypted. Clampi also uses another unusual tactic to hide from antivirus scanners; its modules -- there are anywhere from four to seven different pieces of the malware -- are stored as encrypted "blobs" in the Windows registry.

The sheer scope of the Clampi operation also separates it from run-of-the-mill financial malware, Stewart argued. "They're targeting not just banking sites, but a wide variety of sites where people put in credentials that help them steal money somehow," said Stewart. Among the 1,400 site he has identified are military information portals, mortgage, insurance, online casino, utility advertising networks and news sites. The sites are hosted in 70 different countries.

"That, in itself, speaks to a vast operation on the back end," Stewart said.