Written by: Oscar Abendan


Variants of the AMBLER malware family steal information from affected systems. Trend Micro detected variants of this malware as early as 2009.�

A malware variant said to have ZeuS-like info-stealing routines (see ZeuS) has also been reported in the media as Sunspot, although TrendLabs has verified that it is another variant of the AMBLER malware family. Trend Micro detects the said malware as TROJ_AMBLER.KA and TSPY_AMBLER.KA.


How does the malware arrive on users’ systems?


Trend Micro detects different worm (WORM_AMBLER), Trojan (TROJ_AMBLER) and Trojan spyware (TSPY_AMBLER) variants under the AMBLER family. As such, users may encounter AMBLER variants via different infection vectors.�

They may be downloaded from malicious or compromised websites unknowingly by a user or by other malware already installed in the system. Other malware may also drop AMBLER Trojans onto an affected system. In some instances, AMBLER Trojans may arrive via attachments to spammed messages.
AMBLER Trojans usually drop a Trojan spyware component, which is responsible for stealing online banking information.�
WORM_AMBLER spread via removable drives. They also drop a Trojan spyware component onto affected systems.�


How does this attack work?


Typically, the AMBLER Trojan or worm component drops the Trojan spyware component onto specific folders in the system. This Trojan spyware component then conducts information theft routines once users access specific websites.�


What is the main risk of the TSPY_AMBLER?


The spyware component of this attack (detected as TSPY_AMBLER) is capable of performing man-in-the-browser attacks which include web injections, page-grabbing, key-logging and screen capturing.�

TSPY_AMBLER steals the following information:�
  • Bank of America user credentials�
  • Certificates�
  • Internet cookies
  • Internet Explorer auto-complete fields
  • Internet Explorer auto-complete passwords
  • Internet Explorer Password-protected sites
  • Microsoft Outlook Express user credentials
  • MSN Explorer login credentials
  • Passwords stored in pstorec.dll
It also has the following capabilities:
  • Delete cookies
  • Delete itself
  • Enumerate drives
  • Log keystrokes
  • Shutdown system


By doing this, the variant steals account, online banking information of the affected user. TSPY_AMBLER then sends these data via HTTP POST to specific URLs.�


Why is this attack noteworthy?


AMBLER variants are known to steal important information related to online accounts in banking and other financial entities. Victims are also asked for other additional identifiable information among these addresses, birth date, driver’s license and answers to security questions.�


How are users affected by this attack?


AMBLER variants are designed to steal sensitive information from users, such as online banking credentials, account information, and other personally identifiable information (PII). These pieces of stolen information maybe used for several malicious activities or sold in the underground market.�

In some cases, stolen credentials are used to initiate unauthorized money transfers, resulting to monetary loss.�


Are Trend Micro users protected from this threat?

Trend Micro product users are protected from this attack via its Trend Micro™ Smart Protection Network™. The File reputation technology effectively detect and delete TROJ_AMBLER, TSPY_AMBLER and WORM_AMBLER variants from affected systems. The Web reputation services immediately block access to malicious URLs where the AMBLER variants may be downloaded from or where they send information.