TSPY_AMBLER


 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Spammed via email, Dropped by other malware

AMBLER variants were first seen in the wild in 2009. It is a family of Trojans, spyware, and worms that are designed to steal sensitive information from users. Some of the information it steals are the following:

  • online banking credentials

  • account information

  • other personally identifiable information (PII)

The stolen information may be used by the cybercriminals for other malicious activities or sold in the underground cybercrime.

This malware family typically arrives as an attachment to spammed messages. It can be downloaded from compromised and malicious websites. Aside from its information-stealing routines, AMBLER variants have the capability to perform man-in-the-browser attacks such as keylogging, screen capturing, and web injections.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Steals information

Installation

This Trojan drops the following files:

  • %System%\tftb71.dll
  • %System%\vktyfd.dll
  • %System%\giw
  • %System%\iafzb
  • %System%\klgd.bmp
  • %System%\bdf.txt
  • %System%\ccdf.txt
  • %System%\eeef.txt
  • %System%\fsc.txt
  • %System%\ide.txt
  • %System%\lbbf.txt
  • %System%\lrg.txt
  • %System%\xef.txt

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It drops the following copies of itself into the affected system:

  • {drive letter}:\RECYCLER\recycld.exe

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
hihg = "rundll32.exe vktyfd.dll,ID"

It adds the following registry keys to install itself as a Browser Helper Object (BHO):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects
{6A79CF97-91F1-40BC-8CAB-44184B496B6D} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects
{94EA03C3-5988-4428-A5BF-5AB34C82C806} =

Other System Modifications

This Trojan adds the following registry entries as part of its installation routine:

HKEY_CLASSES_ROOT\CLSID\{6A79CF97-91F1-40BC-8CAB-44184B496B6D}
{default} = "Internet Explorer Plugin"

HKEY_CLASSES_ROOT\CLSID\{94EA03C3-5988-4428-A5BF-5AB34C82C806}
{default} = "Internet Explorer Plugin"

HKEY_CLASSES_ROOT\CLSID\{6A79CF97-91F1-40BC-8CAB-44184B496B6D}\
InprocServer32
{default} = "tftb71.dll"

HKEY_CLASSES_ROOT\CLSID\{94EA03C3-5988-4428-A5BF-5AB34C82C806}\
InprocServer32
{default} = "vktyfd.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{6A79CF97-91F1-40BC-8CAB-44184B496B6D}
{default} = "Internet Explorer Plugin"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{94EA03C3-5988-4428-A5BF-5AB34C82C806}
{default} = "Internet Explorer Plugin"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{6A79CF97-91F1-40BC-8CAB-44184B496B6D}\InprocServer32
{default} = "tftb71.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{94EA03C3-5988-4428-A5BF-5AB34C82C806}\InprocServer32
{default} = "vktyfd.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{E3428D3F-3725-4FE1-986A-57EAE3E08123}
{default} = "IE development helper "

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{E3428D3F-3725-4FE1-986A-57EAE3E08123}
StubPath = "rundll32 vktyfd.dll,laspi"

HKEY_LOCAL_MACHINE\SOFTWARE\Rapport
JGG = "{random characters}"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Enable Browser Extensions = "yes"

It adds the following registry keys as part of its installation routine:

HKEY_CLASSES_ROOT\CLSID\{6A79CF97-91F1-40BC-8CAB-44184B496B6D}

HKEY_CLASSES_ROOT\CLSID\{94EA03C3-5988-4428-A5BF-5AB34C82C806}

HKEY_LOCAL_MACHINE\SOFTWARE\Rapport

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{6A79CF97-91F1-40BC-8CAB-44184B496B6D}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{94EA03C3-5988-4428-A5BF-5AB34C82C806}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{E3428D3F-3725-4FE1-986A-57EAE3E08123}