The Ambler Trojan is a fairly standard BHO-based malware. It appears to be based on the earlier NetHell/Limbo family, with which it shares many properties (including the file formats of the configuration file and the temporary storage file, and their encryption algorithms).
Ambler was observed to be distributed through drive-by infections (in particular, a spam message directing the victim to a malicious site, where the victim’s machine is infected through a PDF exploit). The shellcode then retrieves Ambler’s installer from a remote server and runs it. Ambler installs itself as a BHO (it drops a DLL under C:\Windows\system32 and registers it as a BHO). It comes with a configuration file that targets financial websites (many different configuration files were observed in the wild, with a wide range of targets). Ambler is capable of intercepting user form submissions (by subscribing to browser DOM events). It is also capable of replacing various HTML tags and sections with data from its configuration file, thereby injecting HTML into financial website pages.
The interesting bit about Ambler’s behavior is this: unlike its predecessors, when Ambler intercepts a user’s form submission, it does not immediately send the intercepted data to the C&C server. Rather, it accumulates the data in a local file and sends this file to the C&C server at the next browser restart. Thus, any attempt to correlate the network traffic generated by this malware with the user’s navigation to a financial site is bound to fail. Perhaps more interestingly, any attempt to isolate the user’s machine from other sites on the network while the user is browsing a financial site will not achieve its goal in this case, since Ambler will not even try to send the captured data while the user is navigating the financial site. Rather, as explained above, Ambler waits for a browser restart to send this data, so the captured credentials reach the C&C server at a time when the user is not navigating the financial site.
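The timing behavior described above suggests a different correlation for defenders: rather than tying outbound traffic to navigation to a financial site, tie it to browser process starts. The following is an added illustration, not part of the original analysis; the log format, the 60-second window and the minimum-restart threshold are assumptions for this example.

```python
"""Correlate browser starts with outbound POSTs that follow shortly after.

Added example (not from the original write-up). A destination that receives a
POST within a short window after several distinct browser starts matches the
restart-time exfiltration pattern described for Ambler, which navigation-time
correlation would miss. Field names, window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, host, kind, detail)
SAMPLE_EVENTS = [
    ("2010-01-12 09:00:00", "ws1", "proc_start", "iexplore.exe"),
    ("2010-01-12 09:00:07", "ws1", "http_post", "203.0.113.10"),   # right after start
    ("2010-01-12 09:01:30", "ws1", "http_get", "bank.example"),
    ("2010-01-12 09:05:00", "ws1", "http_post", "bank.example"),   # normal login POST
    ("2010-01-12 13:00:00", "ws1", "proc_start", "iexplore.exe"),
    ("2010-01-12 13:00:04", "ws1", "http_post", "203.0.113.10"),   # again after restart
    ("2010-01-12 13:20:00", "ws1", "http_post", "mail.example"),
    ("2010-01-13 08:30:00", "ws2", "proc_start", "iexplore.exe"),
    ("2010-01-13 08:30:03", "ws2", "http_post", "cdn.example"),    # only one start: ignored
]

BROWSERS = {"iexplore.exe", "firefox.exe"}
WINDOW_SECONDS = 60   # assumption: "shortly after restart"
MIN_RESTARTS = 2      # assumption: destination must recur across starts


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def early_post_destinations(events, window=WINDOW_SECONDS, min_restarts=MIN_RESTARTS):
    """Return {(host, dest): number_of_starts} for POST destinations contacted
    within `window` seconds of at least `min_restarts` distinct browser starts."""
    last_start = {}            # host -> time of most recent browser start
    hits = defaultdict(set)    # (host, dest) -> set of start times it followed
    for ts, host, kind, detail in sorted(events, key=lambda e: parse_ts(e[0])):
        t = parse_ts(ts)
        if kind == "proc_start" and detail.lower() in BROWSERS:
            last_start[host] = t
        elif kind == "http_post" and host in last_start:
            if (t - last_start[host]).total_seconds() <= window:
                hits[(host, detail)].add(last_start[host])
    return {k: len(v) for k, v in hits.items() if len(v) >= min_restarts}


if __name__ == "__main__":
    for (host, dest), n in early_post_destinations(SAMPLE_EVENTS).items():
        print(f"{host}: POST to {dest} within {WINDOW_SECONDS}s of {n} browser starts")
```

On the constructed sample this reports only ws1's repeated early POSTs to 203.0.113.10; the bank login and the single early POST on ws2 are not flagged.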
This analysis is based on an Ambler installer whose MD5 hash is 8de9ebc76c630fac7c25bd89e50468d5.