Threat Research & Response Blog
There's been talk of a new threat called "Sunspot", which we detect as Win32/Ambler.A. Like several others in the AV industry, we feel that this threat is not a new ‘crimeware kit’, and is instead just a new variant of a much older threat known as Ambler (also known as ‘Limbo’ and ‘NetHell’ within the security industry). The primary difference with this variant is that it has the capability of performing HTML injection without the need to install a browser helper object. Instead, it hooks directly into the browser process in order to interfere with pages (a technique possibly inspired by Zbot, aka ‘Zeus’).
We suspect that the reason that it's been dubbed "Sunspot" is because this particular variant drops itself in “%APPDATA%\sun”.
The environment variable “%APPDATA%” refers to the path of a folder containing user-specific files that applications install, such as C:\Documents and Settings\Administrator\Application Data\.
We've seen other variants of this threat install themselves to a variety of other locations, including “%APPDATA%\bitrix”. Further, the sample that writes a copy of itself to the 'sun' directory has a compiled time stamp of 0x4CF6BB13 (December 1, 2010 21:16:03). This is consistent with our findings, as we first saw a copy of the file on December 18, 2010—essentially proving that this is nothing particularly new.
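As an added example (not code from the original post): reading the TimeDateStamp field from a PE file's COFF header and comparing it with the first-seen date is the check behind the reasoning above. The PE header bytes below are constructed for illustration and carry the stamp 0x4CF6BB13 quoted in the post; the first-seen date is the December 18, 2010 sighting.

```python
import struct
from datetime import datetime, timezone, date

# Constructed minimal PE-style header (not a real sample): a DOS header whose
# e_lfanew points to 0x40, followed by "PE\0\0" and a COFF header whose
# TimeDateStamp is 0x4CF6BB13, the compile stamp quoted in the post.
_hdr = bytearray(0x40 + 24)
_hdr[0:2] = b"MZ"
struct.pack_into("<I", _hdr, 0x3C, 0x40)                      # e_lfanew
_hdr[0x40:0x44] = b"PE\0\0"
struct.pack_into("<HHI", _hdr, 0x44, 0x014C, 1, 0x4CF6BB13)   # Machine, NumberOfSections, TimeDateStamp
SAMPLE_PE = bytes(_hdr)

FIRST_SEEN = date(2010, 12, 18)   # date the post says the file was first seen

def pe_compile_timestamp(data: bytes) -> int:
    """Return the raw TimeDateStamp from the COFF header of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp

def compile_time_utc(stamp: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch, interpreted as UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def days_before_first_seen(stamp: int, first_seen: date) -> int:
    """Whole days between the claimed compile date and the first sighting.
    A negative value means the stamp claims a build after the sample was
    already in hand, i.e. the timestamp is forged or otherwise unreliable."""
    return (first_seen - compile_time_utc(stamp).date()).days

if __name__ == "__main__":
    stamp = pe_compile_timestamp(SAMPLE_PE)
    print(f"TimeDateStamp 0x{stamp:08X} -> {compile_time_utc(stamp):%Y-%m-%d %H:%M:%S} UTC")
    print("days between compile date and first sighting:",
          days_before_first_seen(stamp, FIRST_SEEN))
```

Compile stamps are trivially editable, so treat the value as a hint to be corroborated against telemetry, not as proof on its own.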
That said, the newly discovered functionality represents an interesting financial opportunity for the miscreants behind this crimeware kit. There appears to be plenty of money to be made selling crimeware kits, as the criminals behind Zbot and EyeStye (aka ‘SpyEye’) have demonstrated. However, there is also plenty of opportunity to end up in jail.
- Tareq Saade & Tim Liu