We are targeting these families due to their increased prevalence.
Lately, we’ve been adding and improving our detections for the Shiotob family. Shiotob is a family of trojan spyware that steals system information and user credentials by monitoring network activities. These were first seen in 2011, yet are still managing to trouble people today.
The family can use several installation methods, and we’ve seen them spreading as an email attachment. Shiotob trojans are capable of gathering email addresses from an infected system and sending them to the trojan server, at which point the collected addresses are sent emails with the malware as an attachment.
Here are some example attachment file names:
- DHL_Express_POST-NOTIFICATION_<some strings>.zip
- Booking_Hotel_Reservation_Details_<some strings>.zip
- DHL-International-Delivery-Notification_<some strings>.zip
- DHL_ONLINE_SHIPPING_PREALERT_<some strings>.zip
- DHL-Worldwide-Delivery-Notification-<some strings>.zip
In this case <some strings> are random and can include dates and random text, for example DHL_Express_POST-NOTIFICATION_28FEB_4S1XFSR9.zip.
When the trojans run, they inject themselves into legitimate processes and then terminate their own process. We’ve seen them inject themselves into:
This makes them hidden from the user when viewing processes in Task Manager or other process-viewer tools.
In subkey: HKLMSoftwareMicrosoftWindows NTCurrentVersionImage File Execution Optionsuserinit.exe
Adds value: “Debugger”
With data: “<malware path>”In subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRun
Adds value: “random value name”
With data: “<malware path> -autorun”
- OS version
- Service pack
- IP address
- User Access Control (UAC) status (on or off)
- Email addresses from Windows Address Book (WAB)
- FTP credentials
- Email accounts
In value: (default)
With data: “<encrypted gathered data>”