Threat Research & Response Blog
This month the Malicious Software Removal Tool (MSRT) is giving some special attention to two malware families - Win32/Foidan and Win32/Shiotob.
We are targeting these families due to their increased prevalence.
Lately, we’ve been adding and improving our detections for the Shiotob family. Shiotob is a family of trojan spyware that steals system information and user credentials by monitoring network activities. These were first seen in 2011, yet are still managing to trouble people today.
The family can use several installation methods, and we’ve seen them spreading as an email attachment. Shiotob trojans are capable of gathering email addresses from an infected system and sending them to the trojan server, after which emails carrying the malware as an attachment are sent to the collected addresses.
Here are some example attachment file names:
In this case <some strings> are random and can include dates and random text, for example DHL_Express_POST-NOTIFICATION_28FEB_4S1XFSR9.zip.
When the trojans run, they inject themselves into legitimate processes and then terminate their own process. We’ve seen them inject themselves into:
This hides them from users looking at the process list in Task Manager or other process-viewer tools, because the only visible activity belongs to a legitimate process.
The trojans also make the following registry changes so that they run each time Windows starts:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
Adds value: "Debugger"
With data: "<malware path>"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "random value name"
With data: "<malware path> -autorun"
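The two registry locations above are the places to check on a machine you suspect is infected. The following PowerShell audit script is an added example, not code from the original post or from MSRT; it enumerates every Image File Execution Options subkey for a "Debugger" value and flags HKCU Run entries whose data ends in the "-autorun" switch or points into a user-writable directory (the directory heuristic is our assumption, not a behaviour the post states). Run it from an elevated prompt and review every hit by hand, since legitimate debuggers also use the IFEO Debugger value.

```powershell
# Added audit script (not from the original post): look for the two
# persistence mechanisms described for Win32/Shiotob and report them.
$findings = @()

# 1. Image File Execution Options: a "Debugger" value makes Windows launch
#    the named program instead of the listed executable. The post names
#    userinit.exe; we list every subkey that has a Debugger value.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        if ($_.PSChildName -ieq 'userinit.exe') {
            $note = 'userinit.exe hijack: matches the Shiotob persistence described above'
        } else {
            $note = 'Debugger value set: confirm it is a legitimate debugger'
        }
        $findings += [pscustomobject]@{
            Location = "IFEO\$($_.PSChildName)"; Value = 'Debugger'; Data = $dbg; Note = $note
        }
    }
}

# 2. Per-user Run key: Shiotob adds a randomly named value whose data is
#    "<malware path> -autorun". We flag the "-autorun" switch and, as an
#    extra heuristic (our assumption), any command rooted in AppData, Temp
#    or Users\Public, where user-level malware is commonly dropped.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
if ($props) {
    $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
        $data = [string]$_.Value
        $hasAutorun = $data -match '-autorun\s*$'
        $userPath   = $data -match '\\(AppData|Temp|Users\\Public)\\'
        if ($hasAutorun -or $userPath) {
            $findings += [pscustomobject]@{
                Location = 'HKCU Run'; Value = $_.Name; Data = $data
                Note = if ($hasAutorun) { 'Run entry uses the "-autorun" switch' } else { 'Run entry in user-writable path' }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No IFEO Debugger values or suspicious HKCU Run entries found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```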