MSRT October 2013 – Shiotob
This month the Malicious Software Removal Tool (MSRT) is giving some special attention to two malware families - Win32/Foidan and Win32/Shiotob.
We are targeting these families due to their increased prevalence.
Lately, we’ve been adding and improving our detections for the Shiotob family. Shiotob is a family of trojan spyware that steals system information and user credentials by monitoring network activities. These were first seen in 2011, yet are still managing to trouble people today.
The family can use several installation methods, and we’ve seen them spreading as an email attachment. Shiotob trojans are capable of gathering email addresses from an infected system and sending them to the trojan server, at which point the collected addresses are sent emails with the malware as an attachment.
Here are some example attachment file names:
- DHL_Express_POST-NOTIFICATION_<some strings>.zip
- Booking_Hotel_Reservation_Details_<some strings>.zip
- DHL-International-Delivery-Notification_<some strings>.zip
- DHL_ONLINE_SHIPPING_PREALERT_<some strings>.zip
- DHL-Worldwide-Delivery-Notification-<some strings>.zip
In this case <some strings> are random and can include dates and random text, for example DHL_Express_POST-NOTIFICATION_28FEB_4S1XFSR9.zip.
When the trojans run, they inject themselves into legitimate processes and then terminate their own process. We’ve seen them inject themselves into:
- csrss.exe
- svchost.exe
- iexplore.exe
- explore.exe
This makes them hidden from the user when viewing processes in Task Manager or other process-viewer tools.
The injected code is also capable of modifying and monitoring the start-up registry by creating the following entries:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
Adds value: "Debugger"
With data: "<malware path>"In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "random value name"
With data: "<malware path> -autorun"
If the modified entry is deleted, the malware will re-create it.
The Win32/Shiotob family is capable of sending information about the infected machine to a hacker using HTTP POST. This information can include details about the:
- OS version
- Service pack
- IP address
- User Access Control (UAC) status (on or off)
- Email addresses from Windows Address Book (WAB)
- FTP credentials
- Email accounts
It does this by injecting its code to the following processes which belong to browsers, email clients and FTP client applications:
- Avant.exe
- Ccftp.exe
- Chrome.exe
- Coreftp.exe
- Filezilla.exe
- Firefox.exe
- Ftpte.exe
- FTPVoyager.exe
- Iexplore.exe
- Maxthon.exe
- Mozilla.exe
- Msimn.exe
- Myie.exe
- Opera.exe
- Outlook.exe
- SmartFTP.exe
- Thebat.exe
- Totalcmd.exe
- WinSCP.exe
It then hooks the following Windows APIs from the above-mentioned injected processes to execute its malicious routine:
- Closesocket
- Connect
- HttpOpenRequestA
- HttpOpenRequestW
- HttpQueryInfoA
- HttpQueryInfoW
- HttpSendRequestA
- HttpSendRequestW
- InternetCloseHandle
- InternetQueryDataAvailable
- InternetReadFile
- InternetReadFileExA
- InternetWriteFileExW
- Send
These Windows APIs are used by applications to send or receive network data from visited sites or when establishing a connection to a server.
The information gathered by the malware will be saved in encrypted form and stored in the following registry entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\<version number>\<Random string>
In value: (default)
With data: "<encrypted gathered data>"
You can find more details about this family in our Win32/Shiotob encyclopedia description.
As always we recommend using a complete antivirus solution to help stay protected from this and similar threats.
Microsoft Security Essentials and Windows Defender detect and remove Win32/Shiotob and a range of other malware and potentially unwanted software.
Jonathan San Jose
MMPC