News broke over the weekend in Japan that police had, over the past few months, arrested three people in relation to threats of violence posted on bulletin boards and sent by email. It was also reported that the suspects were subsequently released without charge after a particular piece of malware was found on all of the suspects' computers, and that this malware is believed to have been used to make the threats. The threats include a posting to a government website stating that the poster would commit mass murder in a popular shopping area; a posting to an Internet forum saying that he or she would blow up a famous shrine; an email to an airline threatening to destroy an aircraft with a bomb; and an email threatening the kindergarten attended by a child of the royal family. Police are currently investigating the connection between the threats and the malware.
From our analysis, we have confirmed that the malware allows a compromised computer to be controlled from a remote location, which is nothing new for malware. Among the functions we have confirmed, the controller has the ability to command the malware to post messages and send email, which is all that would have been needed to make the threats described above. We have also found that a string used when processing the encrypted communication with the controller is Japanese, and that the corresponding code appears to have been taken from a Japanese website. We therefore believe the creator is most likely someone with a good understanding of the Japanese language.
Figure 1. Japanese found in the code
We have obtained two versions of the threat so far and each version has a version number as shown below:
Figure 2. Version numbers of the variants of the threat we have found so far
Because the numbers are not in sequential order, there could potentially be more versions we are not aware of.
Symantec has confirmed that customers have been protected against this malware by our reputation technology called Insight. Symantec proactively detected the file as Suspicious.Insight and we have also developed a detection, called Backdoor.Rabasheeta, so that customers can identify infections of this particular threat. This detection also protects customers against similar variants that could potentially be in the wild.
Infection appears to be very limited at this time and the broader population of Internet users should not be affected by this malware. Although iesys.exe is the only file name we have seen or heard of in relation to this threat, other names could exist, so a file name search is a quick triage step rather than proof that a computer is clean. Symantec customers who want to check whether their computer is compromised by this threat should search for the file iesys.exe and also download the latest definition updates before scanning their computers.
To protect against this type of threat, users should be wary when downloading software from unknown sources. Symantec also advises users to keep their operating system and installed software up to date. Last but not least, do not click suspicious links or attachments in email, or suspicious links on websites.
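The file name check described above, written out as a small indicator sweep. This is an added example and not Symantec's own tooling: it walks a directory tree, matches file names case-insensitively (NTFS treats iesys.exe and IESYS.EXE as the same name) and records size and SHA-256 of every hit so that a responder can compare hashes across machines. The indicator list and the default search root are assumptions; the page gives only the single name iesys.exe. Because names are trivially changed, an empty result is not evidence of a clean machine; a scan with current definitions is the stronger check.

```python
import hashlib
import os
import sys

# Assumed indicator list. The page names only iesys.exe; a responder would
# extend this set as other file names are confirmed.
SUSPECT_NAMES = {"iesys.exe"}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_suspect_files(root, names=SUSPECT_NAMES):
    """Walk `root` and return a list of (path, size, sha256) for every file whose
    name matches an indicator. Matching is case-insensitive because Windows file
    systems are. Files that cannot be opened (locked or permission denied) are
    still reported, with size and hash set to None, rather than silently skipped."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() not in wanted:
                continue
            path = os.path.join(dirpath, fn)
            try:
                hits.append((path, os.path.getsize(path), sha256_of(path)))
            except OSError:
                hits.append((path, None, None))
    return hits


if __name__ == "__main__":
    # Default root is an assumption; pass a drive or profile directory as argv[1].
    search_root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, size, digest in find_suspect_files(search_root):
        print(f"{path}\tsize={size}\tsha256={digest}")
```

Run it once per user profile and once against Program Files; hashes that match across several machines point to a common sample worth submitting for analysis.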
To learn more technical information about this threat, please refer to our writeup.
Update [October 19, 2012]
Symantec has acquired a third variant of this threat. Its version number is 2.0, and Symantec products already detected it as Backdoor.Rabasheeta before the sample was obtained. From our analysis it is practically identical to version 2.23, with no noticeable differences between the two. We have also confirmed that all three files acquired to date would have been proactively detected by Symantec's Insight technology, as either WS.Reputation.1 or Suspicious.Insight depending on the product used.
Media reports put the number of users who accessed the malware download site at over 20, so we consider the number of infections to be extremely limited, and Symantec has yet to confirm any infections from our own sources. Anyone concerned about a potential infection should scan their computer with the latest updates. We also make a free online scanner available for those not using Symantec products.
Again, to protect against this type of threat, users should be wary when downloading software from unknown sources. We also advise users to keep their operating system and installed software up to date, and not to click suspicious links or attachments in email, or suspicious links on websites.