News broke over the weekend in Japan that police had arrested three people over the past few months in relation to death threats posted on bulletin boards and sent through email. However, it was also reported that the suspects were subsequently released without charge after the same malware infection was discovered on all of the suspects' computers, and that infection is believed to have been used to make the threats. Examples of the threats include a posting to a government website stating that the poster would commit mass murder in a popular shopping area; a posting to an Internet forum saying that he or she would blow up a famous shrine; an email sent to an airline threatening to destroy an aircraft with a bomb; and an email threatening the kindergarten attended by a child of the royal family. Police are currently investigating the connection between the threats and the malware.
From our analysis, we have confirmed that the malware allows a compromised computer to be controlled from a remote location, which in itself is nothing new for malware. Furthermore, among the functions we have confirmed, the creator has the ability to command the malware to post messages and send email, which is enough to make the threats mentioned above from the victim's computer. We have also discovered that a string used in processing the encrypted communication with the creator is written in Japanese, and that the corresponding code was taken from a Japanese website. We therefore believe the creator is most likely a person with a good understanding of the Japanese language.
Figure 1. Japanese found in the code
We have obtained two versions of the threat so far and each version has a version number as shown below:
Figure 2. Version numbers of the variants of the threat we have found so far
Because the numbers are not in sequential order, there could potentially be more versions we are not aware of.
Symantec has confirmed that customers were already protected against this malware by our reputation technology, Insight, which proactively detected the file as Suspicious.Insight. We have since added a dedicated detection, Backdoor.Rabasheeta, so that customers can identify infections by this particular threat. This detection also covers similar variants that could potentially be in the wild.
Infection appears to be very limited at this time, and the broader population of Internet users should not be affected by this malware. Although iesys.exe is the only file name we have seen or heard of in relation to this threat, other names could exist. Symantec customers who want to check whether their computer is compromised by this threat should search for the file iesys.exe, and should download the latest definition updates before scanning their computers.
To protect against this type of threat, users should be wary of downloading software from unknown sources. Symantec also advises users to keep their operating system and the software installed on their computer up to date. Last but not least, do not click on suspicious links or attachments in email, or on suspicious links on websites.
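Anyone checking more than one machine for that file will want the search scripted. The following is an added example written for this page, not Symantec's tooling or anything from the threat writeup: it walks a directory tree, reports every file whose name matches iesys.exe (case-insensitively, since Windows file names are case-insensitive), and hashes each hit with SHA-256 so the result can be compared against indicators from your vendor. Because the post warns that other file names may exist, the function also accepts an optional set of known SHA-256 values and, when given one, flags a file with a matching hash whatever it is called. The file name comes from the post; the hash set is an assumption to be filled from the writeup, and the small directory tree the script builds for a stand-alone run is constructed sample data, not the real threat.

```python
# Added example (not part of the original Symantec post): a small triage script
# that hunts a directory tree for a file by name and, optionally, by SHA-256.
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Constructed sample content for the self-contained demo run. It is NOT the real
# threat, just bytes whose size and hash the demo can check.
DEMO_CONTENT = b"MZ demo placeholder - not malware"
DEMO_SHA256 = hashlib.sha256(DEMO_CONTENT).hexdigest()


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_suspect_files(root, names=("iesys.exe",), known_hashes=()):
    """Walk `root` and return a sorted list of (path, size, sha256) for files that
    either have a name in `names` (case-insensitive, exact match) or, when
    `known_hashes` is non-empty, hash to one of those SHA-256 values regardless
    of name. Unreadable directories and files are skipped rather than aborting
    the scan. A hit by name alone only proves a file with that name exists; the
    hash is what you compare against vendor indicators before drawing conclusions.
    (known_hashes is an assumption for illustration; the post publishes no hashes.)"""
    wanted_names = {n.lower() for n in names}
    wanted_hashes = {h.lower() for h in known_hashes}
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for fn in files:
            by_name = fn.lower() in wanted_names
            if not by_name and not wanted_hashes:
                continue  # nothing to compare against, so avoid hashing every file
            p = Path(dirpath) / fn
            try:
                digest = sha256_of(p)
                size = p.stat().st_size
            except OSError:
                continue  # locked or unreadable file; keep scanning
            if by_name or digest in wanted_hashes:
                hits.append((str(p), size, digest))
    return sorted(hits)


def build_demo_tree():
    """Create a constructed directory tree for a stand-alone run: one true hit
    (upper-cased name, in a subfolder), one decoy whose name merely starts with
    the indicator, and one unrelated file. Returns the tree's root path."""
    root = Path(tempfile.mkdtemp(prefix="rabasheeta-hunt-"))
    (root / "sub" / "deeper").mkdir(parents=True)
    (root / "sub" / "deeper" / "IESYS.EXE").write_bytes(DEMO_CONTENT)
    (root / "iesys.exe.bak").write_bytes(b"decoy: not an exact name match")
    (root / "notes.txt").write_bytes(b"unrelated file")
    return str(root)


if __name__ == "__main__":
    # Usage: python hunt.py <root>   (defaults to the constructed demo tree)
    scan_root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for path, size, digest in find_suspect_files(scan_root):
        print(f"{digest}  {size:>10}  {path}")
```

Run it against a drive root (for example `C:\`) with an account that can read user profiles; anything it lists should then be confirmed by hash or by a scan with current definitions rather than deleted on the strength of the name alone.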
To learn more technical information about this threat, please refer to our writeup.