The Details of the Rabasheeta Dropper

Last week we reported on a particular piece of malware—detected as Backdoor.Rabasheeta—that is making a stir in the Japanese media.  There are hundreds, if not thousands, of back door malware, but in the last week Japanese media and social networks have been full of discussions about this particular malware. Symantec has discovered the dropper.

Dropper

Figure 1. Dropper and its contents

 

A dropper is a Trojan horse that installs a payload onto the compromised computer. The dropper for Backdoor.Rabasheeta drops a main module and a configuration file. The dropper creates a registry entry so that the main module is executed whenever the compromised computer starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"iesys" = "%UserProfile%\Local Settings\Application Data\Microsoft\iesys\iesys.exe"

This dropper also modifies CreationTime, LastWriteTime, and LastAccessTime of the main module with random values to help keep it hidden. Then the dropper will execute the main module before removing itself from the computer.

Graphical user interface

These preceding activities are common for malware. However, there is something that makes this malware stand out from the crowd: both the main module and the dropper have a graphical user interface (GUI). The following figure shows the GUI that is included with this dropper:

Figure 2. Dropper GUI

 

This GUI is hidden from the user of the compromised computer. However, the dropper contains a flag called testMode and if this flag is on, the GUI is displayed. The malware author enables the GUI for debugging purposes, as the GUI allows the malware to be installed and uninstalled by the click of a button to perform many tests repeatedly.

Version numbers

In our previous blog, we showed three variants of the main module, each with version numbers. The following table shows the version numbers with creation dates including the dropper:

 

The time zone is Japan Standard Time (JST) and dependant on the author’s computer time setting. Note that the computer time can easily be modified.

This table shows that the author updated the malware periodically over a one month period. It is likely there are other variants of this malware based on the version numbers we have obtained.

The dropper we examined contains version 2.35 of the main module. Based on the creation dates, this dropper was made 22 days after the module version it contains. We do not know why the author stopped updating the main module in this time period. However, there may be other droppers containing different versions of the main module.

Protect yourself

The structure and functions of Backdoor.Rabasheeta are not advanced compared to modern malware. However, it is still capable of surreptitiously opening a back door on a compromised computer.

To protect against this type of threat, users should use caution when downloading software from unknown sources. Do not click on suspicious links or attachments in emails. Symantec also advises users to ensure their operating system and software is up to date. We detect both the dropper and the main module as Backdoor.Rabasheeta.