Back in October 2012, we published a couple of blogs about Backdoor.Rabasheeta, a back door Trojan that was used to make numerous death threats from compromised computers, resulting in four wrongful arrests. The saga may have come to an end for the malware author who had been taunting the Japanese authorities for months. On February 10, the Tokyo Metropolitan Police arrested Yusuke Katayama, a 30-year-old Tokyo resident who works for an IT company, on suspicion of forcible obstruction of business by posting anonymous online threats, although the accused has denied any wrongdoing. Katayama was also arrested and convicted in 2006 for making similar online threats to a record company over a copyright issue regarding Noma-Neko, a popular cat character on a Japanese forum. Since October, the series of incidents has made national headlines in Japan, and the sordid story may now be reaching its climax.
Let me describe the sequence of events so that you can get a better understanding of what transpired.
Summer, 2012
The author of the malware fooled innocent people on message boards into installing software that turned out to be a back door Trojan. After the malware was executed, the attacker took control of the compromised computers and made various death threats, either through emails or by posting comments on message boards. The attacker also exploited a cross-site request forgery vulnerability to write a death threat on a message board from a compromised computer. The attacker used Tor, software used to stay anonymous on the Internet, to cover his or her tracks. The attacker’s criminal acts led to four wrongful arrests by the police.
October, 2012
After it was publicized that malware had been used to commit the crimes remotely, someone purporting to be the malware author came forward, sending an email to a lawyer who specializes in Internet legal issues. The author also sent emails to a few others, claiming to be the culprit who had made death threats on 13 different occasions. He, or she, also provided other details, as well as a “How-to” manual, to prove that they were the perpetrator of the crimes.
November, 2012
The same person then sent the same lawyer, as well as some journalists, an email stating that they had made a mistake that would enable the authorities to track him or her down. The email contained an image attachment hinting that he or she was going to commit suicide. The image contained false exchangeable image file format (Exif) metadata in an attempt to mislead the police. Police searches found no one suspicious anywhere near the location recorded in the Exif data.
Figure 1. Email image attachment with false Exif data
December, 2012
The National Police Agency, Japan's central law enforcement body, offered a reward of three million yen for information leading to the arrest of the culprit.
January 1, 2013
As soon as the New Year began, the perpetrator again sent an email inviting the media to participate in a series of puzzles, with the winner’s prize being the source code of the malware, along with a message that included the motive and an FAQ. Solving the puzzles led to a location in the mountains where a memory card was supposedly buried, but even when the puzzle was solved, the card was not there.
Figure 2. Images displayed after solving puzzle
January 5, 2013
The perpetrator started another round of puzzles and this time they led to a memory card that was placed on a cat’s leash; apparently the cat is popular amongst tourists on Enoshima, a small island near Tokyo. The police actually found an SD card on the cat and confiscated it. According to media reports it contained the malware source code, as well as other unconfirmed files.
Figure 3. Images displayed after solving puzzle
The perpetrator, by leaving the virtual world and entering the real world, may have been the cause of their own undoing, as surveillance cameras on the island allowed the police to track the suspect down. The Internet has tools like Tor to help people stay anonymous, or at least close to it; staying hidden in the real world, however, is much harder. According to media reports, the police are also investigating one of the crimes in which Tor may not have been used.
This may be the end of the saga for the culprit if he is found guilty, but it is just the beginning for the police and the prosecutors, who must gather as much evidence as they can to prove that he committed the crimes and have him punished accordingly.