UPDATE: – Due to a little confusion in the BBC article about this blog entry, I am mistakenly attributed in many stories as saying that this malware is linked with the name Shoen Overns which in turn is linked to ZeuS and Koobface campaigns. This is not the case. When talking to the BBC I was pointing out the parallels in the modus operandi of this threat and a separate recent extortion threat in Europe detailed by Dancho Danchev here. The two are not at all linked to the best of my knowledge.
 

A colleague of mine, Noriaki Hayashi, brought my attention to an interesting Trojan that has begun circulating in Japan. The malware is aimed at extorting money from its embarrassed victims and here’s how it works.
 
The victims are initially hooked when they download what they believe to be illegal copies of games from file sharing networks, in most cases the malware is masquerading  as illegal copies of ”over 18″ hentai-themed games such as the below
 

 
 

Once the installer is launched it brings up a form requiring the user to enter personal information including their full name, date of birth, game password, email address, postal address, gender, annual income, company name and telephone number along with a few other things for good measure.
 
While all this is going on, the malware is also automatically collecting details about the victim’s computer including user account, domain and computer name, OS version information, clipboard content, file use history and Internet Explorer favourites. It also grabs a few screen shots just in case they don’t already have enough dirt.
 

 
All of this information is then subsequently published on a publicly available website and it’s not long before the victim receives a “helpful” email.
 
The email comes from a company calling themselves “Romancing Inc” (who coincidentally also own the domain where the stolen information has been published) and they alert the unfortunate mark to the predicament offering to resolve the “copyright infringement” and get the information removed… For a fee.
 
It may well be that the attackers have a second trap up their kimono as well, the installer also plants a few mp3 files onto the victim machine called Buck Duck, Chukar and Quail. These mp3 files are up for sale at a very high price on a separate website (58 million Yen is about 402 thousand pounds)
 

 
Could it be that once a victim has shown themselves to be extortion-friendly they will get hit with yet another “copyright infringement” notice from Romancing Inc? Japanese copyright law was strengthened this year largely in an attempt to address the problem of illegal downloading
 
This is certainly another illustration of why, in the long run, you may well be better off paying up front for your downloads and steering clear of file-sharing networks.