VisualBreeze or VisualBriz is another malware that is usually sold in malware developers' forums, similar to the ones we mentioned in “Cybercrime for sale”.
I have recently discovered a server that hosted a new variant of this malware and contained 5.445 logs from infected machines, taking up 2.61 Gigabytes.
After checking the server where it was installed, I noticed that, unlike other variants of Briz, this one came with a Parser module that loads the information from the log files into a MySQL database managed through phpMyAdmin. This makes searching the information obtained from the infected users easier and faster.
This module has several options:
The “View” option shows the logs and allows searches by domain or by text:
The “Templates” option allows patterns to be created in order to filter the information:
The server came with these “Templates” already created:
rapidshare.com
paypal.com
e-gold.com
ftp
ebay.de
yahoo.com
Apart from the information it steals, it allows infected machines to be accessed in order to use them as proxies:
Daily, around 478 new machines are infected.
These are the statistics that the proxy module displays, which are continuously updated:
This variant of Trj/Briz has been detected by signature as Trj/Briz.X. However, even before the signature was available, our TruPrevent Technologies had already detected and successfully blocked it.
Posted under Malware Alerts
This post was written by Vicente Martinez on May 22, 2007
