A new server hosting a Briz
VisualBreeze or VisualBriz is another malware that is usually sold in forums of malware developers, similar to the ones we mentioned in “Cybercrime for sale”.
I have recently discovered a server that hosted a new variant of this malware and contained 5.445 logs from infected machines, which take up 2.61 Gigabytes.
After checking the server where it was installed, I noticed that, unlike other variants of Briz, this one came with a Parser module that sends the information from the log files to a MySQL database managed through phpMyAdmin. This makes it easier and faster to search the information obtained from the infected users.
This module has several options:
The option “View” shows the logs and allows searches by domain or by text to be made:
The option “Templates” allows patterns to be made in order to filter the information:
The server came with these “Templates” already created:
rapidshare.com
paypal.com
e-gold.com
ftp
ebay.de
yahoo.com
Apart from the information it steals, it allows infected machines to be accessed in order to use them as proxies:
Around 478 new machines are infected daily.
These are the statistics that the proxy module displays, which are continuously updated:
This variant of Trj/Briz has been detected by signature as Trj/Briz.X. But even before it was detected by signature, our TruPrevent Technologies detected and successfully blocked it.
W32/MsnPhoto.A.worm
We have found a new malware that uses instant messaging to deceive users. It arrives as an .exe file disguised as a .jpg. If you open it, you will get infected, and your MSN contacts will receive some messages and a file called “fotos_posse.zip”.
Here is a picture of what the messages look like. For those of you who don't know Spanish, the translation is “Hello”, “I hope you like the photographs”, followed by the attachment.
It has been quite active, as you can see in the following graph of the evolution of messages received in the lab over the last 72 hours.
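The worm above relies on two tricks a mail or IM gateway can check for: an executable whose name promises a picture, and an archive that hides such a file inside. The following scanner is an added example, not code from the original post or from PandaLabs; the sample archive it builds is constructed here (a ZIP holding a few header bytes named like a photo) and the member name is made up for illustration.

```python
"""Flag IM attachments that carry an executable disguised as a photo."""
import io
import zipfile

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
MZ_MAGIC = b"MZ"            # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"   # local file header at the start of a ZIP archive


def split_extensions(name: str) -> list[str]:
    """Every extension in the name, lower-cased: 'a.JPG.exe' -> ['.jpg', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def inspect_file(name: str, data: bytes, depth: int = 0) -> list[tuple[str, str]]:
    """Return (file name, reason) pairs for every suspicious file, recursing into ZIPs."""
    findings: list[tuple[str, str]] = []
    exts = split_extensions(name)
    last = exts[-1] if exts else ""
    is_pe = data.startswith(MZ_MAGIC)

    # Content is an executable but the name promises an image.
    if is_pe and last in IMAGE_EXTENSIONS:
        findings.append((name, "PE executable with image extension"))
    # Double extension such as fotos.jpg.exe: an image extension hidden before an executable one.
    if last in EXECUTABLE_EXTENSIONS and any(e in IMAGE_EXTENSIONS for e in exts[:-1]):
        findings.append((name, "double extension hiding an executable"))
    elif last in EXECUTABLE_EXTENSIONS:
        findings.append((name, "executable attachment"))

    # Look inside archives, bounded so nested ZIPs cannot recurse forever.
    if data.startswith(ZIP_MAGIC) and depth < 3:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                findings.extend(inspect_file(member.filename, archive.read(member), depth + 1))
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the worm's attachment: a ZIP holding a fake PE named like a photo."""
    fake_pe = MZ_MAGIC + b"\x90" * 62 + b"PE\x00\x00"  # header bytes only, not a real executable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("fotos_posse.jpg.exe", fake_pe)  # member name is made up for the example
        archive.writestr("readme.txt", b"just text")
    return buf.getvalue()


def scan_sample() -> list[tuple[str, str]]:
    """Run the scanner over the constructed attachment, named after the one in the post."""
    return inspect_file("fotos_posse.zip", build_sample_archive())


if __name__ == "__main__":
    for filename, reason in scan_sample():
        print(f"{filename}: {reason}")
```

The check deliberately looks at both the name and the first bytes: a gateway that only trusts extensions misses an MZ file renamed to .jpg, and one that only sniffs content misses the double-extension trick when Windows hides known extensions.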
Zunker that installs another Bot
Although the first Zunker we talked about was configured to only affect computers with German IPs, this one only affects computers with Russian IPs.
This Zunker installs another bot, which we detect as Bck/Barracuda.A. This bot allows DDoS attacks to be launched and turns affected computers into proxies. The following image is displayed when we log in through the control panel:
In this screenshot, we can see that there are 14,788 bots, 647 of which were connected at that moment. There are also 3866 proxies, 171 of which were connected at that moment. For example, 12133 bots have been assigned to the attack with ID 661700916; this attack started on the 14th May and would end in three days' time, on the 17th May.
In the screenshot below, we can see how the data to launch DDoS attacks is entered:
Selecting this option, we can see the proxies:
More Zunkers!!!
Analyzing the pattern of the binary file installed by Zunker and comparing it with our samples, we have come across 32 similar files.
On the left is the graphical representation of the binary file belonging to the first Zunker we came across; on the right, that of the new similar files we have found.
As you can see, they are alike. If we compare these graphs with those of other malware, such as Gaobot.AAF, we will see that they are very different.
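The comparison above works because files built from the same code base share a characteristic byte distribution. The script below is an added example, not the tooling used for the post: it reduces each sample to a normalised 256-bin byte histogram, compares histograms by cosine similarity and groups samples that resemble each other. The samples are constructed in the script (two synthetic "families" with different distributions, drawn from a seeded generator), so the grouping it reports says nothing about the real Zunker or Gaobot files.

```python
"""Group binaries by the shape of their byte distribution."""
import math
import random
from collections import Counter


def byte_histogram(data: bytes) -> list[float]:
    """Normalised frequency of each of the 256 byte values."""
    counts = Counter(data)
    total = len(data) or 1
    return [counts.get(b, 0) / total for b in range(256)]


def cosine_similarity(a: list[float], b: list[float]) -> float:
    """1.0 for identical shapes, 0.0 for histograms with no byte values in common."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def cluster(samples: dict[str, bytes], threshold: float = 0.9) -> list[list[str]]:
    """Greedy grouping: a sample joins the first group whose representative it resembles."""
    groups: list[list[str]] = []
    representatives: list[list[float]] = []
    for name, data in samples.items():
        hist = byte_histogram(data)
        for members, rep in zip(groups, representatives):
            if cosine_similarity(hist, rep) >= threshold:
                members.append(name)
                break
        else:
            groups.append([name])
            representatives.append(hist)
    return groups


def make_sample(seed: int, packed: bool, size: int = 16384) -> bytes:
    """Constructed stand-in for a binary: 'packed' looks uniform, otherwise code-like."""
    rng = random.Random(seed)
    if packed:
        return bytes(rng.randrange(256) for _ in range(size))
    # Unpacked-looking: heavy zero padding, printable strings, a few common x86 opcode bytes.
    alphabet = [0] * 40 + list(range(0x20, 0x7F)) + [0x55, 0x8B, 0xEC, 0xC3, 0xE8, 0xFF]
    return bytes(rng.choice(alphabet) for _ in range(size))


def build_samples() -> dict[str, bytes]:
    """Two synthetic families; names are placeholders, not real sample identifiers."""
    return {
        "family_a_1": make_sample(1, packed=False),
        "family_a_2": make_sample(2, packed=False),
        "family_a_3": make_sample(3, packed=False),
        "family_b_1": make_sample(4, packed=True),
        "family_b_2": make_sample(5, packed=True),
    }


if __name__ == "__main__":
    for group in cluster(build_samples()):
        print(", ".join(group))
```

A byte histogram is a deliberately coarse signal: it tells apart families with different packers or string content, which is what a visual comparison picks up, but two unrelated files packed with the same packer will also look alike, so it is a triage aid for choosing what to disassemble next, not evidence of shared code on its own.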
Analyzing the similar files, we have come across 18 different servers where they were installed:
– 6 of them are active at the present moment.
– 4 of them contain files belonging to Zunker but they don’t seem to be working.
– 8 of them are inactive.
Among the servers that are active, different versions of the bot can be found:
ZUnker 1.4.4-1b
ZUnker 1.4.4-1b-10003
ZUnker 1.4.4b
ZUnker 1.4.5b
MPack uncovered!
In

Where is this tool infecting? Well, it is a question very easy to answer:

It also has a list of the latest sites prepared to infect using MPack:

Vicente has been studying it for some time and has developed a fantastic report for us.
