VisualBreeze, or VisualBriz, is another piece of malware that is usually sold in forums of malware developers, similar to the ones we mentioned in “Cybercrime for sale”.

I have recently discovered a server that hosted a new variant of this malware and contained 5.445 logs from infected machines, taking up 2.61 Gigabytes.

After checking the server where it was installed, I noticed that, unlike other variants of Briz, this one was provided with a Parser module that sends the information from the log files to a MySQL database managed through phpMyAdmin. This makes it easier and faster to search the information obtained from the infected users.

This module has several options:

The option “View” shows the logs and allows searches by domain or by text:

The option “Templates” allows patterns to be created in order to filter the information:

The server was provided with these “Templates”, which were already created:
rapidshare.com
paypal.com
e-gold.com
ftp
ebay.de
yahoo.com
Apart from the information it steals, it allows the infected machines to be accessed in order to use them as proxies:

Around 478 new machines are infected daily.

These are the statistics that the proxy module displays, which are continuously updated:

This variant of Trj/Briz has been detected by signature as Trj/Briz.X. But even before it was detected by signature, our TruPrevent Technologies had detected and successfully blocked it.