VisualBreeze, or VisualBriz, is another piece of malware that is usually sold in malware developers' forums, similar to the ones we mentioned in "Cybercrime for sale".

I have recently discovered a server that hosted a new variant of this malware and contained 5.445 logs from infected machines, which take up 2.61 Gigabytes.

After checking the server where it was installed, I noticed that, unlike other Briz variants, this one came with a Parser module that loads the information from the log files into a MySQL database managed through phpMyAdmin. This makes it easier and faster to search the information obtained from the infected users.

This module has several options:
The "View" option shows the logs and allows searches by domain or by text:
The "Templates" option allows patterns to be defined in order to filter the information:
The server came with these "Templates" already created:

- rapidshare.com
- paypal.com
- e-gold.com
- ftp
- ebay.de
- yahoo.com

Apart from the information it steals, it allows the infected machines to be accessed in order to use them as proxies:
Around 478 new machines are infected every day.

These are the statistics that the proxy module displays, which are continuously updated:

This variant of Trj/Briz is now detected by signature as Trj/Briz.X. Even before that signature existed, however, our TruPrevent Technologies had already detected and successfully blocked it.