PandaLabs has detected a data theft scam using the new I variant of the Briz Trojan. According to data obtained by PandaLabs from the page the attackers used to control the network, some 2,700 computers spread across more than 120 countries were infected.
The creator, or creators, of this newly uncovered network have been distributing Briz.I from certain web pages, mostly related to illegal or pornographic content. PandaLabs is working alongside other security companies to identify and close down each of the websites related to this network and prevent the threat from spreading.
The emergence of Briz.I could be a consequence of the scam for creating and selling customized versions of Briz, recently discovered by PandaLabs. According to Luis Corrons, director of PandaLabs: “It is possible that the creator of the original Trojan has decided to profit directly using the same Trojans that were sold before; alternatively, Briz.I could be a new version of one of the examples that was sold while the previous scam was still in operation.”
Briz.I runs on infected systems under the name “iexplore.exe”, simulating an Internet Explorer process. Once on the system, it downloads a file that sends information, including the IP address and country of the infected computer, to the attacker’s website. Another of its components integrates into Internet Explorer and captures all information entered by users in online forms, such as e-mail passwords or login details for online banking services. This malware also allows the computer to be used as a gateway for connecting to other pages while masking the identity of the attacker, who can additionally access files on the local computer remotely.
Briz.I is specifically designed to go unnoticed by both users and security companies. It does this by covering its tracks once each of its components has carried out its task. It also modifies the Windows “hosts” file to prevent users from accessing the web pages of security companies, and it disables the Windows firewall.
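Two of the behaviours described above, the tampered hosts file and a process masquerading as Internet Explorer, leave traces a defender can check for. The following Python is an added example, not PandaLabs code: the watched vendor domain list, the expected Internet Explorer directories, the sample hosts file and the process table are all constructed assumptions, chosen so the script runs offline.

```python
"""Defender-side checks for two Briz.I-style traces (added example, not PandaLabs code):
(1) hosts-file entries that sinkhole security vendor sites, and
(2) a process named iexplore.exe running from a directory where IE does not live.
All domain lists, paths and sample data below are constructed assumptions."""

import ipaddress
from typing import Dict, List, Tuple

# Assumption: domains a defender would not expect to see in a clean hosts file.
WATCHED_DOMAINS = {
    "pandasoftware.com",
    "pandasecurity.com",
    "windowsupdate.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
}

# Assumption: directories from which a genuine iexplore.exe is expected to run (lowercase).
EXPECTED_IE_DIRS = (
    r"c:\program files\internet explorer",
    r"c:\program files (x86)\internet explorer",
)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text, ignoring comments and junk."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                              # blank line or address with no names
        addr, *names = parts
        try:
            ipaddress.ip_address(addr)            # skip lines whose first field is not an IP
        except ValueError:
            continue
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def _is_watched(hostname: str) -> bool:
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_hosts_entries(text: str) -> List[str]:
    """List vendor/update domains pinned to any address; a clean hosts file has none."""
    return [f"{name} -> {addr}" for addr, name in parse_hosts(text) if _is_watched(name)]


def suspicious_iexplore_processes(processes: List[Dict[str, object]]) -> List[str]:
    """Flag iexplore.exe instances whose image path is outside the expected IE directories."""
    findings: List[str] = []
    for proc in processes:
        if str(proc["name"]).lower() != "iexplore.exe":
            continue
        path = str(proc["path"]).lower()
        if not any(path.startswith(d + "\\") for d in EXPECTED_IE_DIRS):
            findings.append(f"{proc['pid']}: {proc['path']}")
    return findings


# Constructed sample hosts file: two vendor domains sinkholed, plus two legitimate lines.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1   localhost
127.0.0.1   www.pandasoftware.com   # vendor site sinkholed
0.0.0.0     liveupdate.symantec.com
192.0.2.10  intranet.example.local
"""

# Constructed process table as a host inventory tool might report it.
SAMPLE_PROCESSES = [
    {"pid": 1204, "name": "iexplore.exe", "path": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 3320, "name": "iexplore.exe", "path": r"C:\Windows\System32\iexplore.exe"},
    {"pid": 512, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts sinkhole:", hit)
    for hit in suspicious_iexplore_processes(SAMPLE_PROCESSES):
        print("iexplore.exe from unexpected path:", hit)
```

On a real Windows host the hosts text would come from `%SystemRoot%\System32\drivers\etc\hosts` and the process table from an inventory or EDR export; the point of the two checks is that a vendor domain appearing in the hosts file at all, or an iexplore.exe image outside the Internet Explorer directory, is worth an analyst's attention regardless of which sample planted it.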
“The current objective of malware developers is to profit from their creations, and so they are concentrating on introducing malware surreptitiously and, as in this case, trying to capture data and login details in order to commit fraud,” explains Luis Corrons. “Traditional signature-based detection technologies are proving to be insufficient to combat these threats. To prevent this silent epidemic, they need to be complemented with proactive technologies such as TruPrevent™, which can detect malware without having previously identified it.”