Friday, February 24, 2006

Trojan Briz.A Steals Web Form Data & Hides As iexplore.exe

PandaLabs has detected a new Trojan called Trj/Briz.A, whose main aim is to steal personal user data from affected computers. This code stands out because it specializes in stealing bank details and data from web forms and that its author customizes the code for hackers.

The code creation system gives hackers the option to generate a Trojan that cannot be detected by any antivirus protection, as the author checks it every day.

In spite of this, TruPrevent(tm) Technologies incorporated in Panda Software's solutions have detected this code without needing to be able to identify it first.

Apart from the code, cyber-crooks that buy this crimeware also get a complex system for controlling the status of the infection caused by the custom Trojan.

This allows the client to get a list containing a large quantity of data about the infected computers: IP addresses, passwords and even the physical location of the computers.

In this way, the cyber-crooks can always have their malicious activity under control. PandaLabs is working, along with other companies to analyze and close all the sites related to this Trojan.

The file that causes the Trj/Briz.A infection is called "iexplore.exe" It uses this name to pass itself off as Internet Explorer.

When it is run, it downloads different files and stops and deactivates Windows Security Center services and Shared Internet Access. It also collects information on programs like Outlook, Eudora and The Bat, which it sends to the attacker.

To make it difficult to detect and disinfect the Trojan, it alsomodifies the hosts file to prevent access to websites related to antivirus products. This Trojan is the most complex example of the business network based onmalware.

Where as hackers used to create malicious code to simply have fun, they now have direct financial goals, designing their creations based on a criminal business model.

This data is reflected in the annual report published by PandaLabs, which is available at http://www.pandasoftware.com/NR/rdonlyres/ADF8E433-3BC3-46A2-AF57-9710CFAF9181/7274/02_Annual_Report_PL_2005.zip .

Luis Corrons, director of PandaLabs, explains that "as authors of Internet threats have changed their objective, which is now financial gain, they have also changed the way they design their threats. Therefore, they try to ensure that their creations go unnoticed, to both users and security companies, for as long as possible.

"For users to protect their computers against these codes, "they need technologies like TruPrevent(tm), with which we have been able to detect a code like Trj/Briz.A, which would otherwise have been very difficult to find," says Corrons.