Glendale (CA) - Antivirus specialist Panda Software says it has discovered a "complex malware creation system" that allows individuals to purchase "made-to-measure" trojan horses for a flat fee of $990. The money buys not only the malware, but also a service that monitors the infection rate and provides code modifications, if the trojan is detected by antivirus software.
It has been speculated for some time that virus authors are shifting their activities from using malware for their own purposes to creating a service-based business. For example, large spamming operations are believed to be in close contact with virus authors. Panda Software now has found further evidence for a trend towards a malware service business: The company was able to track down information bits included in a currently spreading virus - and found a network that offers individuals or organizations customized trojan horses for purchase.
The trojan that led to the discovery is called Trj/Briz.A, which is tailored to extract bank details and data from web forms from infected computers. Patrick Hinojosa, chief technology officer at Panda Software told TG Daily that Panda "has been working on this issue for a couple days" and initiated further investigations into the source of the malware after the company had found "suspicious information that led to other servers". Tracking down the source, Hinojosa said that Panda ended up at ordering information for trojan horses as well as details on where malware is housed and what features the software could deliver.
While Hinojosa does not believe that the organization offering the trojan horse service has released other malware so far, he mentioned that Trj/Briz.A is not a proof of concept. "This code is written heavily towards the goal of data theft and aims at extracting personal financial information," he said. "We believe someone may have bought this trojan horse."
According to the promises made by the trojan horse authors, the customer apparently has little to worry, at least for now. The $990 that apparently was paid for Trj/Briz.A also includes the service to get the code modified, as soon as it is identified by anti-virus software.
The infection with Trj/Briz.A is caused by executing the file "iexplore.exe." When it is run, it downloads different files and stops and deactivates Windows Security Center services and Shared Internet Access. It also collects information on programs like Outlook, Eudora and The Bat, which it sends to the attacker, Panda said. To hide its presence and protect the infection, the malware also modifies the hosts file to prevent access to websites related to antivirus products.
Hinojosa told us that Panda has identified the server on which the trojan horse is operating from and is working with "international agencies" to investigate the matter. He mentioned that he was not at liberty to publicly reveal the location of the detected server - which is believed to be a front-end server of a more complex network.
At the time of this writing, it was unclear which damage Trj/Briz.A has caused so far.