Security researchers are tracking a Trojan that has swiped as many as 88,000 FTP credentials for organizations such as Symantec, McAfee, Amazon, Cisco and the Bank of America. According to researchers at Prevx, the compromises are part of an operation that has been in business for more than two years.
Security researchers have uncovered a cache of stolen
FTP credentials belonging to a variety of corporations, including Symantec,
McAfee, Amazon and the Bank of America.
According to security vendor Prevx, a Trojan has swiped
some 88,000 FTP credentials as of this morning. The FTP logins were discovered
while the company's researchers were investigating what Prevx CTO Jacques
Erasmus described as a "prevalent in-the-wild infection." During their
investigation, they noticed the malware was sending out data to a Web server.
After visiting the URL, the researchers found the cache of unencrypted FTP
"We have contacted many of the organizations, and also
handed the data over to US CERT; we have in the meantime made a Web page where
people can go to check if their ftp logins are in the list," he said. "The url
for this is www.prevx.com/ftplogons.asp
Once on an infected computer, the Trojan harvests all
FTP details it can find. The infection is randomized so different people will
get different components based on where they are, software configuration and
other criteria. According to Erasmus, this all appears to be part of an
operation that has been morphing in different ways for more than two years.
"It doesn't target the organizations, what it does do
is when it infects a victim it grabs any stored FTP details from the form cache
and sends it to their drop site," Erasmus explained. "A typical example would
be a developer working for amazon.com gets infected on his laptop which he used
to upload some data to the ftp. The Trojan would steal his login details. In
the case of Symantec - Mcafee - et al, what's happened is partners and
resellers who have privileged access to the ftp site for software downloads
etc., have had their machines compromised, and their login details for these
sites have been compromised."
Trojan is a variant of ZBot
, which is reported to be receiving the uploaded
FTP credentials in plain text. Recently, the ZBot Trojan was spammed out in an
e-mail claiming to be a critical update for Microsoft Outlook. Once on the
user's system, ZBot accesses a Website to download a .bin file with
information referring to where the Trojan can download an updated copy of
itself, and where to send stolen data.
In the Outlook scam, the Trojan logged keystrokes
whenever the victim visited one of the monitored sites and saved the stolen
information in a file and then sent the file to a dedicated server via HTTP
"From what we can tell this group runs various exploit
kits and infects a large amount of people on a daily basis," Erasmus said. "By
looking at their operation, we can see that they are not 'amateur' because of
the level of bulletproof hosting they have and the sophistication they are
using to infect people in a very effective way."
With the details in hand, attackers can make a script
that uses these login details to try to log in to each site and inject an iframe
into each html page they find. This iframe could point to an exploit kit
running on the malware distributor's servers.
"When normal Web surfers visit the Website their
browsing session would be redirected to the Exploit kit url where various types
of exploits would be executed against their browser to try and automatically
infect them," Erasmus said. "So you might go to one of these sites looking to
rent a house, but in the end, you're getting a whole lot more."