|
|
|
Trojan Swipes FTP Credentials for Major Companies in Malware Attack
By: Brian Prince
2009-06-29
Article Rating:  / 12
There are 5 user comments on this Network Security & Hardware story.
Security researchers are tracking a Trojan that has swiped as many as 88,000 FTP credentials for organizations such as Symantec, McAfee, Amazon, Cisco and the Bank of America. According to researchers at Prevx, the compromises are part of an operation that has been in business for more than two years.Security researchers have uncovered a cache of stolen
FTP credentials belonging to a variety of corporations, including Symantec,
McAfee, Amazon and the Bank of America.
According to security vendor Prevx, a Trojan has swiped
some 88,000 FTP credentials as of this morning. The FTP logins were discovered
while the companys researchers were investigating what Prevx CTO Jacques
Erasmus described as a prevalent in-the-wild infection. During their
investigation, they noticed the malware was sending out data to a Web server.
After visiting the URL, the researchers found the cache of unencrypted FTP
logins.
We have contacted many of the organizations, and also
handed the data over to US CERT; we have in the meantime made a Web page where
people can go to check if their ftp logins are in the list, he said. The url
for this is www.prevx.com/ftplogons.asp.
Once on an infected computer, the Trojan harvests all
FTP details it can find. The infection is randomized so different people will
get different components based on where they are, software configuration and
other criteria. According to Erasmus, this all appears to be part of an
operation that has been morphing in different ways for more than two years.
It doesnt target the organizations, what it does do
is when it infects a victim it grabs any stored FTP details from the form cache
and sends it to their drop site, Erasmus explained. A typical example would
be a developer working for amazon.com gets infected on his laptop which he used
to upload some data to the ftp. The Trojan would steal his login details. In
the case of Symantec Mcafee et al, whats happened is partners and
resellers who have privileged access to the ftp site for software downloads
etc., have had their machines compromised, and their login details for these
sites have been compromised.
The
Trojan is a variant of ZBot, which is reported to be receiving the uploaded
FTP credentials in plain text. Recently, the ZBot Trojan was spammed out in an
e-mail claiming to be a critical update for Microsoft Outlook. Once on the
users system, ZBot accesses a Website to download a .bin file with
information referring to where the Trojan can download an updated copy of
itself, and where to send stolen data.
In the Outlook scam, the Trojan logged keystrokes
whenever the victim visited one of the monitored sites and saved the stolen
information in a file and then sent the file to a dedicated server via HTTP
POST.
From what we can tell this group runs various exploit
kits and infects a large amount of people on a daily basis, Erasmus said. By
looking at their operation, we can see that they are not 'amateur' because of
the level of bulletproof hosting they have and the sophistication they are
using to infect people in a very effective way.
With the details in hand, attackers can make a script
that uses these login details to try to log in to each site and inject an iframe
into each html page they find. This iframe could point to an exploit kit
running on the malware distributors servers.
When normal Web surfers visit the Website their
browsing session would be redirected to the Exploit kit url where various types
of exploits would be executed against their browser to try and automatically
infect them, Erasmus said. So you might go to one of these sites looking to
rent a house, but in the end, youre getting a whole lot more.
|
|
�������xv8 |N�J5]kv;:-iYnKiw7st(�XH6Iyzyy/��7-%3N*m��@ 6����Iș�=!�ǘ[�cӑGoMz�Ijû@�Bi�zNU�sJe>�HwW7n��Q;^��> \?g#Q;Y|��}^~bw��.pѲ
⌳Q�m5x�yK�%y}�u)p}(DsXq@��ǎ�H;�*C'�x8ӽi/DeOIQI�M"x<&j�>wn=݃w2����X]~�j4Lߵ}2
rtD�>8�z
vGx09ry�j5jfL�{n�_%z�0s�w4��:a;6]dU~�7P�L�;g�۾Bdu#$�7=ReQ
�oȱ�o>0@|Ӡd6
2X��c��]vlYVX�liJu��f�!`F� 0{nsG@̀k��fPX��T@A�N)��61t��vf�y�M)o�dz!C�C�Z9nVȨ�U�SA%EI7CD�
r2#~�B(��PHQ��>�z%Ku}7�p#Kʚ�gfeٜ%YWaN
o��\z�cO�'fe..~z�8^%glh|��X.B2iK1PWG5MGRŦc룯fzP���b�(7Z`Lm�,��1,L�tϭ `6 �::�~g�>QÜCݶ�OCGs�>2胎6ml�-Ʃ�裩I��Xn`vt�&Ha;Nh>[W <[
K!PA}x�3V��=H:}m�`�9�5$'CMߟ��-�s#09ww��ښA�<�Q]ӡ4}a�
vhq.pp�yY?90��d}
�w�,�߽9�#z[MK��x�G�zR�N\Q�@Ǣ�dQJ
d�$@�!"�-i]N�P@A�r68��-�8�,rr�d+��+~Gy-#!bTLZ���(6ݞ�H:s&@-KEscMX*QY,�p[/ �Pf%)5{~�F��X�9�yDM�f#�T`B[ụLKa�k`DݜrA+żMCF��qQT8Z�Uj@���˚T7mP9m=�:��sx~ez�pĄ'HwT)%=�^C��͑ �-Is:�yFu&S玈r��?n�zAU E�q-zo"Y3`3s�*4+d9pPsf�<`t�=
�Xud9sc]e|}>�IjKi�S�i
���|kV� S�pć��9E#rQϚX� %<�.�ƲB"5w�c���ʚJJ*$,4�)pd�j�Kw�ݸ^`�"3hqJNbЙB#@)z�QkڞYWo%<4~�k�m�H_T�.MB[+�� ��2%W��}kaԕ %/�E�A
n:bZ�G6�X�}iМ^&dTR4�v3pl=5&5|n�-V/U�OLXZfȣZ�rirX,y|
p�X"�@�7w�
)mT.mT^̇'Χޑ�zд��"s=#S=`zر3 �l�#0�
;u� �J[Y�,,qThjUVz
�Ä끈��f ���%�lDe@u\X:5u{qa?[ZTNZkʮtޔggs)�fo?�{]s\�μ���+�;2E�<&�&{-K��˰"Uzo�}BZ�_(ƨO�ȣCY �V� W�MUm�#Xܘ 0��(E{h�⢉�!H;3����4kpý225\ZS*ٝ'(R~-p;>9
�h0 95-"
?ŤX
�LkQsGŅR�r�Cב]��5}-�dp]U*jAe/y+^�t
n�)5#S��#2�pg��rh)hj*� vϷ�
h#�քY[ў#WX�
xV IQ~kVѲ �ՆgyϤMNU)HW>�>�q ~7�zEP7ƹ�<�sƃ~�ڷB�y@*Z=���9~܄ye`@mbgy@�?}誦�C}2�hSYpQ5c�yu�LY�R�L5Ap5xl�==C}t3wܶ
zWASD�91^%1�.ɹ%w��B֮�v�Zo40p�2Y:9|k5V|�m���4D6�>��;" V�\�tc{~O��
a51t&]ߘ#A5`N>��2V&OB�(JyZ��J�p9Ѓ�u^AQWӛMO �U!TՀN>�O7(~�}$DC>Km�z~L�\TP�Y\|�UMBR%%!^!�[-�0B�S\rOkps.p}�/O &PFͧzMʵ�D�mRx*3na/eg���S? �i��ti qg5�5;a̭�XLh;ʲ�CX�I74c�ְ�J7эj@iUI+T�Z}����=2AatA�*�}/*\F�IvSfG���8@|����^%usC\Դ"Hw
ضRs�?'}D:a�q=C
H\WK{dQ�=Y�@r�r�jT
�r2�RDBZNBq<:N}+�tC��Z6�wOXO�dK!M�o$DDOC�Vj�gX&1W+�ʬڼ _3Z c�C7{{=HL_BP`n�&w,$\�auv��ßy�c(m�'lE])�>)hl{ޗN٧}<�d^}�^A1�Vi? 0WKΟKKx��8>?nk��,Z>~/]whgg~�py- 8@W�~#tKGݳ%?w@-)�^{!z2W#�m6<6M��FV5C�K�)W�f@ t/[X0z!ӱB3ZMUc |
ʢ<���FsY�_aY�,$"0�!
I�+U:;>����� kJ=!�Vo8n.Κi9�D���
�`E/ԩ
#A�D�rIGzRF�ijQɉ�O/`I�c�1:�*:{ϭ0[L㷜oWȘI;D_q-5�'=?EU[k'�Hl�
Nv��:kq_<�pp"a�]Z�qn{պ�J'S0�QJh"g�8�A�;�)~ڰ{�,�/=�;SL'3U(�4iaEtKb�s�,ȔbJ4:<~d�2Y$iYMzJ,bTcH�(PK�I3>�e�ޜ,Hy9Ym@ybZӽM3%ƗHÓ ,-�I+Q$/EiA0GͳP��R�#A��pq�P>�XkI)�j[YUH*?v�Ƈ�)�!\8)H�z@0QHeZA>?j�^wg�Z{m@{�q?Il8�2U�(sXsw{�{eB�s�?݁MO6re>x>IАߚ�=pW&ƭtov;vkm,d�1]foݷ?vcW}; ?-l-8t�砞C�TϏ$ɘ&B�AWU-u+lko(r�Y9sJyOVr;ѡhd�,�#Q�d1ӗ��P2QtI�Js{ĶQ�qe�#?ovƹ�y<�7tϯ2n%~W�J�M݅[i}D)]s"5"�v�ދKq˳ye�j�ГG���m֗Bݽ]ޟ;+�&bi4W3XT=}[fvÏ9&i� �ј@.,vm鼳��2��>
ACVorlK9Grs&�cx�2��HB%�7˶˷Fp7�*gcc3/�F#%k&ϖSϱ�m�@|Րp/�hZ1i�`jcZ'Kpj��ulD[ʷ/'Ɏcr��sf2i��TWeT7/7�__B�!C9O4y˭0LT�/sK[��^]lQߍo%n2-���FM
yu4jQ-)DI=/7:?Yz9+ֻ
]X�0(YS�~9wX�V+ ���x6��P[G�\-d(,|�&�S�Z�X>NU=(}�gI\]'\<~/n!2�렳+�HarBl+d5=D�2Pq�<6:�V
)
��+]1(VB�QU�(�b
[�"v��*F�/3LU�u,Vbg
MdOJ^I?�xE�^\V�k{� ܂0J~��*U�j)N4KkR1$$cy5h�Rf&rHyrd]i/)RB`㱁g<��}0˺E``��]{�'>,V&)\@+J4Z)1Z�3^�fQy5DG =�2Y� e�H�o[P7OER)'c�{4)j o�*rF,�
*&5P ѐrTQ.)O4D=�K;#)�i��w4%2RB|l֯,߃*x�yRRUI-M�ˠ5iMU$LC��3lu~ Rs�ۓR�G͠2U!�^
�#^"'"DÖColW dU۔
/NV�?H���t���HG>ӹ/=7݆N�
AP��"��pC��~��᰾-b���pcO S|q�Ae"R�;p��J̊�
Z%"�%!PLX�&!ĩ�ERJ ^S�^ht�
7�ґ\3U=�1Ct
JA6�T¡��U&�A��#f�
-)+8 -Y\鐲�\iRoQjgX�� C!�
�(R&�̷E[�?�VmlS{+)KJq�ҩ
`:c)R s�w+S�;$�,w5qvX0Y5ϩSR�O]�g xqwwwww|jZ<�˫C�G�H�\RvܛC���LйhKWKXFݏ=�*�'�Xj'�4�B#,XcRޟ�_ܐ^yٺjť&7"o4D -`ؗ.t(:0mK�e �$��bQ o
j5&�oFIBF kčb�0�NzW#¯�/KCܐ_̿ڊ�.�kY@H��nuRO��9�,sB�(#1�UQ�b��<��v�`'3ǰZ�GnS
hB��Q�`"`6җw
�9�#bЗ0+0,�Mc='C65r$dG�'��At)vp@nOEKyoH`/�&}#E.�х1.涧^�.2�OK-p�XW>#LX-U˘���* 1�7�]e#�#ac5(/ERhl0
D��L,\%�@BGi��5NL[ 熄r~"�Ό�9Wx�I-��[-�Z��Q�$·#V_�IQRxk
�tߥ��#'PGmf߯�_'o|[[�m>pț�qu�j�5UUUUjV\kt@y�!2��R|l^�.15bXRB>u/
�@$���i"�}aأao:Ʀ5_߭nL��h_�1zw�zv�Oz�t
��_qz8D�5֕|ii4M9u\bВ.�Jz�Ñ1:i�*1�D0
I'�k�0Eg�>}-�~
BB\<��'ռ�$u�C�Z\kH�CXO+88�N@"��n&DҍA�e{\hzmǤlċ5�@kZ�M/ǧTx7mae vg'G ƍ.d8zI� ��*i<��G0;q�}.jF}p۠m5N~G����d"ÏFp��VjζD0c��hG%��5L�)�̆XO�H
�K�ظ$� X~{X
�<4Z^A&-.b1EKl���@.h��]L~K0&»3}9lߓĠx+N�S,SٿcgF^S�`nJ�ƵV�xr�Mv��m�_�@ǵ�X��ΐ[?qñŃ�M_/�O$֯'8.
2ä= ̒�?�К-Y?`C䷿T}dۼ1V^sj2U�S
Q�?D쐟̙xn��?𤟂R�M:�_���E��/!
<��5�օ=k}=�y ��_n�O:9���2*(5���A>Uxyl?mLEHX(t��^q��w᫉PX0�8!n'�9pѰ��LX�8~܉"A1�Rhs05̈G�b�v ��mz^CFJ[7�^"6�.W@O[jkwhDP"ͪNDJ`h*|
hʓ%-* ;,��͝[� ��d�Z��Sp-�|ri?�*ܪzB��9wdI�fӸjR�rzw(1a˾#�F̯R߃q}#|�#+M6XoU!Tg r��ιVČ�\>dF+iFS�OW1hc >F�+P��S�C7��,6M$Ae�Ѓ5T?�0jнn#n�ZU}{GКXP�t BJ nZ,_E1Ǽ/>�oI c
Odr�t�&7�e\S[�a8���@��`m¼ϴ@B�SxW���؛a�̥7f?= .N��9��ǃ�"Ba=X@*>Io��HX%]�U#�`�x'O��Flu.{a�C�p(M$=w:�}GL��F0u�Z
�d��26g�|tH ]TW 3��� 7-=�p5:&fVк�|U?�
|9[CG)W��9Ĕ#X�כQuԔ�1"�'0�枩`V1,4)�k�M(q�i+8 MꪂO�J�2,��=VR"<�>A~gu~^"_ǹӄ\I�\A]��/ �PIZ�
�W{uK1�u0 }a3B}3xd�͋O{I"E='5¶V-r5�u�v?�u/>[�~qbzx*~lL_db(�L',C rr촘283ޢKs!Yx�9�K��xU�,
/�EL�yx&�Ó0o��E_VC�Ĩҫci�슍?z
Ǘ^OV\k)h?=VՑt.?.9r�Χ�&Q}uR�\js���@1@C|k{5Bx_m�9e��埡sF%_/?j�63ʻP(GJ/?���2ʏh} $�?3#\_~5NǹF8��g�vF?r�OPi}�?ˀ�ڮɘ�1�d�v2�t2Ӂw2�dg�賓Aȣ�?S(?(�#�坌r=�9sB�fȟ.ȗn|�Ƞ�x"K�{�{��3/(@_�3
ʯa|W��]e�ʯʁ~3�ڿh�:N2�73y�S*�ÌRqA/2ȋ+OY射:?(Ay<++PA/nt3�؋�<�?3_�2��̭L틣qr]!,.5P�UZk�/Y[3ݴ�q c-���{}ih}0�^Z�/ޤ��|
SG0��ӚܴO]8ŭhg?>/�ydֺWWV�5Vl�NA6KEҿN^�j{��$o�qA��z�C�Ӄ2���J�nƍ:X�ZG�/Oi�i]7��-О��>gA7gn"��B8�C�`�%ɠ1z�I]�U�
;wI-=C�O�7�nޣ97p�?L�g��n�F�$usC\ԴZjRs�?'dQGDd�Ԉ�5ɪ"+Uw9 ط��V++R�0�X\����^9Q(Fuo*%K0nhy�=q̐g�a��1Vo1�BDO"�щ7zF]We",d��ȢȗᄽNگ�!�ā`
�}pTB�Pcgq�
=q�
�YI��0�?b{I�2hؐM�ؒ9NحQ0�
#|Nl�35<>tv��^�G�`iB�O^yN;ǻ�80~.6�Y�H�!K쀽S�Vݎ��nlb5)"R� �Ivm4
_x�>}r �1)-6�틷D#iZ#&CɘP/I>3�u�;o�s{Lx��#ÄW,|Ŷ�/F٣_BDO�vL�0�|s `?94Ǟ0ـ�O� X+.Ġ/�>''4WB)*3Up&
iኃC4!��_8�9ao5RFXk[nLZԝ:6ZdWN�k.|c� So�?�>V@U}��C�1,��'J�:�7%)^Ռ]#|F�WMPL?O=j"6�p��Άl'/Rq1^�R�[aʹD6v[욽VAxԲ'x*�DHYUҎ;@B��!#R.ܐO�F�{)B�,��Kl`v��B�`0)խ`*���s��=~ݸ*lٹi�UhH�m[��:�UE�z�?ĵ��
cwH�V�k0֪T�gU|�l>cx G�5&Tc� *|�?��O�e �Mwt8?@&s �ܐ}lI5�CO��?�Fq:h
/�A.�sl�
6�[� +"�����J-ˬ>s¹"UXJَ�
,�� ~:3-r
Φ;x����ϖWtm:yDt�z-�E{�Ofu�ݎ2J�tmk�]Kl�!CcmR>EK�
]'[٧3�й?-{�W/��7��m7#�Tt1
�%` GY�U`�r�8ǩ3b�huq#��1t��VB\
(c��tAL?Q1?cm'nFQuF:¶u4-���eѩ�&�oߩ�n^SQa[_<�tc
b�,ۙB
ya1 g'{y�{~k�C'>�kwxq|
2^9FB~ea��gZͼ*?҂g'�Q\�F$30(�y��lH�K9��m5G0X�1'��N�R�Qf7}@ '�Ɣ
ϰ"�- s�.��=p�Ϣy9r�g2�jV0�U9u,�jW6x�ozc|>[zD,5bb:(�=��z��k|XK��c.&Ա`=br8Lte4Q3|�J�Km)轋�ȝgz�^4}j}�X��C *#f"�C*��*`Ng��VX�vQ��Jeǐy6�=x�L�
_M4V*w�VVtƢ�I26pzRSF0�1{6J܆mJPUN9�VKI+^�iLN�Ƈ̎c�>tgLt�)�2)v}ml-c6�C-�;?LL,��
|
Network Security & Hardware 
