Security researchers have uncovered a cache of stolen FTP credentials belonging to a variety of corporations, including Symantec, McAfee, Amazon and the Bank of America.
According to security vendor Prevx, a Trojan has swiped some 88,000 FTP credentials as of this morning. The FTP logins were discovered while the company’s researchers were investigating what Prevx CTO Jacques Erasmus described as a “prevalent in-the-wild infection.” During their investigation, they noticed the malware was sending out data to a Web server. After visiting the URL, the researchers found the cache of unencrypted FTP logins.
“We have contacted many of the organizations, and also handed the data over to US CERT; we have in the meantime made a Web page where people can go to check if their ftp logins are in the list,” he said. “The url for this is www.prevx.com/ftplogons.asp.”
Once on an infected computer, the Trojan harvests all FTP details it can find. The infection is randomized so different people will get different components based on where they are, software configuration and other criteria. According to Erasmus, this all appears to be part of an operation that has been morphing in different ways for more than two years.
“It doesn’t target the organizations, what it does do is when it infects a victim it grabs any stored FTP details from the form cache and sends it to their drop site,” Erasmus explained. “A typical example would be a developer working for amazon.com gets infected on his laptop which he used to upload some data to the ftp. The Trojan would steal his login details. In the case of Symantec – Mcafee – et al, what’s happened is partners and resellers who have privileged access to the ftp site for software downloads etc., have had their machines compromised, and their login details for these sites have been compromised.”
The Trojan is a variant of ZBot, which is reported to be receiving the uploaded FTP credentials in plain text. Recently, the ZBot Trojan was spammed out in an e-mail claiming to be a critical update for Microsoft Outlook. Once on the user’s system, ZBot accesses a Website to download a .bin file with information referring to where the Trojan can download an updated copy of itself, and where to send stolen data.
In the Outlook scam, the Trojan logged keystrokes whenever the victim visited one of the monitored sites and saved the stolen information in a file and then sent the file to a dedicated server via HTTP POST.
“From what we can tell this group runs various exploit kits and infects a large amount of people on a daily basis,” Erasmus said. “By looking at their operation, we can see that they are not ‘amateur’ because of the level of bulletproof hosting they have and the sophistication they are using to infect people in a very effective way.”
With the details in hand, attackers can make a script that uses these login details to try to log in to each site and inject an iframe into each html page they find. This iframe could point to an exploit kit running on the malware distributor’s servers.
“When normal Web surfers visit the Website their browsing session would be redirected to the Exploit kit url where various types of exploits would be executed against their browser to try and automatically infect them,” Erasmus said. “So you might go to one of these sites looking to rent a house, but in the end, you’re getting a whole lot more.”