Security researchers have discovered a new Trojan that has harvested as many as 80,000 unique FTP server logins and is now beginning to target domains, injecting malicious scripts into compromised FTP sites.
So far up to 74,000 unique FTP sites are affected, according to security vendor Prevx, which discovered a server containing the FTP credentials. The list of FTP websites contains some high profile names, including software resellers of security vendors Symantec and McAfee, Bank of America, Amazon.com and others have been compromised.
"The list is now so large we have no way to effectively inform companies in a meaningful timeframe," Jacques Erasmus, director of research at Prevx. "I suspect we'll see an increase in drive by malware in the next day or two."
Prevx set up a website to enable users to check if their FTP credentials have been compromised.
Earlier this month, security vendor Websense Inc. warned that stolen FTP credentials were to blame in a massive attack targeting 40,000 websites. In May, a malware exploit, called Gumblar, spread quickly onto websites through stolen FTP credentials in addition to vulnerable Web applications and poor configuration settings.
Erasmus and other experts are urging FTP website owners to move to secure FTP to cut down on stolen credentials and limit the possibility of infection.
Software is available to allow businesses to securely transfer billing data, funds transfer and large data recovery files. To avoid sniffing and other security issues, FTP clients support SFTP to provide secure file transfer or FTPS, to enable data encryption. Users of FTP can protect themselves by ensuring that login information is not stored in the browser cache.
Symantec issued a statement saying it immediately conducted comprehensive testing and verified that its FTP servers were not affected by the malware. The security vendor said it has processes and procedures in place to verify the security of its infrastructure on a regular basis.