New Trojan stealing FTP credentials, attacking FTP websites

By Robert Westervelt, News Editor
29 Jun 2009 | SearchSecurity.com

Security researchers have discovered a new Trojan that has harvested as many as 80,000 unique FTP server logins and is now beginning to target domains, injecting malicious scripts into compromised FTP sites.
So far up to 74,000 unique FTP sites are affected, according to security vendor Prevx, which discovered a server containing the FTP credentials. The list of compromised FTP websites contains some high-profile names, including software resellers of security vendors Symantec and McAfee, Bank of America, Amazon.com and others.
"The list is now so large we have no way to effectively inform companies in a meaningful timeframe," said Jacques Erasmus, director of research at Prevx. "I suspect we'll see an increase in drive-by malware in the next day or two."
In five minutes one infected client managed to inject malicious JavaScript into 85 FTP websites. Once the malicious script is injected into a page, it automatically scans the software running on visitors' machines, looking for a way in. If a flaw is found, the script deploys a specially crafted package of malware onto the machine that steals passwords and other sensitive information. The Trojan, a variant of the Zeus family, also scours the machine's stored form cache looking for stored FTP login credentials.
Prevx set up a website to enable users to check if their FTP credentials have been compromised.
Earlier this month, security vendor Websense Inc. warned that stolen FTP credentials were to blame in a massive attack targeting 40,000 websites. In May, a malware exploit, called Gumblar, spread quickly onto websites through stolen FTP credentials in addition to vulnerable Web applications and poor configuration settings.
Erasmus and other experts are urging FTP website owners to move to secure FTP to cut down on stolen credentials and limit the possibility of infection.
Software is available that lets businesses securely transfer billing data, funds transfers and large data recovery files. To avoid sniffing and other security issues, FTP clients support SFTP, which provides secure file transfer, or FTPS, which enables data encryption. Users of FTP can protect themselves by ensuring that login information is not stored in the browser cache.
Symantec issued a statement saying it immediately conducted comprehensive testing and verified that its FTP servers were not affected by the malware. The security vendor said it has processes and procedures in place to verify the security of its infrastructure on a regular basis.