News Stay informed about the latest enterprise technology news and product updates.

New Trojan stealing FTP credentials, attacking FTP websites

A new Trojan has collected up to 80,000 unique FTP server logins and is injecting malicious code into thousands of FTP websites.

Security researchers have discovered a new Trojan that has harvested as many as 80,000 unique FTP server logins and is now beginning to target domains, injecting malicious scripts into compromised FTP sites.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

So far up to 74,000 unique FTP sites are affected, according to security vendor Prevx, which discovered a server containing the FTP credentials. The list of FTP websites contains some high profile names, including software resellers of security vendors Symantec and McAfee, Bank of America, and others have been compromised.

"The list is now so large we have no way to effectively inform companies in a meaningful timeframe," Jacques Erasmus, director of research at Prevx. "I suspect we'll see an increase in drive by malware in the next day or two."

FTP Trojans:
Stolen FTP credentials likely in massive website attacks: The latest website attack techniques use stolen user credentials instead of website vulnerabilities to crack websites and spread malware.

Companies plug FTP holes with secure FTP servers: Some companies are investing in secure FTP suites to give employees and business partners the ability to transfer large files such as large documents, audio, video and photos.

Botnet platform helps cybercriminals bid for zombie PCs: Infected PCs are sold again and again on a new platform that enables cybercriminals to buy and sell victim's machines.

In five minutes one infected client managed to inject malicious JavaScript into 85 FTP websites. Once malicious script is injected into a page, it automatically scans the software running on visitor's machines looking for a way in. If a flaw is found, the script deploys a specially crafted package of malware onto the machine that steals passwords and other sensitive information. The Trojan, a variant of the Zeus family, also scours the machine's stored form cache looking for stored FTP login credentials.

Prevx set up a website to enable users to check if their FTP credentials have been compromised.

Earlier this month, security vendor Websense Inc. warned that stolen FTP credentials were to blame in a massive attack targeting 40,000 websites. In May, a malware exploit, called Gumblar, spread quickly onto websites through stolen FTP credentials in addition to vulnerable Web applications and poor configuration settings.

Erasmus and other experts are urging FTP website owners to move to secure FTP to cut down on stolen credentials and limit the possibility of infection.

Software is available to allow businesses to securely transfer billing data, funds transfer and large data recovery files. To avoid sniffing and other security issues, FTP clients support SFTP to provide secure file transfer or FTPS, to enable data encryption. Users of FTP can protect themselves by ensuring that login information is not stored in the browser cache.

Symantec issued a statement saying it immediately conducted comprehensive testing and verified that its FTP servers were not affected by the malware. The security vendor said it has processes and procedures in place to verify the security of its infrastructure on a regular basis.

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.