As you might know if you have been following our blog, last month we blogged about an FTP password stealer that’s spreading in the wild.
This infector managed to steal the credentials of many large companies; in total, nearly 90,000 logins were found. We worked with local and international law enforcement to get that site shut down and to inform as many victims as we could.
Yesterday, while roaming the dark depths of the web, Mike "Rambo" Johnson, one of our malware hunting rockstars, managed to find the latest incarnation of this threat.
On this occasion there is not much difference: it’s an entirely new list of domains containing, yet again, a bunch of new "big names" which we are in the process of notifying. Overnight the number of stolen credentials went from 624 to 4338.
The infection begins when visiting what appears to be a harmless website, hxxp://
Two separate scripts are all this particular URL has to offer; unfortunately, there is no legitimate material to be found.
Most of these injected sites contain what’s called a rotator, which rotates malware packs purchased by people who want their malware spread.
Script 1 failed to execute on this machine, as the IP was blocked due to previous visits throughout that day.
Script 2 is where the FtpBot is launched from. This particular URL is also a rotator and will serve up different malware based on geographic location, installed software and time of day.
The exploit kit used by this malware is called FSPACK; there are so many of these around these days that the name really has little value.
So let’s move on to the meaty stuff. On successful exploitation, this is what you could expect to see traffic-wise on your machine.
This shows how the pack itself fetches even more malware on top of the already dropped pieces.
Now, it begins checking for commands.
It tries to connect to an admin panel; however, it appears that this is not configured properly by the malware owners and doesn't seem to be functioning in terms of statistics gathering.
What happens after this process is complete is that the malware installed on the victim machine harvests FTP details from known FTP clients (Total Commander, CuteFTP, FlashFXP and a few others) and uploads them to a list on the server.
The stolen details are sent to a text file on the server known as list.txt; the format of each entry is "ftp://username:password@ftp.domain.com".
This list is then dished out to infected clients, which log in to the FTP site and inject an iframe/script into the web pages. The goal is to infect more users who visit these sites, using the same exploit pack as shown above.
This is usually where we would finish the blog, pat ourselves on the back and think "job done"; however, we managed to find the site that the people responsible for these infections are using to monetize it.
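To show what a responder does with a list in this format, here is an added example (not code from the Prevx post or from the malware): it parses lines in the "ftp://username:password@ftp.domain.com" form described above, drops malformed and duplicate entries, and groups the affected hosts by site domain so that each victim organisation can be notified once. The sample lines are constructed for the example and contain no real data, and the domain grouping is a deliberate simplification (last two labels, no public suffix list).

```python
"""Triage helper for a stolen-credential list in the list.txt format
("ftp://username:password@host") described in the post.

Added example, not part of the original post. The sample data below is
constructed; the site_domain() rule is a simplification that ignores the
public suffix list (e.g. it would mis-handle "example.co.uk").
"""

from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample in the list.txt format, including one malformed
# line, one percent-encoded password, one non-default port and one
# exact duplicate, so the edge cases are exercised.
SAMPLE_LIST_TXT = """\
ftp://webmaster:Summer09@ftp.example.com
ftp://deploy:p%40ss@ftp.example.com
ftp://admin:secret@www.example.org
not a credential line
ftp://shop:1234@shop.example.net:2121
ftp://webmaster:Summer09@ftp.example.com
"""


def parse_record(line):
    """Return (username, password, host, port) for one list.txt line,
    or None if the line is not a well-formed ftp:// credential URL."""
    line = line.strip()
    if not line.lower().startswith("ftp://"):
        return None
    parts = urlsplit(line)
    if parts.username is None or parts.password is None or not parts.hostname:
        return None
    try:
        port = parts.port or 21  # default FTP control port when none given
    except ValueError:           # non-numeric or out-of-range port
        return None
    return (unquote(parts.username), unquote(parts.password),
            parts.hostname.lower(), port)


def site_domain(host):
    """Collapse ftp./www./shop. hosts onto a notification domain.
    Simplified: keeps the last two labels only (no public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def summarize(text):
    """Deduplicate the list and group affected hosts by site domain.

    Returns a dict with the unique credential count, the number of lines
    that did not parse, and a mapping domain -> sorted list of hosts,
    which is the minimum a responder needs to start notifying victims."""
    records = set()
    invalid = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            invalid += 1
            continue
        records.add(rec)

    hosts_by_domain = defaultdict(set)
    for _user, _password, host, _port in records:
        hosts_by_domain[site_domain(host)].add(host)

    return {
        "unique_credentials": len(records),
        "invalid_lines": invalid,
        "hosts_by_domain": {d: sorted(h) for d, h in sorted(hosts_by_domain.items())},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LIST_TXT)
    print("unique credentials:", report["unique_credentials"])
    print("lines that did not parse:", report["invalid_lines"])
    for domain, hosts in report["hosts_by_domain"].items():
        print(f"  {domain}: {', '.join(hosts)}")
```

The count of unique records is the figure you would track over time (the post's 624 to 4338 is exactly such a count), and the per-domain grouping is what drives the notification list; passwords are parsed only so that duplicate entries collapse correctly and are never printed.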
In my opinion, the ways to protect against FTP login stealers like these are as follows:
- Don't use FTP for anything important; use encrypted protocols.
- Don't rely on software such as Total Commander, FlashFXP, CuteFTP et al. to protect your credentials; the methods used to store the passwords are weak.
Prevx 3.0 and Prevx 3.0 Enterprise edition both protect against these threats.
Below are some screenshots, comments and translations from Russian to English.
I think the pictures speak for themselves, however badly they are translated. One thing I can say is that their website isn’t very pretty, but I guess they are getting enough customers even with an ugly-looking site!
When we say "injected" what we mean is that the FTP credentials have been stolen and an iframe/script has been injected into the HTML pages of the site.