A trojan has reportedly been uncovered that is harvesting FTP login data of major corporations, including the Bank of America, BBC, Amazon, Cisco, Monster.com, Symantec and McAfee.
According to a report in the Friday edition of The Register, Jacques Erasmus, CTO at Prevx, an internet security vendor headquartered in the U.K., discovered a site where a trojan is uploading FTP login credentials from more than 68,000 websites.
Once an individual’s PC is infected with the trojan, that user’s stored FTP login credentials are harvested. An attacker can then login to the FTP site. The logins are believed to have been stolen during the last two weeks and some are thought to still be valid.
Erasmus said the compromised sites would then be vulnerable for hackers to upload drive-by download scripts and other malware. A variant of the ZBot trojan, hosted on a server in China, is said to be receiving the uploaded FTP credentials in plain text, making it simple for cybercriminals to gather up the data.
First detected in Sept. 2007, ZBot is already notorious for capturing keystrokes to obtain login credentials, along with credit card or other sensitive information.
“It’s a never-ending battle,” Ivan Macalintal, threat researcher manager at Trend Micro, told SCMagazineUS.com on Friday. Zbot, aka Zeus, is an infamous information stealer that usually comes via a drive-by download on a compromised website, he said. “We’re also seeing it being deployed by email with a malicious link or attachment.”
Recent variants came disguised as an email that claimed to be a critical update for Microsoft Outlook. Some variants of the trojan are also capable of getting snapshots of an infected user’s system, Macalintal said.
The rise in this type of trojan may be due to the fact that kits are being sold in the cyber underground that allow attackers to create their own trojans and customize them to configure what stored information they need, and how it will be sent back to the creator, Macalintal said.
As far as what can be done to defend against attacks, Macalintal listed the traditional antidotes: don’t click on suspicious, unsolicited links; browse safely and securely using good web filtering; update patches; and use safe computing practices. In the case of last week’s scam involving Microsoft updates, he said that end-users should remember that vendors do not send updates via email.