'Zeus' Trojan Blamed for FTP Thefts

As the Internet buzzes with speculation about the ongoing denial-of-service (DoS) attacks targeting U.S. and South Korean Web sites, security software specialist Prevx highlighted a much more mundane, but no less vexing, exploit: the theft of almost 90,000 FTP credentials from a laundry list of prominent corporate sites, including those of Amazon, Bank of America and Cisco Systems Inc.

The FTP thefts are the work of a new trojan called Zeus, according to Prevx, which late last month reported that nearly 75,000 FTP credentials had been compromised. By early July, that tally had climbed to nearly 90,000.

Prevx's Jacques Erasmus, writing on his company's blog, describes the exploit as having "China syndrome"-like potential, but what he's describing sounds more like a particularly destructive feedback loop.

"It includes a cyclic infection which leverages infected PCs to programmatically modify hi[gh]-volume Web sites to infect additional users who become part of the cycle," he wrote. "[Having] more users leads to more discovery of Web site admin credentials which in turn leads to more Web sites being modified to serve the infection which leads to more infected users."

The exploit's perpetrators have by this point accumulated a "massive list of high-value, high-traffic Web sites," Erasmus said.

Industry watcher Gartner Inc. seized on Prevx's discovery to caution against the use of insecure or "unmanaged" FTP implementations. More to the point, Gartner indicated, even ostensibly secure FTP variants, such as FTP over SSL, don't help when the client itself is infected: transport encryption protects the credential on the wire, but a trojan on the endpoint captures it before it is ever encrypted.

"The FTP credential theft reaffirms that simply using SSL technologies or encrypting the payload is not enough to ensure secure FTP. Malware such as the Zeus trojan is capable of stealing and exporting SSL credentials and exploiting FTP servers as distribution points for malware," wrote Gartner analysts L. Frank Kenney and Peter Firstbrook in a research blast. "Compromised Web sites already serve as a prime channel for distributing malware to unsuspecting Web site visitors. The FTP focus of this attack indicates that Internet-facing FTP servers may be the next target."

The exploit is troublesome in at least a couple of respects. First is the obvious issue of unauthorized access: Attackers who harvest FTP credentials can gain access to FTP servers, Web servers or other sensitive systems. Secondly, however, there's the issue of what might be called parasitism: In the recent exploit, attackers used compromised FTP servers to further distribute the Zeus trojan.

"[T]he fact that attackers were able to access an FTP site poses sufficient risk," Kenney and Firstbrook continued. They wrote, "Gaining access to the FTP server enables attackers to host malware on a legitimate, trusted resource." A clever attacker needs to do little more than upload malware under an interest-piquing filename (as an example, Kenney and Firstbrook suggested "Executive_Salary.exe") to a trusted server and wait for visitors to download and run it.

The potential for malice and mayhem is far-reaching, according to the Gartner analysts. "Legitimate FTP servers could also become unwitting vehicles for the trafficking of illicit and pirated media, applications and data. Data protection is essential; the server and users' credentials must also be safeguarded," they wrote. "The attraction of a simple, easy-to-use FTP site should not outweigh security considerations, particularly when a plethora of security technologies is available."

Kenney and Firstbrook conclude with caution: "If you have deployed an FTP site that handles high-value data or application areas without proper mechanisms for managed and secure file transfer, data at rest, and file server and client administration, immediately consider deploying a managed file transfer solution with appropriate data loss protection capabilities. Data encryption is mandatory, but is not the end of your responsibilities with regard to file transfer. Consider placing FTP servers behind secure Web gateways to monitor FTP traffic for the upload and download of malicious applications."
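The monitoring Gartner recommends can start with the FTP server's own transfer log. The script below is an added example, not code from the article, Prevx or Gartner: it parses constructed xferlog-style lines (the wu-ftpd/vsftpd transfer-log format), looks at what was uploaded into the web root, and flags the two patterns described above, an executable dropped onto a trusted server and an HTML page rewritten to serve an infection (hidden iframe or script pulled from a foreign host), plus uploads from a source address outside an assumed admin allowlist. The log lines, file contents, IP addresses, hostnames and allowlist are all constructed for the example.

```python
import re

# Constructed sample of a wu-ftpd/vsftpd-style xferlog (not real data).
# Fields: date, transfer-secs, remote-host, size, path, type, action,
# direction (i = upload, o = download), mode, user, service, auth, auth-user, status.
SAMPLE_XFERLOG = """\
Mon Jul  6 09:12:41 2009 1 203.0.113.7 11264 /var/www/html/Executive_Salary.exe b _ i r webadmin ftp 0 * c
Mon Jul  6 09:13:02 2009 1 203.0.113.7 4096 /var/www/html/index.html b _ i r webadmin ftp 0 * c
Mon Jul  6 10:01:15 2009 1 198.51.100.22 8192 /var/www/html/report.pdf b _ o r marketing ftp 0 * c
Mon Jul  6 10:05:33 2009 1 198.51.100.22 2048 /var/www/html/news.html b _ i r marketing ftp 0 * c
"""

# Constructed contents of the files after the transfers above (stand-in for reading them from disk).
SAMPLE_FILES = {
    '/var/www/html/Executive_Salary.exe': b'MZ\x90\x00' + b'\x00' * 60,   # PE header stub
    '/var/www/html/index.html': (b'<html><body><h1>Welcome</h1>'
        b'<iframe src="http://malware.example/in.php" width="0" height="0"></iframe>'
        b'</body></html>'),
    '/var/www/html/news.html': (b'<html><body><p>Quarterly news</p>'
        b'<script src="/js/site.js"></script></body></html>'),
}
TRUSTED_SOURCES = {'198.51.100.22'}      # assumed admin allowlist
SITE_HOSTS = {'www.example.com'}         # hosts our own pages legitimately load scripts from

XFERLOG_RE = re.compile(
    r'^(?P<date>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) '
    r'(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>\S+) '
    r'(?P<type>[ab]) (?P<action>\S) (?P<dir>[iod]) (?P<mode>[ar]) '
    r'(?P<user>\S+) (?P<service>\S+) (?P<auth>\d) (?P<authuser>\S+) '
    r'(?P<status>[ci])$')

EXEC_EXT = ('.exe', '.scr', '.com', '.bat', '.pif', '.dll')
WEB_EXT = ('.html', '.htm', '.php', '.js')

# iframe made invisible by size or style: the classic drive-by injection
HIDDEN_IFRAME_RE = re.compile(
    r'<iframe[^>]*(?:width\s*=\s*["\']?0|height\s*=\s*["\']?0|'
    r'display\s*:\s*none|visibility\s*:\s*hidden)', re.I)
# <script src="//host/..."> or "http(s)://host/..."; relative paths do not match
FOREIGN_SCRIPT_RE = re.compile(
    r'<script[^>]+src\s*=\s*["\']?(?:https?:)?//([^/"\'>\s]+)', re.I)


def parse_xferlog(text):
    """Return one dict per well-formed transfer line."""
    events = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def check_upload(event, content, site_hosts, trusted_sources):
    """Return the list of reasons an upload looks like abuse (empty = nothing seen)."""
    reasons = []
    if event['dir'] != 'i':            # only uploads can plant content
        return reasons
    if event['host'] not in trusted_sources:
        reasons.append('upload from untrusted source %s' % event['host'])
    path = event['path'].lower()
    if path.endswith(EXEC_EXT) or content[:2] == b'MZ':
        reasons.append('executable uploaded to web root')
    if path.endswith(WEB_EXT):
        text = content.decode('utf-8', 'replace')
        if HIDDEN_IFRAME_RE.search(text):
            reasons.append('hidden iframe injected')
        for host in FOREIGN_SCRIPT_RE.findall(text):
            if host.lower() not in site_hosts:
                reasons.append('script loaded from foreign host %s' % host)
    return reasons


def analyze(log_text, files, site_hosts, trusted_sources):
    """Run every logged transfer through check_upload; return (path, user, host, reason) tuples."""
    alerts = []
    for ev in parse_xferlog(log_text):
        content = files.get(ev['path'], b'')
        for reason in check_upload(ev, content, site_hosts, trusted_sources):
            alerts.append((ev['path'], ev['user'], ev['host'], reason))
    return alerts


if __name__ == '__main__':
    for path, user, host, reason in analyze(SAMPLE_XFERLOG, SAMPLE_FILES,
                                            SITE_HOSTS, TRUSTED_SOURCES):
        print('%s by %s from %s: %s' % (path, user, host, reason))
```

On the sample data the script raises four alerts, all for the `webadmin` account working from the untrusted address: the executable and the rewritten index page, each flagged twice (once for the source address, once for the content), while the download of `report.pdf` and the trusted upload of a clean `news.html` stay silent. The stolen-credential case is exactly the one where a login-based check is blind, which is why the content checks and the source allowlist are applied to every successful upload rather than to failed logins.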

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
