ZBot Data Dump Has Over 74,000 FTP Credentials

06/29/09

A treasure-trove of more than 74,000 hijacked FTP credentials, including accounts on high-profile domains such as Amazon, Cisco and NASA, is being used to spread Malware. The dump was discovered by Jacques Erasmus, Director of Malware Research, and his research team at Prevx. Early counts put the list at 68,000 hijacked credentials, but because the FTP dump where they are stored is still active (thanks to bulletproof hosting), more accounts have since been added, bringing the number to 74,000.

The most recent reports state that 85 of the domains whose credentials were hijacked are actively spreading malware.

According to Erasmus, “The list is now so large we have no way to effectively inform companies in a meaningful timeframe. We rate this infection as CRITICAL. The infection has a ‘china syndrome’ potential. It includes a cyclic infection, which leverages infected PCs to programmatically modify hi-volume web sites to infect additional users who become part of the cycle. More users leads to more discovery of web site admin credentials which in turn leads to more web sites being modified to serve the infection which leads to more infected users.

No doubt there are thousands of infected clients already injecting these scripts into the list of growing compromised ftp sites.

Using the clients to inject the script into the ftp sites ensures that the criminals remain anonymous. Besides that, they have a massive list of high value, high traffic websites that they can target. This means that potential visitors to the sites will then get infected because of the presence of the script.

As said before, this is not the only Malware that the exploit kit serves out; there are various other password stealers, rootkits, et al that get distributed.

Once there is a successful infection, various Malware packages will be downloaded onto the machine based on geolocation, installed applications and various other pieces of criteria. Additionally, there is another component used, which acts as a script injector. This makes a call to a certain script on the server in the Cayman Islands, using domain goooodbill.cn”
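The pattern Erasmus describes has a server-side signature a site owner can look for: one FTP account is used from many unrelated client addresses (the infected PCs doing the injecting) and each session uploads a replacement index page. The following detector is an added example, not code from the article or from Prevx; it parses a constructed, simplified FTP transfer log (timestamp, account, client IP, LOGIN or STOR, path) and flags accounts that log in from more distinct IPs than expected within a window and upload index pages in that period. The log format, thresholds and sample entries are assumptions made for illustration.

```python
"""Flag FTP accounts that are being driven from many client IPs and used
to upload index pages, the footprint of the stolen-credential cycle
described above. Added example; the log format is a constructed,
simplified one, not the output of any particular FTP daemon."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 'admin' behaves normally; 'webmaster' is hit
# from four different client addresses within a few minutes, each of
# which replaces an index page.
SAMPLE_LOG = """\
2009-06-29T10:00:01 admin 203.0.113.5 LOGIN
2009-06-29T10:00:07 admin 203.0.113.5 STOR /htdocs/news/article.html
2009-06-29T11:02:11 webmaster 198.51.100.23 LOGIN
2009-06-29T11:02:14 webmaster 198.51.100.23 STOR /htdocs/index.html
2009-06-29T11:05:40 webmaster 192.0.2.77 LOGIN
2009-06-29T11:05:43 webmaster 192.0.2.77 STOR /htdocs/index.php
2009-06-29T11:09:02 webmaster 198.51.100.140 LOGIN
2009-06-29T11:09:05 webmaster 198.51.100.140 STOR /htdocs/shop/index.asp
2009-06-29T11:15:30 webmaster 192.0.2.201 LOGIN
2009-06-29T11:15:33 webmaster 192.0.2.201 STOR /htdocs/index.html
"""

# The page types the article says get modified (ASP, PHP, HTML).
INDEX_NAMES = ("index.html", "index.htm", "index.php", "index.asp")


def parse_log(text):
    """Return a list of (timestamp, account, client_ip, action, path) tuples;
    path is None for LOGIN events."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(parts[0])
        path = parts[4] if len(parts) > 4 else None
        events.append((ts, parts[1], parts[2], parts[3], path))
    return events


def flag_accounts(events, window=timedelta(hours=1), max_ips=2):
    """Return {account: {"ips": set_of_ips, "index_uploads": [...]}} for
    accounts that logged in from more than max_ips distinct addresses
    inside any `window` and uploaded at least one index page in it."""
    logins = defaultdict(list)   # account -> [(ts, ip)]
    uploads = defaultdict(list)  # account -> [(ts, ip, path)]
    for ts, acct, ip, action, path in events:
        if action == "LOGIN":
            logins[acct].append((ts, ip))
        elif action == "STOR" and path:
            if path.rsplit("/", 1)[-1].lower() in INDEX_NAMES:
                uploads[acct].append((ts, ip, path))

    flagged = {}
    for acct, entries in logins.items():
        entries.sort()
        # Slide a window starting at each login and count distinct IPs.
        for i, (start, _) in enumerate(entries):
            ips = {ip for ts, ip in entries[i:] if ts - start <= window}
            if len(ips) <= max_ips:
                continue
            hits = [u for u in uploads[acct] if start <= u[0] <= start + window]
            if hits:
                flagged[acct] = {"ips": ips, "index_uploads": hits}
                break
    return flagged


if __name__ == "__main__":
    for acct, info in flag_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"{acct}: {len(info['ips'])} client IPs, "
              f"{len(info['index_uploads'])} index uploads")
        for ts, ip, path in info["index_uploads"]:
            print(f"  {ts} {ip} {path}")
```

The threshold of two addresses per hour is deliberately low for a single webmaster account; tune `max_ips` and `window` to the real usage of each account, and treat a hit as a reason to rotate the credential and diff the uploaded index pages, not as proof by itself.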

The Malware is a variant of the Zeus family (ZBot). Once installed, it scours the host system for stored FTP credentials. Once stored credentials are discovered, the Malware uses an HTTP POST to send the data to a server in the Cayman Islands.

“This script gives the infected client a URL in the format [USERNAME: PASSWORD@FTP.ADDRESS.COM]. The client then logs in to the given FTP site and modifies all index pages (ASP, PHP, HTML) and injects the script. Once injected, all visitors of the modified domain potentially become part of the infection network/cycle,” Erasmus explained.
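Because the injected payload is a script reference added to index pages, a site owner can check those pages directly for script or iframe sources pointing at hosts the site does not use. The scanner below is an added example, not code from the article or from Prevx; it parses a page with the standard library HTML parser, reports every `script` or `iframe` `src` whose host is not on the site's own allowlist, and walks a web root looking at index pages of the types named above. The allowlist, the host names and the two sample pages are constructed for illustration.

```python
"""Report script/iframe references in index pages that point at hosts
outside the site's allowlist. Added example; hosts and pages below are
constructed, not taken from the article."""
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types the article says the injector modifies (ASP, PHP, HTML).
INDEX_EXTENSIONS = (".html", ".htm", ".php", ".asp")

# Constructed allowlist: hosts this site legitimately loads content from.
ALLOWED_HOSTS = {"www.site.example", "cdn.site.example"}

# Constructed sample pages: one clean, one with an injected script and a
# protocol-relative hidden iframe, the kind of change described above.
SAMPLE_CLEAN = """<html><head><title>Shop</title>
<script src="/js/site.js"></script>
<script src="https://cdn.site.example/lib.js"></script></head>
<body><h1>Welcome</h1></body></html>"""

SAMPLE_INJECTED = """<html><head><title>Shop</title>
<script src="/js/site.js"></script></head><body>
<h1>Welcome</h1>
<script src="http://malicious.example/inject.js"></script>
<iframe src="//malicious.example/f.php" width="1" height="1"></iframe>
</body></html>"""


class _RefCollector(HTMLParser):
    """Collects (tag, src) for every script and iframe start tag."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append((tag, value))


def external_refs(page_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, url) pairs whose host is absent from allowed_hosts.
    Relative URLs (no host) are treated as same-origin and not reported;
    protocol-relative URLs (//host/path) are resolved to their host."""
    collector = _RefCollector()
    collector.feed(page_text)
    findings = []
    for tag, url in collector.refs:
        host = urlparse(url).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append((tag, url))
    return findings


def scan_webroot(root, allowed_hosts=ALLOWED_HOSTS):
    """Walk `root` and return {path: findings} for index pages that
    reference hosts outside the allowlist."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            base, ext = os.path.splitext(name.lower())
            if base != "index" or ext not in INDEX_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = external_refs(fh.read(), allowed_hosts)
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    for label, page in (("clean", SAMPLE_CLEAN), ("injected", SAMPLE_INJECTED)):
        print(label, external_refs(page))
```

Run `scan_webroot("/path/to/htdocs")` against a copy of the site, or schedule it and alert on any non-empty report. An allowlist check catches the class of change described here without needing a signature for the specific script, but it cannot see inline script bodies, so pair it with a hash or version-control diff of the index pages.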

The best defense is to patch your systems, update your AV products, and, if your FTP credentials were exposed, delete the FTP account and create a new one with a different password. Clean the infected client before storing the new credentials on it; otherwise the Malware will harvest the replacement password the same way it took the first.

Hackers Can Also Control Your Webcam

18 May 2009 - Reformed hacker Jacques Erasmus from security firm Prevx takes control of a computer by infecting it with trojan software.

The infection allows him to view whatever is on the victim’s screen and record his keystrokes.

Jacques Erasmus’ company downloaded the trojan for research purposes.

The trojan and bank accounts used in this video are real.

The ‘victim’ in this simulated attack gave permission for his laptop to be infected for the filming.
