ZBot data dump discovered with over 74,000 FTP credentials

The story started on Friday. The Register reported that Jacques Erasmus and his research team at Prevx discovered a treasure trove of FTP credentials, including accounts on domains that are high profile, to say the least. Names such as NASA, Monster, ABC, Oracle, Cisco, Amazon and BusinessWeek all appear on the list of potential victims.

The accounts were compromised by the ZBot Trojan, which, once installed on a system, seeks out stored FTP credentials and other information and uploads them to a drop server similar to the one Prevx discovered in China.

The Tech Herald spoke to Erasmus, Director of Malware Research at Prevx’s head offices. He told us his team discovered the credentials while investigating a prevalent in-the-wild infection. The malware they were investigating was sending data to a web server, and once they followed the trail, the dump file was discovered.

Erasmus showed us the entire list of notable domains, including some that just should not appear on a list of this type.

The domains include: Disney.com, Bloomberg.com, Monster.com, ABC.com, BusinessWeek.com, NDTV.com, Discovery.com, Oracle.com, O2.co.uk, BigFishGames.com, Telefonica.net, NASA.gov, Rightmove.co.uk, Audiable.com, Corbis.com (UK FTP), DHL.com, QLD.gov.au, Primelocation.com (FTP, FTP1, and FTP2), Morningstar.com, Amazon.com, BankofAmerica.com, Symantec.com, McAfee.com, Cisco.com, Kaspersky.com, and Shutterstock.com.

NASA, Cisco, Kaspersky, McAfee, Symantec, Amazon, Bank of America, Oracle, ABC, BusinessWeek, Bloomberg, Disney, Monster, and the Queensland government domain: those fourteen organizations alone make these credentials tragic, but the list holds over 74,000 accounts.

“In some cases, like for instance the AV vendors, the logins are from partners that have been infected. Some logins seem like resellers, etc.,” Erasmus said.

What makes matters worse, the server the credentials were discovered on is still active, as it sits on bulletproof hosting. While Prevx has reported the abuse, the fact that the server is in China means the report is more than likely to be ignored. However, Erasmus said that he has passed all of the relevant details to US-CERT and is contacting as many of the affected companies as he can.

“The FTP details are from employees of the companies listed, as well as a huge amount of consumer users, where their GeoCities and other such logins have been compromised,” explained Erasmus. He confirmed to us that the harvested data isn’t structured in a way that shows exactly how many users from each company were compromised.

Yet he is certain what those accounts will be used for. “It is exclusively login data. The purpose of this data is clear to me. They want to use this to inject Iframes into these sites which point to their exploit kit running on the same server, to exploit more people and distribute more Malware. This is a good opportunity for them to target more users that might not get infected via the normal routes.”
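A site owner whose FTP credentials may be in a dump like this wants to know whether the injection Erasmus describes has already happened. The check below is an added example, not code from the article or from Prevx: it scans HTML for `<iframe>` tags that load from a host outside an allow-list or that are sized or styled to be invisible, which is how an exploit-kit frame is typically planted. The host names, the sample page and the `trusted_hosts` allow-list are constructed for the example.

```python
"""Scan HTML for injected iframes: off-site src and/or invisible framing.

Added example. The sample page and every host name in it are constructed;
nothing here comes from the credential dump described in the article.
"""
import re
from pathlib import Path
from typing import Iterable, Optional
from urllib.parse import urlparse

# Any <iframe ...> opening tag, including its attributes.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# The src attribute value, quoted or bare.
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Attributes that hide the frame from the visitor: zero size or CSS hiding.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0+(?:px)?\b"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)


def iframe_host(src: str) -> Optional[str]:
    """Host an iframe src loads from; None for same-origin paths like /x.html."""
    return urlparse(src.strip()).hostname


def find_suspicious_iframes(html: str, trusted_hosts: Iterable[str]) -> list[dict]:
    """Return one finding per iframe that is off-site (not in trusted_hosts)
    or invisible. Each finding records src, host, the hidden flag, the reasons
    and the byte offset of the tag so it can be located in the file."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for match in IFRAME_RE.finditer(html):
        tag = match.group(0)
        src_match = SRC_RE.search(tag)
        src = src_match.group(1) if src_match else ""
        host = iframe_host(src)
        hidden = bool(HIDDEN_RE.search(tag))
        reasons = []
        if host and host.lower() not in trusted:
            reasons.append(f"loads from untrusted host {host}")
        if hidden:
            reasons.append("frame is sized or styled to be invisible")
        if reasons:
            findings.append({"src": src, "host": host, "hidden": hidden,
                             "reasons": reasons, "offset": match.start()})
    return findings


def scan_web_root(root: Path, trusted_hosts: Iterable[str],
                  suffixes=(".html", ".htm", ".php")) -> dict[str, list[dict]]:
    """Walk a web root and map each file with findings to its findings."""
    results = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = find_suspicious_iframes(path.read_text(errors="replace"), trusted_hosts)
            if found:
                results[str(path)] = found
    return results


# Constructed sample: one legitimate embed, one same-origin widget, one hidden
# off-site frame of the kind an attacker with FTP access would add, and one
# visible off-site frame that still deserves a look.
TRUSTED = {"www.youtube.com"}
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/abc123" frameborder="0"></iframe>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<p>Footer</p>
<iframe src="http://exploit-kit.example/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="https://maps.partner.example/embed" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_PAGE, TRUSTED):
        print(f"offset {finding['offset']}: {finding['src']} -> {'; '.join(finding['reasons'])}")
```

Run against a real web root with `scan_web_root(Path("/var/www/html"), {"www.youtube.com"})`, listing only the embed hosts the site is known to use; a legitimate off-site embed shows up once and goes onto the allow-list, while a zero-sized frame pointing at an unknown host is exactly the artifact to pull the file's modification time and FTP log entries for.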

The ZBot Trojan has several variants. We’ve used some of them ourselves in recent reviews. The Trojan can come from just about anywhere: rogue AV installations, codec-related sites, or, as of late, email, which is where the samples we collected came from.

ZBot has been seen linked to the emails that offer “Microsoft Outlook Critical Updates” by pointing to a long, confusing-looking URL. Once the site loads, a rather poor imitation of the Microsoft Update page is displayed and a single EXE file is offered. The file itself is a Trojan, more often than not flagged as a variant of ZBot.

Example of a fake Outlook Update URL:
update microsoft com kiffil com mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=51168819316874756664669014767816637995466048506302358260

Most of the accounts in the list shown to The Tech Herald are from Russia and Middle-Eastern countries. However, there are some UK, AU, and US domains, suggesting roughly where the infections occurred.

If you are wondering whether your account is on the list, Prevx has created a page that will allow you to check: http://www.prevx.com/ftplogons.asp

The process to clean up this type of compromise will require a few steps.

The first is to use a recently updated AV program, as well as a secondary scan from applications such as Spybot Search & Destroy or Malwarebytes Anti-Malware. Once your system is cleaned, make sure you have all of the current operating system and software updates.

These patches and updates would include Adobe Reader, Flash Player, Shockwave, browser updates, Windows patches, Winamp, and just about anything else installed on your computer that can be updated. If you want a tool to help with patch management, Secunia has a great one that was just released in a new version, Secunia PSI.

After your system is updated, if you have complete control over your FTP access, delete the account and create a new one with a different password. If you cannot do this, ask your web host to create a new user and password for you.
