ZBot data dump discovered with over 74,000 FTP credentialsby Steve Ragan - Jun 29 2009, 20:19
The story started on Friday. The Register reported that Jacques Erasmus and his research team at Prevx discovered a treasure-trove of FTP credentials, including accounts on domains that are high profile to say the least. Names such as NASA, Monster, ABC, Oracle, Cisco, Amazon, BusinessWeek and more, are all included in the list of potential victims.
The accounts were compromised thanks to the ZBot Trojan, which once it is installed on the system, seeks out stored FTP credentials as well as other information and offloads them to a server similar to the one discovered by Prevx in China.
The Tech Herald spoke to Erasmus, Director of Malware Research at Prevx’s head offices. He told us his team discovered the credentials while investigating a prevalent in the wild infection. The Malware they were investigating was sending data to a web server, and once they followed the trail, the dump file was discovered.
Erasmus showed us the entire list of notable domains, including some that just should not appear on a list of this type.
The domains include: Disney.com, Bloomberg.com, Monster.com, ABC.com, BusinessWeek.com, NDTV.com, Discovery.com, Oracle.com, O2.co.uk, BigFishGames.com, Telefonica.net, NASA.gov, Rightmove.co.uk, Audiable.com, Corbis.com (UK FTP), DHL.com, QLD.gov.au, Primelocation.com (FTP, FTP1, and FTP2), Morningstar.com, Amazon.com, BankofAmerica.com, Symantec.com, McAfee.com, Cisco.com, Kaspersky.com, and Shutterstock.com.
NASA, Cisco, Kaspersky, McAfee, Symantec, Amazon, Bank of America, Oracle, ABC, BusinessWeek, Bloomberg, Disney, Monster, and the Queensland government domain. Those fourteen businesses alone make these credentials tragic, but the list has over 74,000 accounts.
“In some cases like for instance the AV vendors, the logins are from partners that have been infected. Some logins seem like resellers etc.,” Erasmus said.
What makes matters worse, the FTP they were discovered on is still active, as it is hosted using Bulletproof hosting. While Prevx has reported abuse, the fact that the server is sitting in China means the abuse report is more than likely to be ignored. However, Erasmus said that he passed all of the relevant details over to US-CERT and is contacting as many companies as he can.
“The FTP details are from employees of the companies listed, as well as a huge amount of consumer users, where their GeoCities and other such logins have been compromised,” explained Erasmus. He confirmed to us that the data harvested isn’t structured in a way to tell exactly how many users from each company were compromised.
Yet, he is positive what those accounts will be used for. “It is exclusively login data. The purpose of this data is clear to me. They want to use this to inject Iframes into these sites which point to their exploit kit running on the same server, to exploit more people and distribute more Malware. This is a good opportunity for them to target more users that might not get infected via the normal routes.”
The ZBot Trojan has several variants. We’ve used some of them ourselves in recent reviews. The Trojan can come from just about anywhere, Rogue AV installataions, Codec related sites, or as of late, the samples we collected came from email.
ZBot has been seen linked to the emails that offer “Microsoft Outlook Critical Updates” by linking to a long, confusing looking, URL. Once the site loads, a rather poor imitiation of the Microsoft Update page is displayed and a single EXE file is offered. The file itself is a Trojan, more often than not flagged as a variant of ZBot.
Example of a fake Outlook Update URL:
update microsoft com kiffil com mx/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=51168819316874756664669014767816637995466048506302358260
Most of the accounts that are in the list shown to The Tech Herald are from Russia and Middle-Eastern countries. However, there are some UK, AU, and US domains, suggesting a rough location for infection.
If you are wondering if your account is on the list, Prevx has created a domain that will allow you to check. http://www.prevx.com/ftplogons.asp
The process to clean up this type of compromise will require a few steps.
The first is to use a recently updated AV program, as well as a secondary scan from applications such as SpyBot Search & Dystroy or MalwareBytes AntiMalware. Once your system is cleaned, make sure you have all of the current operating system and software updates.
These patches and updates would include Adobe Reader, Flash player, Shockwave, browser updates, Windows patches, Winamp, and just about anything you can update that is installed on your computer. If you want a tool to help with patch management, Secunia has a great one that was just released under a new version called Secunia PSI. [Download it here]
After your system is updated, if you have complete control over your FTP access, then delete the account and create a new one with a different password. If you cannot do this, talk with your webhost and ask them to create a new user and password for you.