Watch Out For Malware That May Steal Your FTP Passwords
Updated on December 19, 2016
Malware authors are getting increasingly creative in their attempts to bypass security controls and gain access to critical information, using tools such as password-stealer malware to steal credentials and intercept web traffic. Trojans now exist that are specifically designed to steal FTP passwords.
Why would an attacker need to steal your FTP server passwords?
The most likely goal of such an attack is to gain access to all the files located on a Web server. Web sites are commonly edited and maintained via FTP. If root Web access can be gained, the attacker can modify existing dynamic (PHP, ASP, etc.) Web pages to embed malicious code. By compromising a Web site, an attacker could potentially infect the site's visitors while masquerading as a legitimate site, spreading the malware even further. Another goal might be to use the Web site in a phishing attack, creating Web pages that appear to belong to a bank so that a visitor (lured there by a bogus email) is asked to provide personal data such as a credit card or social security number.
FTP clients are plentiful, and the majority of them offer rich feature sets. One common feature of particular interest to hackers: the ability of an FTP client to remember FTP servers that a user has previously connected to, along with login account usernames and passwords. Most such FTP clients store these details on the user’s local computer. This may also include the last FTP server the user connected to, whether the user saved the password or not. Configuration files often store sensitive details such as user names and passwords in plain text.
Q & A
How will I know if I have been compromised?
The attack sequence might go something like this:
You open an email or visit a Web site that installs a Trojan on your computer. This is the first mistake, so be extra cautious when opening email and visiting Web sites, and use anti-virus and security software and keep it up to date.
The Trojan finds all your FTP site login profiles stored as plain text in the config files used by your FTP software, such as FileZilla, WS_FTP, CuteFTP or up to 100 other programs.
The gathered FTP account login info is sent back to a central server operated by the hacker and is kept for future use. It is very likely to then be shared among the hacker community, propagating further attacks from other parts of the world.
The central server runs automated scripts to "test" whether any of these FTP accounts is a Webmaster login for publishing to a public Web server. (Again, with FTP Today, this is not the case.)
The script uploads one or more test files with names like "70f70c620045f63c38a2dc3705b7bb80.html", "ftpchk3.php" or "ftpchk3.txt". A successful upload is reported back to the central server.
The script then tries to verify that this HTML document is Web-readable. If so, then this Web server is logged for a future attack to propagate the spreading of further viruses, Trojans, phishing attacks and the like.
The script then deletes the HTML, PHP or TXT file(s) so as to leave no apparent trace of its activity.
If I am the unfortunate victim of having my desktop machine infected by FTP password-stealing malware, will my FTP Today site data files be stolen?
Probably not. These attackers are looking for Web server access, and FTP Today does not expose any of your FTP Workspaces or files to the Web (unfortunately, we cannot say the same of many of our competitors). But you should first remove the Trojan horse from your desktop machine and then immediately change your password.
Your FTP Today Transfers Report would show the uploads of this type of file, so be on the lookout for any unknown file uploads and let us know if you spot anything. We are also proactively looking for uploads like this and will contact the appropriate site administrator if we discover anything.
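The log check described above, as an added example in Python that is not FTP Today's own code: it scans a constructed transfer log for the upload-check-delete probe pattern from the attack sequence, flagging the file names the article quotes and, more generally, any file an account deletes within minutes of uploading it. The log line format, paths and account names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample transfer log (not FTP Today's real report format):
# "<ISO timestamp> <account> <STOR|DELE> <path>", STOR = upload, DELE = delete.
SAMPLE_LOG = """\
2016-12-19T10:02:11 webmaster STOR /public_html/index.php
2016-12-19T10:15:40 webmaster STOR /public_html/ftpchk3.php
2016-12-19T10:15:43 webmaster DELE /public_html/ftpchk3.php
2016-12-19T10:16:02 acme_user STOR /inbox/70f70c620045f63c38a2dc3705b7bb80.html
2016-12-19T10:16:05 acme_user DELE /inbox/70f70c620045f63c38a2dc3705b7bb80.html
2016-12-19T10:20:00 acme_user STOR /inbox/probe-123.txt
2016-12-19T10:20:09 acme_user DELE /inbox/probe-123.txt
2016-12-19T11:30:00 acme_user STOR /inbox/report.pdf
2016-12-19T11:45:00 acme_user DELE /inbox/report.pdf
"""

# Probe file names quoted in the article, plus the "32 hex chars + .html"
# shape of the first one (a randomly generated marker file).
KNOWN_PROBE_NAMES = {"ftpchk3.php", "ftpchk3.txt"}
HEX_HTML = re.compile(r"^[0-9a-f]{32}\.html$")

def parse_log(text):
    """Turn each log line into (timestamp, account, action, path)."""
    events = []
    for line in text.splitlines():
        ts, user, action, path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events

def is_probe_name(path):
    name = path.rsplit("/", 1)[-1]
    return name in KNOWN_PROBE_NAMES or HEX_HTML.match(name) is not None

def find_probe_uploads(events, max_lifetime=timedelta(minutes=5)):
    """Return [(account, path, reason)] for uploads matching the probe pattern:
    a known probe name, or a file the same account deletes within max_lifetime."""
    findings, pending = [], {}
    for ts, user, action, path in sorted(events):
        key = (user, path)
        if action == "STOR":
            pending[key] = ts
            if is_probe_name(path):
                findings.append((user, path, "known probe file name"))
        elif action == "DELE" and key in pending:
            lifetime = ts - pending.pop(key)
            if lifetime <= max_lifetime and not is_probe_name(path):
                findings.append((user, path, "deleted %ds after upload" % lifetime.total_seconds()))
    return findings
```

Legitimate short-lived uploads will also trip the lifetime rule, so treat its hits as leads to review in the Transfers Report rather than confirmed compromises.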
If my FTP password is compromised, are my files on the FTP server at risk?
Technically yes, but these automated attacks are not aimed at copying your files; they are looking for the ability to publish content to a Web server. While we at FTP Today have seen a small amount of activity of this nature (uploading and deleting this content), we have not seen it followed up by the downloading of any of our customers' files.
What else can I do?
Favor the use of FTPS over FTP and block FTP port 21 on your FTP Today site. FTP Today is the only such company that gives you the ability to block all unencrypted FTP access. It is highly likely that the attacker's central servers only use FTP and not FTPS.
The best course of action is not to save your passwords in your FTP client software. That way, even if you end up with such a Trojan on your desktop machine, it won't have the chance to steal your FTP passwords.
Looking for a more secure file sharing software? Try FTP Today and let us start protecting your business.
About Martin Horan
Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.