FTP Injection Attacks Are Getting Craftier

injectionIn a previous blog post, IFRAME Injection Attacks via FTP were examined. Back in August and September of 2009, we saw a sharp increase in these type of attacks. In November and December of last year, these attacks appeared to stop altogether. It seems that was the calm before the storm…

What’s happening now?

In the past two weeks, we’ve had several clients whose FTP passwords were compromised. This is often due to malware or trojan “virus-like” software that infects a PC and actively searches for stored FTP credentials in common FTP programs like Filezilla or CuteFTP.

Once these details are obtained, the FTP login information is distributed to an army of compromised servers and other PCs where automated “bots” FTP into the account, download all of the files, and re-upload specific files with malicious code now embedded.

What’s changed?

In the past, these automated bots would simply alter files that had the words main, index, or default in their filenames, and only looked at .htm(l) and .php pages. This made it easy to spot, easy to find, and easy to clean. Additionally, they mostly either inserted a hidden IFRAME or sometimes javascript that tried to load an iframe.

The latest round of attacks has shown more sophistication. In addition to the standard filenames, they are now targeting javascript files (files ending in .js). The code they are inserting is encrypted javascript code that issues a “window.onload” command (which tries to run the malicious code once a page is loaded). The code is often inserted at the end of the file, but can be put in various locations in the file.

To make it more difficult to clean, the code is often randomized so there is no common text between various infected pages. This can result in  a tedious manual cleaning process to remove this malicious code.

What can be done?

Read our IFRAME Injection Attacks via FTP on the Rise Again blog post for a detailed list of things to do when your site is infected.

To prevent this from happening in the first place, only give out your FTP password to trusted people, change it regularly, and most of all, KEEP YOUR PC CLEAN! This means using up to date anti-virus software, keeping Windows updated with the latest patches, and using a separate malware scanner like Malwarebytes.

Please share any other tips or trends you’ve noticed with this new round of attacks.

Photo credit

Looking for a web host that understands ecommerce and business hosting?
Check us out today!

8 Comments

  1. Nick says:

    Hello Rob .. great article

    I have dealt with this issue in the past and am having to deal with it again.

    About a year ago, I had this malicious trojans on my PC and every time i uploaded websites to the server via Dreamweaver the trojans would steal the ftp passwords and inject the iframes.

    I kepth thinking it was the hosting company that was compromised but it was actually my own PC.

    I use AVG and Malwarebytes but got infected again with another trojan recently and the same thing has happened.

    The questions are:

    1. How can you prevent the trojans from infecting your PC in the first place? I mean aren’t the anti-virus software supposed to stop the infections from getting into your PC?

    2. How to secure the FTP information? I use dreamweaver to publish the sites and HAVE TO enter the ftp details to connect to the server, so is there a bettwr way to upload the websites after designing in dreamweavr?

    Anyone who can help will be greatly appreciated.

    • Nick,

      Are you running the paid version of malwarebytes? If so, is it set to run real-time protection, do automatic updates, and daily scans? If not, you will want to set it up to do these things, so it protects your website in real-time.

      These trojans are often on infected websites that you browse to and run malicious code on your computer. Make sure you’re running the latest IE8 or FF 3.6 web browser, and all Windows security updates are applied.

      The trojans often pull the FTP data from applications that store the FTP username and password. A few things you can do:

      – Do not store the FTP details in Dreamweaver. Enter them each time manually.
      – Use FTPS or SFTP instead of regular FTP. The hackers only test FTP connections in most cases. Your host may even be able to disable regular FTP or force FTPS for your account.

      Hopefully between running real time Malwarebytes protection with automatic updates and not storing your FTP details in Dreamweaver, this should help minimize the chance your computer gets re-infected.

  2. Nick says:

    Rob.. thanks for the fast response and great advice :)

    Yes I have the paid version of Malwarebytes and I think it is on real-time protection because i always get these pop messages that say “malwarebytes has successfully blocked malicious IP….etc”

    However, I admit i have not done daily scans thinking that malwarebytes and AVG antivirus would block ALL infections.

    I will now avoid storing ftp info in dreamweaver. However, when i need to publish a site and enter the ftp info manually, wouldn’t the trojan still be able to pick the details up as i enter them ? … meaning at the time i go and publish the site.

    thanks so much again for your help .. i really appreciate it.

    • Yes, setting up daily scans is important so that anything that sneaks past real-time protection (i.e. a threat comes out “zero day exploit” that gets installed and then the next update can detect it) is eventually caught and removed. Malwarebytes can be setup to auto scan each night.

      The latest trojans (the ones that infect websites via FTP) are not full keylogger trojans. They simply scan your computer for common FTP programs and extract the login details. By not storing the details, it minimizes this risk unless your computer has a keylogger, which is more rare. You could save just the username in DW so you only have to enter the password each time you publish.

  3. Nick says:

    Superb .. i will definitely try that from now on … so is it ok for me to leave my computer on 24/7 overnight for the scans to run while i am away ? i usually turn off my computer when i leave the office

    • I typically leave my computers on 24/7, so I schedule the scans at night when I’m not using them. If you would rather turn off your computer each day, then you could schedule the scan during the day when it’s on.

      As long as the extra couple of cents per day in electricity don’t bother you, no harm in 24/7. :)

  4. Pat says:

    Hi, does any one know what is the name of this Trojan? How does the Trojan send out the saved FTP credential? By FTP or HTTP?

    Thanks!

Leave a Reply