• Experts Explain: FTP Account Compromise

    This is the third part in a series of posts here at StopTheHacker where we describe the various methods that malicious hackers use to infect benign and legitimate websites with web-malware.

    In this article, we will describe one of the most common reasons why benign websites are hacked and then are infected with malware: FTP password compromise. This particular technique is neither very sophisticated, nor is it recent, nonetheless, it is extremely effective.

    It is estimated that near 30% of all websites that are injected with malicious computer code are the result of stolen credentials, such as FTP passwords. We will delve into some detail about FTP, how to protect yourself and your website from this kind of an attack, and alternate best practice strategies.

    What is FTP?
    File Transfer Protocol (FTP) is a protocol that specifies how to communicate with a computer, such as a web server, in order to access to the files on that computer. FTP is simply a set of rules according to which your computer can talk to a file server, web server or other computers and reliably exchange information.

    This protocol, FTP, is based on another popular Internet protocol called Transmission Control Protocol (TCP). FTP is based on a client server model, wherein the computer that requests data is the client, and the computer supplying the data is the server. Both client and server understand how to “talk” to each other reliably using FTP.

    How is FTP used?
    FTP can be used for a number of purposes, one of the primary uses being for web-masters to upload web pages to web-servers. FTP in general can be used to easily move files from one computer to another. Academic institutions also use FTP to move large data files from experiments onto dedicated computers meant for storing information.

    What is a code injection attack?
    A code injection attack is an unwarranted effort to load malicious computer code onto a website, by exploiting weaknesses in the software that is powering the website or by other means, such as compromised passwords (FTP etc).

    This attack usually manifests itself when a malicious hacker identifies a particular weakness in the way a website handles user input and exploits that weakness to load the malicious computer code, infecting the web pages on the website. This allows the malicious hacker to (1) steal information from the compromised website (2) infect visitors visiting the compromised website and more.

    How do FTP credentials get compromised?
    Credentials, such as FTP username and passwords, can be compromised by Trojans and viruses installed on the computers of unsuspecting users “sniff” the credentials being transferred over the Internet to the web server. FTP transfers credentials and information in clear-text. This means that any person or program that is “listening” in on the transmission of credentials to the FTP server, can do so relatively easily and then steal these credentials.

    There is extensive literature on rootkits, sniffing software, and key loggers on the Internet. A popular Trojan called ZBot was analyzed by Prevx and details were released in this forum entry. This particular Trojan is installed from a number of vectors: Rogue Antivirus advertisements, spam emails, fake codecs, and more. This Trojan is very effective at stealing FTP credentials and passing them to a “master” server that injects malware onto the associated websites.

    How are the FTP credentials used to infect websites?
    Once a Trojan like the one described above acquires FTP credentials, they pass on the information to a master server called a “command and control” server. This command and control server could be present on an IRC chat channel, for example. Once the Trojan has stolen the credentials and notified the master server via the chat channel (automatically), the master server uses the credentials to infect the website with malware.

    How to detect if your site is vulnerable to FTP credential compromise attacks?
    If you use FTP for access to files on your website, you need to be very careful. If you store your FTP usernames and passwords on your local computer using software like FileZilla, your website can be compromised if malicious software or a Trojan is installed on your computer. Never store credentials on your local computer.

    Additionally, you should use SFTP (Secure FTP), SSH (Secure Shell), or SCP (Secure Copy), which uses encryption, instead of FTP. Or, use another method that does not transfer credential information to your server in clear-text (using encryption instead) when communicating with your web server. This technique will avoid credential compromise from “sniffing” attacks.

    FTP credential compromise is a common vector for malicious hackers to exploit and infect websites. We have seen what FTP is, how it is exploited by hackers, and how to protect your website.

    StopTheHacker.com customers have access to resources and services that protect them against these kind of threats and help them recover from compromises should they occur. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.