(Prevx Research) ZBot data dump discovered with over 74,000 FTP credentials


PrevxHelp
June 29th, 2009, 02:53 PM
In case anyone hasn't seen this yet, we stumbled upon quite a dangerous heap of data harvested from a trojan infection - article below:

http://www.thetechherald.com/article.php/200927/3960/ZBot-data-dump-discovered-with-over-74-000-FTP-credentials

Habakuck
June 29th, 2009, 04:04 PM
I read this at your blog and was shocked.

Very effective method of infecting a lot of users!

Threedog
June 29th, 2009, 04:35 PM
Nice catch.

Rmus
June 30th, 2009, 02:04 AM
Quote:
"In case anyone hasn't seen this yet,

The Register reported that Jacques Erasmus and his research team at Prevx discovered a treasure-trove of FTP credentials, including accounts on domains that are high profile to say the least."

Do I assume correctly that these login credentials were harvested from infected users, and not from the site itself, e.g., disney.com?

EDIT:

Here is another article - it cleared things up for me:

FTP login credentials at major corporations breached
http://www.securecomputing.net.au/News/148759,ftp-login-credentials-at-major-corporations-breached.aspx

Another question: Is it common to log in to an account using ftp? Why?

By the way, note the attack vectors:

Quote:
"The Trojan can come from just about anywhere, Rogue AV installations, Codec related sites, or as of late, the samples we collected came from email."

thanks,

rich

PrevxHelp
June 30th, 2009, 09:22 AM
The login credentials came from infected employees who had logins directly to the servers (i.e. network administrators/web managers).

FTP does appear to be popular, and a number of the attacks appear to be targeted and carefully socially engineered which is what makes them more effective.

Rmus
June 30th, 2009, 10:02 AM
Can it be determined whether the infected systems were company computers on the network, or employees' personal computers?

thanks,

----
rich

PrevxHelp
June 30th, 2009, 12:17 PM
I don't think we're able to determine that.

Rmus
June 30th, 2009, 04:05 PM
Thanks - just curious because I've been interested in 'targeted' attacks, which usually implies a compromised organization email list. Here is a recent one:

Targeted e-mail attacks asking to verify wire transfer details
http://isc.sans.org/diary.html?storyid=6511

Who knows how many other databases there are out there such as the one you discovered!

----
rich