(Prevx Research) ZBot data dump discovered with over 74,000 FTP credentials

Discussion in 'Prevx Releases' started by PrevxHelp, Jun 29, 2009.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
  2. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    I read this at your blog and was shocked.

    Very effective method of infecting a lot of users!
     
  3. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Nice catch.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    Do I assume correctly that these login credentials were harvested from infected users, and not from the site itself, e.g., disney.com?

    EDIT:

    Here is another article - it cleared things up for me:

    FTP login credentials at major corporations breached
    http://www.securecomputing.net.au/N...edentials-at-major-corporations-breached.aspx

    Another question: Is it common to log in to an account using ftp? Why?

    By the way, note the attack vectors:

    thanks,

    rich
     
    Last edited: Jun 30, 2009
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The login credentials came from infected employees who had logins directly to the servers (i.e. network administrators/web managers).

    FTP does appear to be popular, and a number of the attacks appear to be targeted and carefully socially engineered, which is what makes them more effective.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    Can it be determined whether the infected systems were company computers on the network, or employees' personal computers?

    thanks,

    ----
    rich
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I don't think we're able to determine that.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    Thanks - just curious because I've been interested in 'targeted' attacks, which usually implies a compromised organization email list. Here is a recent one:

    Targeted e-mail attacks asking to verify wire transfer details
    http://isc.sans.org/diary.html?storyid=6511

    Who knows how many other databases there are out there such as the one you discovered!

    ----
    rich
     