(Prevx Research) ZBot data dump discovered with over 74,000 FTP credentials

Discussion in 'Prevx Releases' started by PrevxHelp, Jun 29, 2009.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
  2. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    I read this at your blog and was shocked.

    Very effective method of infecting a lot of users!
  3. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Nice catch.
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Do I assume correctly that these login credentials were harvested from infected users, and not from the site itself, e.g., disney.com?

    EDIT:

    Here is another article - it cleared things up for me:

    FTP login credentials at major corporations breached
    http://www.securecomputing.net.au/N...edentials-at-major-corporations-breached.aspx

    Another question: Is it common to log in to an account using ftp? Why?

    By the way, note the attack vectors:

    thanks,

    rich
    Last edited: Jun 30, 2009
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The login credentials came from infected employees who had logins directly to the servers (i.e. network administrators/web managers).

    FTP does appear to be popular, and a number of the attacks appear to be targeted and carefully socially engineered which is what makes them more effective.
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can it be determined whether the infected systems were company computers on the network, or employees' personal computers?

    thanks,

    ----
    rich
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I don't think we're able to determine that.
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks - just curious because I've been interested in 'targeted' attacks, which usually implies a compromised organization email list. Here is a recent one:

    Targeted e-mail attacks asking to verify wire transfer details
    http://isc.sans.org/diary.html?storyid=6511

    Who knows how many other databases there are out there such as the one you discovered!

    ----
    rich