In-Depth

When SSL Just Isn't Enough

Recent FTP thefts affecting even SSL-encrypted logins are the work of a new Trojan called Zeus; 90,000 logins may have been compromised.

• By Stephen Swoyer
• 07/21/2009

As the Internet buzzes with speculation about the ongoing denial-of-service (DoS) attacks targeting U.S. and South Korean Web sites, security software specialist Prevx highlighted a much more mundane -- but no less vexing -- exploit: the theft of almost 90,000 FTP credentials from a laundry list of prominent corporate sites, including Amazon, Bank of America, and Cisco Systems Inc.

The FTP thefts are the work of a new Trojan called Zeus, according to Prevx, which late last month reported that nearly 75,000 FTP credentials had been compromised. By early July, that tally had climbed to nearly 90,000.

Prevx's Jacques Erasmus, writing on his company's blog, describes the exploit as having "China Syndrome"-like potential -- but what he's describing sounds more like a particularly destructive positive feedback loop.

"It includes a cyclic infection which leverages infected PCs to programmatically modify hi[gh]-volume Web sites to infect additional users who become part of the cycle," he wrote. "[Having] more users leads to more discovery of Web site admin credentials which in turn leads to more Web sites being modified to serve the infection which leads to more infected users." Its perpetrators have by this point accumulated a "massive list of high-value, high-traffic Web sites," Erasmus said.

Industry watcher Gartner Inc. seized on Prevx's discovery to caution against the use of insecure or "unmanaged" FTP implementations. More to the point, Gartner indicated, even using ostensibly secure FTP implementations -- such as encrypted FTP with SSL -- isn't completely safe.

"The FTP credential theft reaffirms that simply using SSL technologies or encrypting the payload is not enough to ensure secure FTP. Malware such as the Zeus trojan is capable of stealing and exporting SSL credentials and exploiting FTP servers as distribution points for malware," write Gartner analysts L. Frank Kenney and Peter Firstbrook in a research blast. "Compromised Web sites already serve as a prime channel for distributing malware to unsuspecting Web site visitors. The FTP focus of this attack indicates that Internet-facing FTP servers may be the next target."

The exploit is troublesome in at least a couple of respects. First, of course, there's the obvious issue of unauthorized access: attackers who harvest FTP credentials can gain access to FTP servers, Web servers, or other sensitive systems. Secondly, however, there's the issue of what might be called parasitism: in the recent exploit, attackers used compromised FTP servers to further distribute the Zeus Trojan.

"[T]he fact that attackers were able to access an FTP site poses sufficient risk," Kenney and Firstbrook continue, writing that "Gaining access to the FTP server enables attackers to host malware on a legitimate, trusted resource." A clever attacker need do little more upload malware with an interest-piquing filename (such as, Kenney and Firstbrook suggest, "Executive_Salary.exe") to ensure propagation.

The potential for malice and mayhem is far reaching, according to the Gartner analysts. "Legitimate FTP servers could also become unwitting vehicles for the trafficking of illicit and pirated media, applications, and data. Data protection is essential, the server and users' credentials must also be safeguarded," they write. "The attraction of a simple, easy-to-use FTP site should not outweigh security considerations, particularly when a plethora of security technologies is available."

Kenney and Firstbrook conclude with caution. "If you have deployed an FTP site that handles high-value data or application areas without proper mechanisms for managed and secure file transfer, data at rest, and file server and client administration, immediately consider deploying a managed file transfer solution with appropriate data loss protection capabilities," they advise.

"Data encryption is mandatory, but is not the end of your responsibilities with regard to file transfer. Consider placing FTP servers behind secure Web gateways to monitor FTP traffic for the upload and download of malicious applications."