Password stealing trojan with dash of FTP and a hint of parasite
Tuesday April 29, 2008 at 6:14 am CST
Posted by Romain Levy
Clear protocols such as FTP or SMTP are unsafe. Anyone on the subnet can easily collect login usernames and passwords just by sniffing the network traffic. Even switched networks can be easily attacked to redirect traffic and gather credentials as simply as on a HUB based network. However, FTP is still widely used and often the only protocol provided by hosting providers and it’s for this reason we weren’t so surprised to come across PWS-FerTP – a piece of malware that takes advantage of this situation, collecting FTP credentials and infecting FTP repositories.
To slow down analysis, PWS-FerTP includes some (very simple) anti-debugging tricks and VMWare detection functionality shown below. Not very stealthy though, utilizing some well known VMWare internal mechanisms used mainly by VMware tools to communicate with the host system.
PWS-FerTP bypasses the Windows Firewall (by modifying the registry) and starts to look for three widely used client applications providing FTP support (FAR Manager, CuteFTP and Total Commander). Indeed, these applications unfortunately use weak encryption to save FTP passwords, while other details such as logins and IP addresses are stored in the clear.
In an attempt to gather more FTP credentials, PWS-FerTP switches the first network adapter found on the system to promiscuous mode via the ioctlsocket API call, allowing for a disabling of MAC filtering and thus sniffing all FTP account details passing by the current subnet.
PWS-FerTP sends all gathered credentials within specially crafted HTTP requests to a remote web server.
But PWS-FerTP is more than a password stealer – a quick string search reveals some interesting blocks of obfuscated Javascript as well:
Once decoded, the aim of this script becomes much clearer, redirecting user’s browser via an IFRAME HTML tag pointing to a malicious website.
In fact, PWS-FerTP connects to each previously gathered FTP account and looks for files whose names belong to this list:
- index.htm
- main.htm
- default.htm
- index.php
- main.php
- default.php
When such a file is found, PWS-FerTP retrieves it locally, injects the Javascript code shown above, and put the file back to the FTP repository.
Another good reason to follow well-known best practices: avoid using clear-text protocols and use applications providing strong encryption, like keepass, to store your credentials.