Monday, August 10, 2009

"Virus" steals FTP passwords and inserts iframe-s

This is maybe the malware ("virus") called "Gumbler" or "Nine-Ball"... So, recently the Web sites of two clients started to spread "virus" with iframe-s inserted into the index.html-s. The iframes were inserted after the opening <body> tag, and pointed to places that tried to infect the visitors, something like: <iframe src="" width=125 height=125 style="visibility: hidden"></iframe>

Looking into the FTP logs on the server I could see something logs in with some IP I don't recognize (different IP-s for each operation), and updates the existing index.html-s (actually, all files whose name contains one of the words: default, index, home) both in the top-level directory and the subdirectories of the site. So obviously, some FTP credentials (user name + password) were stolen here.

Later I found the infected computer. NOD was running on it and was up-to-date, the Windows (XP SP3) firewall was on, the Google search results weren't tampered with, etc... the malware worked silently, and according the FTP logs of the first tampering with the index.html-s it was already there for at least 10 days! How did I spot the infected computer then? Simply, I ran TCPView (free) and see that the computer sometimes connects to whatever external IP-s using SMTP protocol (via the services.exe process, but don't blame poor services.exe for that, it's an innocent process normally). That is, most certainly, it spread email spam. BTW, I also found some other odd things... like the installation of the following software has failed with some internal error (like if the installer is wrong): Malware Bites, Adoble Reader 9.1 (Hungarian), and the automatic update to Adoble Reader 8.1.3. I guess the problem of the Malware with the last two was that they fix some juicy vulnerability. But, I installed Spybot Search & Destroy without problem, which found nothing on the infected computer. Maybe that's why the malware didn't mind if I install it...

As it turned out, the malware steals FTP passwords with network sniffing a.k.a. promiscuous mode (at least among other ways, because I heard it can also read the stored passwords of well-know FTP clients). This means, it even steals the FTP user names and passwords that were used from a clean computer, if that computer was in the same Ethernet collision domain as the infected computer, and the password was actually used (i.e. the user has logged in to an FTP account) when the infected computer was on (and hence eavesdropping). In general, if you have some Ethernet hubs as opposed to Ethernet switches in your LAN, then depending on the exact network topology, possibly not only the infected computer is affected. Needless to say, the infected computer itself is always in its own collision domain, so even if you don't store the passwords in your FTP client (and you shouldn't), the malware still steals the password when you log in. The infected computer sends the stolen FTP credentials (and who knows what else it captured) to its masters, so the computer that will update the index.html-s via FTP (maybe hours, maybe days later) will be some random computer from around the world.

Anyway, for now I have put the infected PC out of order, then changed the potentially stolen FTP passwords. Next week it will be formatted + re-installed as far as I'm concerned. Yeah, I wouldn't try cleaning... it's never reliable, you never know if something remain undetected. Infected computers may start downloading additional malware applications after the initial infection, also malware has no official releases plus they often mutate so... you just never know what do you exactly have.

Also, I have double-checked if the spammer PC was indeed the FTP password stealer with a simple trap: On a public Web server I created two FTP accounts with index.html-s in it, each with different root directories and username/password. I turned all computers off in the LAN, except the infected one, plus one that I knew wasn't infected (this could be your laptop). From the clean computer I FTP-ed a bit on the first FTP account, then waited a 10 minutes so that the infected computer has time to send the username and password to his masters. Then I turned all computers on, but turned the infected one off. I FTP-ed again from the surely clean computer, this time using the second account. A few hours later the index.html in the first account was infected, and the index.html in the second account is not infected so far... So the spammer PC was indeed an FTP password sniffer, and certainly it was the only FTP password sniffer in the Ethernet collision domain.

p.s. 1: Regarding C:\Windows\System32\sqlsodbc.chm... at least certain versions of Gumbler change it, as it stores the collected credentials in it. In this infected computer it was original, according to its SHA1 (calculated with FileAlyer) plus the table here (the Hungarian sqlsodbc.chm is missing from that table, it's: SHA1 1ED7D12DEEB09C70D164E247317391FAC23BC1FA, CRC-32 808EE644). But, it was the Israeli version of sqlsodbc.chm. It had to be Hungarian, maybe English. Maybe the user has installed something benign earlier that replaced it with the Israeli version... but maybe (just a wild idea) the operators of the bot network realized that everyone checks if sqlsodbc.chm is original, so they changed the way things work and tried to replace the already changed sqlsodbc.chm with an original, but they didn't have the Hungarian one... again, this last was just a wild guess.

p.s. 2: That your computer is plugged into a switch (as opposed to into a hub) doesn't mean that a hub somewhere higher in the LAN hierarchy doesn't spoil your privacy. Like in this case, the computers of the company X were on a switch, but the switch was eventually connected to the ancient huge hub of the building, which in turn was connected to the Internet gateway. Now some computers of company Y was directly plugged into that hub (even if they didn't know that... they just plug the cable into the wall socket), so the Internet traffic of the innocent company X could be "heard" by the infected company Y computer (but not by the computers of company X). So was the FTP password of company X stolen, although all their computers were clean, and they used a switch.

p.s. 3: I don't know about stealing of POP3/IMAP (i.e., email) credentials, although it would be technically as easy as stealing the FTP credentials. Due to the "forgot my password" (so send me a new one) feature of many Web services, access to the mail accounts of (important) people can be even more useful than ever. Now of course this malware is nothing personal, it just spreads as it can, so this most certainly won't be utilized. But then, one can never be careful enough... If I were the zombie master here, I would collect the email credentials too, after all, maybe I will find something interesting later, so why not. Means, you better change your mail account passwords too, not only the FTP passwords. And whatever passwords to well-known services...

p.s. 4: I can't emphasize enough how pathetic some of the authentication methods are... sending the passwords through the network without any encryption? What were they thinking??? The moral: Do not use plain FTP. Use SFTP or SCP.

p.s. 5: They regularly (about every second day) log in and update the infected HTML-s in the trap FTP account since then. The update consists of changing the src attribute of the iframe. This is needed because the malware spreading sites (where the src points to) don't work for very long as they are quickly identified and closed.


  1. hi Daniel, we are experiencing something very similar. Can you please elaborate on how you detect the infected PC. Thanks!

  2. It's explained in the post, so... exactly where do you stuck?

  3. Thank you for your writeup. I had this infection happen and knowing that it was from an FTP sniffer, as opposed to something potentially worse, helps me in fixing the problem.

  4. Thanks for the post. You have gone deep to discover the way it works. Good job!