I recently came across a rogue security software (aka “Fake AV”) variant Troj/FakeAv-AAL which, in addition to the scareware component, downloads and runs a packet sniffer Troj/Sniffer-R. After peeling away the encryption layers, the credential-sniffing logic is quite simple. The trojan initially sets up a socket to receive all incoming and outgoing packets and sits in a loop, waiting for packets with a source or destination port of 21 — the FTP control port number. It captures the host name, user name and password for any outgoing FTP connections, and checks the user and password combo are valid by parsing incoming FTP traffic for the ‘login success’ status code. Only the credentials which result in a login success are subsequently reported to a remote server — which currently maps to a known malicious domain associated with rogue security software.
The pushers of Fake AV are constantly on the run, and stolen FTP credentials are just one of the tactics used by this wily group of miscreants. The authors are registering new domains and shifting existing domains to new IP ranges on a daily basis — frequently changing the location where their scareware is hosted thereby avoid network blacklists for a short time. They are also stuffing their web pages with bogus keywords on hot topics (see Fake AV and Swine Flu) — driving search-engine users unwittingly to their malicious sites.
As highlighted by the malicious advertisements streamed via the NYTimes, there is much to be gained from the exposure on legitimate sites. First off, the malware author achieves both the new hosting location and search engine traffic by leeching off the existing reputation and user-base of the legitimate site. Secondly, not only is the entire user-base of the website exposed to any embedded malicious links, the users are likely less skeptical while browsing a site they already trust and perhaps more vulnerable to fall victim to the phony scareware warnings.
As suspected with the recent Gumblar SQL injection attacks, stolen FTP credentials can lead to widespread compromise on legitimate sites. Let this be a reminder to all website administrators out there; be a good network citizen — make sure your server and any machine you use to administer your server is secure and up-to-date.