10 FTP Clients Malware Steals Credentials From

   23 Sep 09   Filed in Tips and Tricks

This year, most successful malware attacks against legitimate websites used stolen FTP credentials. I always suggest that you don’t store passwords in your FTP programs where they are easily accessible by any program running on your computer (including malware). For example, in FileZilla, FTP passwords are stored as plain text in configuration files. And FileZilla is not the only FTP client malware authors target in their hunt for website credentials.

In the recent post about the Quicksilver malware network, you can read that the trojan behind the infamous iframe injection attack “looks for all kinds of configuration files of ftp programs in their default install paths”. I contacted the researcher and asked if he had a full list of the FTP clients this malware looks for.

And here’s the list:

  1. CoffeeCup Direct FTP
  2. TransSoft FTP Control 4
  3. Core FTP
  4. GlobalScape CuteFTP
  5. Far Manager (with FTP plugin)
  6. FileZilla
  7. FlashFXP
  8. SmartFTP
  9. FTP Navigator
  10. Total Commander

The list looks trustworthy. The same FTP programs can be found in the screenshot of the trojan's code in Kaspersky’s article (in Russian) about the same attack.

So what if you are using one of these FTP clients?

Keep using it. Just don’t save your passwords there. Enter passwords every time you connect to remote servers. Or invest some time in reading your program’s documentation to find out what it can offer to security-minded webmasters. Some clients support public key authentication, some offer encrypted site managers, etc.

Just to be on the safe side, scan your computer for malware. Then scan your site for signs of break-ins (you might want to start with Unmask Parasites checks). If you have any suspicion, change all passwords ASAP.

And don’t think that if you are using some other FTP client you can safely store your passwords in it. There may be another trojan that specifically targets your favorite program.

Move to secure file transfer protocols.

BTW, in my previous post you could see a link to an article about another trojan that sniffs FTP traffic and steals credentials. If you use FTP, you can’t hide your passwords from this trojan – the FTP protocol doesn’t support any encryption.

The answer to this problem is secure protocols like SFTP or FTPS. Most FTP clients support these protocols, so you don’t need to find a new program. However, if you are on a shared server, make sure that your hosting plan includes at least one of these secure protocols.
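An added example, not from the original post: a small audit of a FileZilla-style site file that reports which saved sites keep a password on disk and which use a cleartext protocol, covering both the stored-password advice and the protocol advice above. The element names and protocol codes are assumptions about the FileZilla 3 XML layout, and the sample data is constructed; the audit never prints the password itself.

```python
import xml.etree.ElementTree as ET

# Assumed FileZilla 3 protocol codes; anything else is reported as "unknown".
PROTOCOLS = {"0": "FTP", "1": "SFTP", "3": "FTPS", "4": "FTPES"}
CLEARTEXT = {"FTP"}  # protocol 0 does not guarantee an encrypted login

# Constructed sample; hosts, users and passwords are placeholders.
SAMPLE = """<?xml version="1.0"?>
<FileZilla3><Servers>
  <Server><Host>ftp.example.com</Host><Port>21</Port><Protocol>0</Protocol>
    <User>webmaster</User><Pass>placeholder-password</Pass></Server>
  <Server><Host>sftp.example.org</Host><Port>22</Port><Protocol>1</Protocol>
    <User>deploy</User><Pass encoding="base64">cGxhY2Vob2xkZXI=</Pass></Server>
  <Server><Host>ftp.example.net</Host><Port>21</Port><Protocol>0</Protocol>
    <User>editor</User></Server>
  <Server><Host>sftp.example.net</Host><Port>22</Port><Protocol>1</Protocol>
    <User>backup</User></Server>
</Servers></FileZilla3>"""


def audit_sites(xml_text):
    """Return (host, protocol, issues) for every saved site with a problem."""
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        host = server.findtext("Host") or "?"
        proto = PROTOCOLS.get(server.findtext("Protocol", "0"), "unknown")
        issues = []
        saved = server.find("Pass")
        if saved is not None and (saved.text or "").strip():
            # base64 is an encoding, not encryption: any local program can undo it.
            kind = "base64-encoded" if saved.get("encoding") == "base64" else "plain-text"
            issues.append(f"{kind} password saved on disk")
        if proto in CLEARTEXT:
            issues.append("cleartext protocol, login can be sniffed")
        if issues:
            findings.append((host, proto, issues))
    return findings


if __name__ == "__main__":
    for host, proto, issues in audit_sites(SAMPLE):
        print(f"{host} [{proto}]: " + "; ".join(issues))
```

To check a real profile, pass the contents of your own exported site file to `audit_sites` instead of `SAMPLE`.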

Reader's Comments (20)

  1. |

    [...] 10 FTP Clients Malware Steals Credentials From Following this year's large-scale leaks of FTP account information (credentials), I [...] FTP [...]

  2. |

    [...] is a list of 10 FTP Clients, Malwares are betting upon to get your userid and [...]

  3. |

    [...] http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/ http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/ Comments (0) [...]

  4. |

    Very useful. I will include this in our customer support documentation.

    -Chad

  5. |

    Thank you!

    My hosting, HOSTGATOR, gave me this link. My website got infected several times. When I visited my site, my PC got infected. Imagine the users/public!

    These malicious people who create such malware should be in jail the rest of their life.

    Thanks for the info.

  6. |

    Besides FTP there are other options such as Accellion which uses SSL which provide more security for file transfer.

    Rajiv Doshi, Social Media Marketing Manager,

  7. |

    [...] and also this other one from unmaskparasites http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/ [...]

  8. |

    probably unintentionally, this article creates the impression that switching to secure ftp will help with this problem – it won’t!

    if your computer is compromised and sending your ftp credentials to “the bad guys”, using secure ftp is only locking the barn door after the horse is long gone.

    step 1 should be: kill the trojan! unless your computer is secured, it will send them off, no matter which protocol you use.

    step 2 should be: don’t store ftp credentials on your computer. see number 1!

    switching to secure ftp protocols is a good, but entirely different, subject.

    • |

      Probably unintentionally, this comment creates the impression that reading articles before commenting is not necessary ;-)

      step 1 should be: read the blog post
      step 2 should be: if you didn’t read the post, see #1.

      The post says, that webmasters should remove malware from their computer and then change passwords and keep them secure.

      Secure protocols were mentioned as a best practice since there are (other) trojans that sniff FTP traffic.

      Anyway, your comment is absolutely correct. Thanks.

    • |

      Thank you Tom……..This is what I thought, but too many posts lead you to believe that simply switching to secure ftp solves the problem.

  9. |

    [...] that someone had my connection data. I keep investigating, and the problem lies in the fact that the account profiles or credentials of FTP clients are perfectly "stealable". That is, there are trojans that install themselves on your PC and send all this information from [...]

  10. |

    I’m using WinSCP, it encrypts stored sessions by using a master password. Much more secure than Filezilla.

  11. |

    [...] Thanks to the friendly Twitter users who advised me on Twitter; in the end I reinstalled my OS, ran a full scan, changed my FTP password, and now I no longer keep my usernames/passwords saved in my FTP client. Indeed, they are readable as plain text in an XML file; I didn't know that, but the malware did! On this subject, read this very interesting article. [...]

  12. |

    Total Commander 7.50 uses Master password to encode its FTP passwords.

  13. |

    We had 22 websites hacked a couple days ago… Some of them were not backed up. Thank you SmartFTP, and goodbye (your queuing system sucks anyway). Thanks to Text Workbench we managed to delete the injected js in all html, php and js files; and re-uploaded using filezilla. Unfortunately it crashed a couple times – does not like huge amounts of data – so I ended here. I’m trying WS FTP from ipswitch, apparently they have a secure encryption built in. Without support it’s not that expensive (just a tad more than smartftp).

  14. |

    Wow, good to know! When transferring confidential data, you really should be using a managed file transfer software instead of P2P or FTP. Thanks!

  15. |

    You may add SPEEDCOMMANDER to the list.
    I used that soft for FTP and store some passwords in it – exactly these sites got hacked two days ago….
    The Trojan stealing the info from my PC was Agent.biiu, which seems to have a good system to hide against Avira….

  16. |

    [...] I pointed them to my post, where I had described how the malware stole the passwords and all the login details stored in the 10 most popular FTP clients (e.g. Filezilla, CuteFTP, [...]

  17. |

    [...] Your FTP password is not safe sitting around in FileZilla or any number of other FTP programs. In FileZilla, for example, passwords are stored as plain text. This makes them accessible by any malware that is running on your computer. You could try a secure FTP program like WinSCP. [...]