Unusual file-infecting malware steals FTP credentials, researchers say

A new version of a file-infecting malware program that’s being distributed through drive-by download attacks is also capable of stealing FTP (File Transfer Protocol) credentials, according to security researchers from antivirus firm Trend Micro.

The newly discovered variant is part of the PE_EXPIRO family of file infectors that was identified in 2010, the Trend Micro researchers said Monday in a blog post. However, this version’s information theft routine is unusual for this type of malware.

[ Security expert Roger A. Grimes offers a guided tour of the latest threats and explains what you can do to stop them in InfoWorld’s “Fight Today’s Malware” Shop Talk video and Malware Deep Dive Report. | Learn how to secure your systems with InfoWorld’s Security Central newsletter. ]

The new threat is distributed by luring users to malicious websites that host Java and PDF exploits as part of an exploit toolkit. If visitors’ browser plug-ins are not up to date, the malware will be installed on their computers.

The Java exploits are for the CVE-2012-1723 and CVE-2013-1493 remote code execution vulnerabilities that were patched by Oracle in June 2012 and March 2013 respectively.

Based on information shared by Trend Micro via email, a spike in infections with this new EXPIRO variant was recorded on July 11. “About 70 percent of total infections are within the United States,” the researchers said in the blog post.

Once the new EXPIRO variant runs on a system, it searches for .EXE files on all local, removable and networked drives, and adds its malicious code to them. In addition, it collects information about the system and its users, including Windows log-in credentials, and steals FTP credentials from a popular open-source FTP client called FileZilla.

The stolen information is stored in a file with a .DLL extension and is uploaded to the malware’s command and control servers.

“The combination of threats used is highly unusual and suggests that this attack was not an off-the-shelf attack that used readily available cybercrime tools,” the Trend Micro researchers said.

The theft of FTP credentials suggests that the attackers are either trying to compromise websites or are trying to steal information from organizations that is stored on FTP servers. However, it doesn’t appear that this threat is targeting any industry in particular, the Trend Micro researchers said via email.