FTP –New Favorite of Hackers

According to researchers at F-Secure, a surge of new exploits have been found that employ File Transfer Protocol (FTP) instead of a malicious e-mail attachment, or a malware-loaded URL, to install their payloads.

According to the security company, the con artists are now making use of the FTP technology of the 70s to deliver bot malware, or as a malicious backdoor onto systems of some organizations that care little to keep their FTP servers locked. FTP today is often an unknown or forgotten hole in an enterprise's security software, with many organizations not caring to keep a watch on it. And bot-herders use it as another means to move malware.

In the first week of March 2008, F-Secure's research team discovered spam messages that were distributing malicious greeting cards of Hallmark with the intention to recruit bots. These e-mails, which provide links to the cards, instead led the potential victims to land on a bot-infected computer serving an FTP Website. The site would then download a code that is a Zapchast mIRC-bot variant, rather than the greeting. According to F-Secure, this way, the user's system is turned into a bot.

Chief Research Officer, Mikko Hypponen, at F-Secure, said that since Hyper Text Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) far better filters malware, a virus creator could find FTP as his optimum transport protocol. Hypponen said that the phenomenon is just being observed with the possibility that it would become widespread. Darkreading published this on March 11, 2008.

According to security experts, FTP is far more widely accepted than people know. A large number of people continue to exchange FTP content because of the simplicity involved. And the bad guys find a low possibility of FTP being blocked compared to an IM (Instant Messaging).

For example, nasty people can be on Port 80 and transmit FTP via that port, while no firewall would block it. A few of the Internet gateways monitor for FTP traffic. But a lot of organizations simply neglect to scan for such traffic. This is because they either don't regard it as a danger or don't realize its presence when being used.

Related article: FTP Worms And Viruses Maintain Their Attack

» SPAMfighter News - 3/21/2008