
FTP Malware

Malware that can steal credentials from FTP clients is among the more dangerous kinds. The motivation is to gain access to all files on a web server, since those are usually uploaded by FTP. Once the attacker gains access, they can alter existing dynamic content (PHP, ASP etc.) to include harmful code. In doing this, they can compromise visitors' computers via a trustworthy website.

There are many FTP clients, offering a variety of features. One of them is the ability to save the login credentials of visited servers. Most of these applications store the credentials locally, and often unencrypted, which makes them an especially enticing target for attackers.

How does the malware work?

The victim opens an infected email or website. As shown above, you can get infected even on a trustworthy-looking website. That is why you should be using an up-to-date operating system, web browser and antivirus.

After infecting the client's computer, the malware looks for credentials saved in FTP software such as FileZilla, WS_FTP, CuteFTP etc. Then it sends those credentials to a central server, run by the attacker, for later use. The credentials are probably shared with third parties.

The central server automatically checks whether any of the stolen FTP accounts belong to a public-facing website. If they do, it tries to upload a file called "70f70c620045f63c38a2dc3705b7bb80.html", "ftpchk3.php", "ftpchk3.txt" or similar. It reports back if successful and afterwards checks whether the file is accessible from the Internet. Finally, it deletes the temporary file to cover its tracks.
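A defender-side check built from the probe behaviour described above, written for this article rather than taken from the original page: it scans FTP transfer log lines for uploads of the probe filenames named here and for any upload that is deleted again shortly afterwards from the same client. The log line format, the sample entries and the five-minute cleanup window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Probe filenames the article lists: ftpchk3.php / ftpchk3.txt, or a 32-hex-char .html name.
PROBE_NAME = re.compile(r"^(ftpchk3\.(php|txt)|[0-9a-f]{32}\.html)$", re.IGNORECASE)

# Constructed log format (assumption, not a real FTP daemon's format):
# "<ISO timestamp> <client ip> <user> <STOR|DELE> <path>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (STOR|DELE) (\S+)$")

# Constructed sample lines: a probe upload with cleanup, a normal upload,
# a hex-named probe, and an unrelated upload-then-delete of a benign name.
SAMPLE_LOG = """\
2024-03-04T12:00:01 203.0.113.5 webuser STOR /htdocs/ftpchk3.php
2024-03-04T12:00:04 203.0.113.5 webuser DELE /htdocs/ftpchk3.php
2024-03-04T12:10:00 198.51.100.7 webuser STOR /htdocs/index.php
2024-03-04T12:30:00 203.0.113.5 webuser STOR /htdocs/70f70c620045f63c38a2dc3705b7bb80.html
2024-03-04T13:00:00 203.0.113.9 webuser STOR /htdocs/report.txt
2024-03-04T13:00:20 203.0.113.9 webuser DELE /htdocs/report.txt
"""

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts, ip, user, action, path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user,
            "action": action, "path": path}

def find_probes(log_text, cleanup_window=timedelta(minutes=5)):
    """Return (reason, client_ip, path) alerts for known probe names and for
    uploads deleted again by the same client within cleanup_window."""
    alerts = []
    pending = {}  # (ip, path) -> upload time, waiting for a matching DELE
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        key = (ev["ip"], ev["path"])
        name = ev["path"].rsplit("/", 1)[-1]
        if ev["action"] == "STOR":
            if PROBE_NAME.match(name):
                alerts.append(("known_probe_name", ev["ip"], ev["path"]))
            pending[key] = ev["ts"]
        elif ev["action"] == "DELE" and key in pending:
            if ev["ts"] - pending.pop(key) <= cleanup_window:
                alerts.append(("upload_then_delete", ev["ip"], ev["path"]))
    return alerts
```

The name match catches the specific files mentioned in the article, while the upload-then-delete rule also flags probes using names not on that list, at the cost of some false positives that an analyst must review.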

How to defend yourself?

It is very difficult to defend yourself against this kind of attack. To minimize the risk, use an up-to-date antivirus and avoid suspicious websites and emails. Ideally, do not save your passwords unencrypted.