FTP Saved Passwords threat

FileZilla : http://filezilla-project.org

Introduction

This is a short post to warn about the dangers of saved passwords in popular FTP clients. Saved passwords are a threat in most open source software: because the source is released to the public, any encryption applied to this sensitive data can be reversed simply by reading the code, so it offers no real protection.

The Gumblar botnet

What is known as Gumblar or Troj/JSRedir-R is a malicious threat delivered through PDF documents. Gumblar redirects visitors to a variety of websites containing other malware. The infection goes unnoticed: the infected PDF is opened by the Adobe Acrobat plugin in the browser or by Adobe Acrobat itself, which then allows Gumblar to look for the saved password files stored by FTP clients such as FileZilla or Dreamweaver, which are in plain text (either in XML format or in other files).

It then connects to the FTP servers and modifies every HTML, JavaScript, XML, CSS file online by appending a JavaScript redirection to a malicious website in order to infect further victims.

Gumblar also sniffs network traffic for FTP passwords. (Further Gumblar details are not covered in this post.)

FileZilla case

The location of the password files varies depending on the operating system. On Windows, for example, they are stored in the directory:

%APPDATA%/FileZilla

A sample screenshot of one of the files containing unprotected passwords can be found below:

[Screenshot: sitemanager.xml from the FileZilla profile directory, showing saved passwords in plain text]
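As an added example (not part of the original post, and not FileZilla's own code), the script below audits a sitemanager.xml to report which site entries still carry a saved password, without ever printing the password itself. The element layout in the constructed sample is an assumption based on the file the screenshot refers to; real files differ between FileZilla versions (older releases keep the Pass element as plain text, newer ones base64-encode it, which is equally reversible), and the profile paths in default_sitemanager_path are assumed as well.

```python
import os
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample of a FileZilla sitemanager.xml (assumed layout).
# Entry 1 has a plain-text password, entry 2 has none saved (the client asks
# for it), entry 3 has a base64-"encoded" one, which is just as recoverable.
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.org</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>1</Logontype>
      <User>webmaster</User>
      <Pass>hunter2</Pass>
      <Name>Production site</Name>
    </Server>
    <Server>
      <Host>sftp.example.org</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Logontype>2</Logontype>
      <User>deploy</User>
      <Name>Staging (ask for password)</Name>
    </Server>
    <Server>
      <Host>ftp.example.net</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>1</Logontype>
      <User>editor</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>Blog</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def find_saved_credentials(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (site name, host, user) for every Server entry that carries a
    non-empty Pass element, i.e. a password any process that can read this
    file could recover. The password value is deliberately not returned."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None or not (pass_el.text or "").strip():
            continue  # nothing saved for this site
        name = (server.findtext("Name") or "").strip()
        host = (server.findtext("Host") or "").strip()
        user = (server.findtext("User") or "").strip()
        findings.append((name, host, user))
    return findings


def default_sitemanager_path() -> str:
    """Best-effort location of the real file (assumed paths): %APPDATA%\\FileZilla
    on Windows as the post states, a dotfile directory elsewhere."""
    appdata = os.environ.get("APPDATA")
    if appdata:
        return os.path.join(appdata, "FileZilla", "sitemanager.xml")
    return os.path.expanduser("~/.config/filezilla/sitemanager.xml")


if __name__ == "__main__":
    # Audit the constructed sample; point this at default_sitemanager_path()
    # to check your own profile.
    for name, host, user in find_saved_credentials(SAMPLE_SITEMANAGER):
        print(f"saved password present: {name!r} ({user}@{host})")
```

Running the audit over the sample reports two of the three entries; the staging entry, which makes the client prompt for its password, is the only one that would survive a process reading the file.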

WinSCP: is it a good replacement?

When thinking about a solution to this problem, there is no straightforward method. Furthermore, switching to another FTP client is not the answer: WinSCP stores saved passwords as registry keys, but in plain text as well.

Conclusion

If you were infected and Gumblar successfully connected to all your FTP servers and modified all your files (see the Gumblar botnet section above), you have to roll back all your HTML, JavaScript, XML and CSS files to a previous clean version. If you do not have a previous version, well… a search and replace (via regular expressions) becomes your only solution (I will not go into the details of how to do this, maybe in future posts).
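The regular-expression cleanup mentioned above, as an added example that is not part of the original post: the injection described earlier appends a JavaScript redirection to files that were already complete, so for HTML pages anything that appears after the closing html tag is a usable anchor. The script flags such trailing script blocks and can strip them. The anchoring heuristic is my own and not the real Gumblar signature, the sample site contents are constructed, and attacker.invalid is a reserved placeholder host, not an indicator from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Heuristic (an assumption for this example): a legitimate page has nothing
# after </html>, so one or more <script> blocks appended there are treated as
# injected. The body group keeps everything up to the last </html>.
TRAILING_SCRIPT = re.compile(
    r"(?P<body>.*</html>)(?P<injected>\s*(?:<script\b[^>]*>.*?</script>\s*)+)\Z",
    re.IGNORECASE | re.DOTALL,
)


def find_injected_script(html: str) -> Optional[str]:
    """Return the script block(s) appended after </html>, or None if clean."""
    m = TRAILING_SCRIPT.match(html)
    return m.group("injected").strip() if m else None


def strip_injected_script(html: str) -> str:
    """Return the page with any trailing appended script removed.
    A clean page is returned unchanged."""
    m = TRAILING_SCRIPT.match(html)
    if not m:
        return html
    return m.group("body") + "\n"


def scan_site(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Report (path, injected snippet) for every HTML file that matches.
    Only HTML is checked: JS and CSS have no closing tag to anchor on, so
    those are better compared against a clean backup or repository copy."""
    findings = []
    for path, content in files.items():
        if not path.lower().endswith((".html", ".htm")):
            continue
        injected = find_injected_script(content)
        if injected:
            findings.append((path, injected))
    return findings


# Constructed sample web root: one clean page, one page with a redirect
# appended after </html>, and a stylesheet the HTML check skips.
SAMPLE_SITE = {
    "index.html": "<html><head><title>Home</title></head>"
                  "<body><p>Hi</p></body></html>\n",
    "about.html": "<html><head><title>About</title></head><body><p>Us</p>"
                  "<script src=\"/js/app.js\"></script></body></html>\n"
                  "<script src=\"http://attacker.invalid/redirect.js\"></script>\n",
    "style.css": "body { color: #333 }\n",
}

if __name__ == "__main__":
    for path, snippet in scan_site(SAMPLE_SITE):
        print(f"{path}: appended script found -> {snippet}")
        # Work on a copy and diff before overwriting anything in place.
        cleaned = strip_injected_script(SAMPLE_SITE[path])
        print(f"{path}: {len(SAMPLE_SITE[path]) - len(cleaned)} bytes removed")
```

Note that the page's own script tag inside the body of about.html is left alone, because it sits before the closing tag; only the appended block is reported and removed. Restoring from a known-clean copy remains the better option where one exists, and the stripped output should be diffed against the original before it is uploaded.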

There is no fail-safe method of protecting this type of data, however following the steps below can help reduce the severity of this threat:

1. Never store your FTP information in any FTP client.

2. An alternative solution for storing FTP passwords can be found here (http://sww.co.nz/an-alternative-to-storing-passwords-in-filezilla-or-other-ftp-clients/). However, use this solution at your own risk. I have not tested this solution.

This post is in no way a recommendation against using FileZilla or any other FTP client, it is written to warn about the dangers of using stored FTP credentials.

3 thoughts on “FTP Saved Passwords threat”

  1. Also this has really nothing to do with open source.
    Yes, open source will make it easier for the first person to see how the password is saved when he creates his tool, but even if it is not open source, some programmer in god knows where will crack the storage mechanism anyway and provide a tool for everyone else to use as easily.

    Case in point: a five-minute search is enough to get you programs that will retrieve passwords from MSN, Google Talk, CuteFTP and tons of other non-open-source software.

    I guess the moral of the story is: if you save your password in any client to be used automatically, rogue software running on your machine will get access to it, open source or not.

    1. Well said. In fact the FileZilla team claim this is not a bug, it's a design fault. Not in the design process of FileZilla, but in the fact that it is OS dependent and a breach in one platform leads to a breach in most if not all running applications.
