This is a short post to warn about the dangers of saved passwords in popular FTP clients. Saved passwords in most open source software are a threat: no encryption technique will protect this sensitive type of data, because the source is released to the public and reversing the encryption methodology is unproblematic.
The Gumblar botnet
What is known as Gumblar, or Troj/JSRedir-R, is a malicious threat that comes from PDF documents. Gumblar redirects visitors to a variety of websites containing other malware. The process of infection is undetectable, since the infected PDF is opened by the Adobe Acrobat plugin in the browser or by Adobe Acrobat itself, which then allows Gumblar to look for the saved password files stored by FTP clients such as FileZilla or Dreamweaver, which are in plain text (either in XML format or other files).
Gumblar also sniffs network traffic for FTP passwords. (Further Gumblar information is not described in this post.)
The location of the password files varies depending on the operating system. On Windows, for example, they are stored in the directory:
A sample screenshot of one of the files containing unprotected passwords can be found below:
WinSCP: is it a good replacement?
When thinking about a solution for this problem, there is no straightforward method. Furthermore, using another FTP client is not the answer! WinSCP stores the saved passwords as registry keys; however, they are in plain text as well.
There is no fail-safe method of protecting this type of data; however, following the steps below can help reduce the severity of this threat:
1. Never store your FTP information in any FTP client.
2. An alternative solution for storing FTP passwords can be found here (http://sww.co.nz/an-alternative-to-storing-passwords-in-filezilla-or-other-ftp-clients/). However, use this solution at your own responsibility. I have not tested this solution.
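One way to check step 1 on a workstation, as an added example that is not part of the original post: a Python audit that lists which saved sites in an FTP client's XML file still carry a stored password, without ever printing the password itself. The XML layout (`Server`, `Host`, `User`, `Pass`) is modelled on FileZilla's saved-sites file and is an assumption, as are the constructed sample entries.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the XML layout FileZilla uses for saved
# sites (element names are an assumption; hosts and secrets are made up).
SAMPLE_XML = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host><Port>21</Port>
      <User>webmaster</User><Pass>constructed-secret</Pass>
    </Server>
    <Server>
      <Host>files.example.org</Host><Port>21</Port>
      <User>deploy</User><Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass>
    </Server>
    <Server>
      <Host>intranet.example.net</Host><Port>21</Port>
      <User>alice</User>
    </Server>
  </Servers>
</FileZilla3>
"""

def audit_saved_sites(xml_text):
    """Return one finding per saved site that carries a stored password.

    The password value is never returned or printed; only the host, the
    user and how the value is stored, so the report is safe to share.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for server in root.iter("Server"):
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            continue  # nothing saved for this site
        encoding = pw.get("encoding")
        findings.append({
            "host": server.findtext("Host", default="?"),
            "user": server.findtext("User", default="?"),
            # An encoding such as base64 is not encryption: treat as exposed.
            "storage": f"encoded ({encoding})" if encoding else "plaintext",
        })
    return findings

if __name__ == "__main__":
    for f in audit_saved_sites(SAMPLE_XML):
        print(f"{f['user']}@{f['host']}: password saved as {f['storage']}")
```

Any site the audit reports should have its saved password removed from the client and the FTP password changed on the server.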
This post is in no way a recommendation against using FileZilla or any other FTP client; it is written to warn about the dangers of using stored FTP credentials.