Unusual file-infecting malware steals FTP credentials, researchers say

About 70 percent of computers infected with this threat are in the US, according to antivirus firm Trend Micro

A new version of a file-infecting malware program that's being distributed through drive-by download attacks is also capable of stealing FTP (File Transfer Protocol) credentials, according to security researchers from antivirus firm Trend Micro.

The newly discovered variant is part of the PE_EXPIRO family of file infectors that was identified in 2010, the Trend Micro researchers said Monday in a blog post. However, this version's information theft routine is unusual for this type of malware.

The new threat is distributed by luring users to malicious websites that host Java and PDF exploits as part of an exploit toolkit. If visitors' browser plug-ins are not up to date, the malware will be installed on their computers.

The Java exploits are for the CVE-2012-1723 and CVE-2013-1493 remote code execution vulnerabilities that were patched by Oracle in June 2012 and March 2013 respectively.

Based on information shared by Trend Micro via email, a spike in infections with this new EXPIRO variant was recorded on July 11. "About 70 percent of total infections are within the United States," the researchers said in the blog post.

Once the new EXPIRO variant runs on a system, it searches for .EXE files on all local, removable and networked drives, and adds its malicious code to them. In addition, it collects information about the system and its users, including Windows log-in credentials, and steals FTP credentials from a popular open-source FTP client called FileZilla.

The stolen information is stored in a file with a .DLL extension and is uploaded to the malware's command and control servers.

"The combination of threats used is highly unusual and suggests that this attack was not an off-the-shelf attack that used readily available cybercrime tools," the Trend Micro researchers said.

The theft of FTP credentials suggests that the attackers are either trying to compromise websites or are trying to steal information from organizations that is stored on FTP servers. However, it doesn't appear that this threat is targeting any industry in particular, the Trend Micro researchers said via email.

Join the PC World newsletter!

Error: Please check your email address.

Tags trend microsecurityExploits / vulnerabilitiesmalwareOracle

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Deals on PC World

Deals on PC World


Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.


Latest Jobs


Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?