#####################################
############# WormZilla #############
################ by R3s1stanc3 ######
#####################################
index:
1. introduction
2. extracting the server information
3. conclusion
1. introduction
FileZilla is a very widespread FTP client that runs on Windows,
Linux and Mac. But there is one big problem with FileZilla:
it stores the passwords in plaintext, because the developers
say it's the OS's job to secure and encrypt these files. Well,
the user's problem is the VXer's advantage. One is able to read
these files, extract the server information and write an FTP
worm.
2. extracting the server information
The files I was talking about are "sitemanager.xml" and
"recentservers.xml". They can be found in ~/.filezilla (Linux)
or %appdata%/FileZilla (Windows). The structure is in general
somewhat like this:
    <Server>
        <Host>127.0.0.1</Host>
        <Port>21</Port>
        [...]
        <User>username</User>
        <Pass>123456</Pass>
        [...]
    </Server>
So as you can see, we need to split on the <Server> tags first, so
that if there is more than one server we have every block on its
own. After that we just need to extract the host, port, user
and password (I did this using the split function again).
After getting all the information we need, I start uploading an
HTML file and the worm to the FTP server.
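The same two files can be parsed from the defender's side to find out which saved sites still have a recoverable password. The following audit script is an added example, not code from the original article or from FileZilla; it uses the element names shown above, and its handling of the `encoding` attribute (base64 counts as exposed, any other encoding counts as protected) reflects later FileZilla releases rather than the 2013 format the text describes. The sample XML is constructed.

```python
"""Audit FileZilla's sitemanager.xml / recentservers.xml for exposed passwords.

Added example (not from the original article). It walks the same <Server>
blocks the text describes and reports every entry whose <Pass> value can be
read back without a key, so an administrator can find and rotate those
credentials. The password values themselves are never returned or printed.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the structure shown in the article; hosts, users
# and passwords are made up for this example.
SAMPLE_SITEMANAGER = """<?xml version="1.0"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>127.0.0.1</Host><Port>21</Port><User>username</User>
      <Pass>123456</Pass>
    </Server>
    <Server>
      <Host>ftp.example.net</Host><Port>2121</Port><User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
    <Server>
      <Host>anon.example.org</Host><Port>21</Port><User>anonymous</User>
    </Server>
  </Servers>
</FileZilla3>
"""

def audit_filezilla_xml(xml_text):
    """Return one finding per <Server> whose password is recoverable.

    A bare <Pass> and encoding="base64" both count as exposed, since base64
    is an encoding, not encryption. Any other encoding attribute is assumed
    to be a master-password scheme and is treated as protected.
    """
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None or not (pass_el.text or "").strip():
            continue  # entry has no stored password
        enc = pass_el.attrib.get("encoding", "")
        if enc not in ("", "base64"):
            continue  # encrypted under a master password: not readable as-is
        findings.append({"host": server.findtext("Host", ""),
                         "port": server.findtext("Port", ""),
                         "user": server.findtext("User", ""),
                         "exposure": "plaintext" if enc == "" else "base64"})
    return findings
```

Run it against the real file path for your platform (~/.filezilla or %appdata%/FileZilla) to get a list of sites whose stored credentials should be moved under a master password or removed.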
3. conclusion
I still can't believe that there are still developers storing
passwords in plaintext. But it's nice for worms to play with
these files and try new ways of spreading. If you don't want
worms like mine to spread over your PC, I would recommend
kryptzilla[0] by Perforin to you. It encrypts the two XML files and
decrypts them before starting FileZilla (only for Linux).
One could even try using some google dorks to find the XML
files online and spread on even more servers.
Links:
[0] kryptzilla http://adamas.ai/cgi-bin/index.cgi?page=permlink&id=62
by R3s1stanc3
Jun 2013 (code: Dec 2012)