Slashdot Mirror


FileZilla Has an Evil Twin That Steals FTP Logins

Nerval's Lobster writes "On the same day the world discovered Western intelligence agencies were siphoning user information from Angry Birds and other popular smartphone apps, a leading antivirus developer revealed hackers are doing the same thing with one of the most popular open-source applications on the Internet. Maliciously modified versions of the popular FTP application FileZilla look and act just like the real thing, but include extra code that steals the login data typed in by users and sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it's doing, according to an alert posted this afternoon by antivirus developer Avast Software. The malicious version is fully functional, uses the same graphical interface and component file names as the original, and masks itself further by avoiding any suspicious entries in the system registry, overt attempts to communicate with outside servers or other changes, according to the Jan. 27 alert from Avast. The most obvious differences are that the poisoned version of filezilla.exe is 6.8MB smaller than the real thing and there are two DLL libraries included in the fake that are not present in the original. They are labeled ibgcc_s_dw2-1.dll and libstdc++-6.dll, according to Avast. The official version's Nullsoft installer is v2.45-Unicode; the evil twin uses v2.46.3-Unicode. Automatic updates also fail on the poisoned version 'which is most likely a protection to prevent overwriting of the malware binaries,' Avast added."

197 comments

  1. Also Ran by Anonymous Coward · · Score: 0

    ibgcc_s_dw2-1.dll appears in GIMP 2 and EaseUS Partition master, libstdc++-6.dll in GIMP 2.

    1. Re:Also Ran by Anonymous Coward · · Score: 5, Informative

      Mostly because these DLLs are present in projects compiled with MinGW.

    2. Re:Also Ran by Anonymous Coward · · Score: 0

      So what?

    3. Re:Also Ran by Anonymice · · Score: 2

      Doubtful, but no worries, Flash will save the day!

  2. Blame Source Forge... by Anonymous Coward · · Score: 1

    ...for their new installer

    1. Re:Blame Source Forge... by Anonymous Coward · · Score: 5, Informative

      it wouldn't surprise me if it were SourceForge's own "custom downloader" that's the one pushing the altered versions with login-stealing functionality... it's been pushing adware and other crap too and FileZilla especially has been hit by this. Here's a short selection of complaints from the FileZilla forums:

      https://forum.filezilla-project.org/viewtopic.php?f=2&t=30240
      (this one has screenshots documenting the EXE installer hijacking done by SourceForge)

      or this one: https://forum.filezilla-project.org/viewtopic.php?f=1&t=31127
      and more... https://forum.filezilla-project.org/search.php?keywords=sourceforge+adware

    2. Re:Blame Source Forge... by SFnetTeam · · Score: 4, Informative

      Hi Folks,

      SourceForge is aware of the malformed FileZilla FTP and is in no way associated with or responsible for this malicious program posing as FileZilla.

      The FileZilla installer on SourceForge is a stub that encapsulates the actual FileZilla installer to ensure the original FileZilla software is delivered. All offers that are presented when downloading FileZilla are optional and go through a rigorous verification and strict compliance process to make sure they are not malicious and virus free. No personally identifiable information is ever collected.

      Best regards,

      The SourceForge Community Team

    3. Re:Blame Source Forge... by Anonymous Coward · · Score: 3, Interesting

      Your SFInstaller is the most annoying thing ever, and I actively encourage open-source projects to leave SourceForge because of its existence, whether it is supposedly voluntary or not.

    4. Re:Blame Source Forge... by Anonymous Coward · · Score: 2, Interesting

      when the download from sourceforge can't be trusted
      is it so strange that people try to download the software from elsewhere?

      (When sf came to filezilla wanting them to join in on this stupidity, filezilla should have stood up, said "Hell no!!" and quickly moved the project elsewhere, and maybe maybe sf would have scrapped the idea altogether "ok this was perhaps not a good idea after all"... but it is too late now. the damage is done, sf is dead in my eyes)

    5. Re: Blame Source Forge... by Anonymous Coward · · Score: 1

      So sourceforge has gone rogue. It's a pity because in the past I trusted downloads from it but if you're selling out and pushing scumware then it's useless to me and I will no longer use projects hosted on it - hope the best ones find a new host soon.

    6. Re: Blame Source Forge... by Anonymous Coward · · Score: 0

      My god.. I know that project leads can be a bit touchy but that guy comes across as a complete asshole.

  3. Not the same thing by Anonymous Coward · · Score: 1

    The NSA listens to data that the original, unmodified games and apps send. The FileZilla "clone" is manipulated software. If you use the original, your data is not sent to some hacker and hackers have no way of intercepting your data (use of properly encrypted protocols presumed, so not FTP).

  4. What about GNU/Linux ? by Anonymous Coward · · Score: 1

    I am under the assumption that these DLLs (ibgcc_s_dw2-1.dll and libstdc++-6.dll) indicate that this version may have been compiled with MinGW. (I am not sure about this, please correct me if I'm wrong.) This would mean that it would be safe to assume that there could easily be a Linux version of that FileZilla Evil Twin out there...

    1. Re:What about GNU/Linux ? by gl4ss · · Score: 4, Interesting

      what I find funny is that the poisoned extra payload version is several megabytes smaller than the clean one!

      --
      world was created 5 seconds before this post as it is.
    2. Re: What about GNU/Linux ? by Anonymous Coward · · Score: 0

      Probably the poisoned one is compiled with size opt and dynamic link.

    3. Re:What about GNU/Linux ? by Anonymous Coward · · Score: 2, Informative

      filezilla.exe is smaller, but it also includes libgcc and libstdc++ - they're several megabytes and probably statically linked in the official version.

    4. Re:What about GNU/Linux ? by Remus+Shepherd · · Score: 2

      Sounds like they cut out the auto-update code. That would drop a few megabytes.

      --
      Genocide Man -- Life is funny. Death is funnier. Mass murder can be hilarious.
    5. Re:What about GNU/Linux ? by gl4ss · · Score: 1

      filezilla.exe is smaller, but it also includes libgcc and libstdc++ - they're several megabytes and probably statically linked in the official version.

      yeah that would probably explain it.

      (the only reason why I'd have doubts still is.. well, it's filezilla. it's a fucking godzilla. it works just enough to work, the ui is just good enough to work and .. well, that's why it killed off cuteftp maybe, but it's not great by any means)

      --
      world was created 5 seconds before this post as it is.
  5. Firewall by Dan+East · · Score: 5, Interesting

    I'm not fully understanding the "sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it's doing" part. It's posting the stolen credentials via http, not FTP. If FileZilla is only given access to the FTP port then it should block this behavior, correct? I'm just not understanding what's magical about this - any app that is already given blanket permission to access the network in a general way can send data to places it shouldn't go without being blocked by firewalls. They make it sound like there's something special or exotic it's doing to avoid the firewall and I'm not understanding exactly what that is.

    --
    Better known as 318230.
    1. Re:Firewall by Anonymous Coward · · Score: 2, Interesting

      More importantly, any app which legitimately needs access to an internet-enabled DNS resolver can exfiltrate data without permission to access the internet on its own. What you need in order to catch this kind of thing is an IDS, not a firewall.

    2. Re:Firewall by Anonymous Coward · · Score: 0

      I believe it's using FTP's ability to do server-to-server transfers, usually called FXP. This causes the user's server to connect to a remote server.

    3. Re:Firewall by mwvdlee · · Score: 1

      As long as an app can connect to a random IP, there is a way to send data.
      No need for any particular port access if you control the receiving server.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:Firewall by jones_supa · · Score: 2

      The summary claims that it's using "same FTP operation launched by the user" to send the credentials. FXP would require establishing another connection to the FTP server. Besides the FXP feature is turned off on most FTP servers anyway.

    5. Re:Firewall by Dan+East · · Score: 5, Insightful

      That would indeed be a bit more exotic, but from what I can tell it's just doing a simple http get to the Russian server with the encoded credentials. From the Avast report:
      https://blog.avast.com/wp-cont...

      The DNS lookup to the Russian server and the http get are there as plain as day.

      --
      Better known as 318230.
    6. Re:Firewall by Anonymous Coward · · Score: 0

      A few things, even though I believe it uses https to do the nasty. See other replies.

      1. I believe it is possible to set up an FTP server/client, or write one yourself, that would allow any incoming port connection to be accepted. You could even use the port numbers and multiple commands as a way of encoding the login. A bit of coding and you have a nice list of logins.
      2. Yes, most public FTP servers forbid FXP for guests. But many allow it for privileged users.

    7. Re:Firewall by mysidia · · Score: 4, Informative

      If FileZilla is only given access to the FTP port then it should block this behavior, correct?

      What "FTP" port? Every FTP transfer requires a control connection and a data connection --- the data connection is established based on a procedure that depends on transfer mode -- there is standard mode, or passive mode (for firewall traversal).

      In either case, the destination port number is not a specific FTP port, but a port number dynamically allocated by the server and presented to the client, or vice-versa

      In Passive mode, to establish the data connection, the FTP client must open a connection back to the server ON ANY PORT specified by the server, sourced from its ftp-data port.

      In Active mode, the client must select an ephemeral port from the 32768 to 65535 range, send it over the control connection, and accept a TCP connection from the server.
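      To make mysidia's answer to Dan East's "FTP port" question concrete, here is an added example (not code from either poster or from FileZilla): a small parser for the PASV and EPSV replies and the PORT command that carry the dynamically chosen data-connection endpoint. Walking a control-channel transcript with it shows why a rule of the form "allow this client to port 21 only" cannot describe what an FTP session actually does: every transfer adds a second connection to a port nobody knew in advance. The transcript, addresses and ports below are constructed for the illustration.

```python
import re

# Patterns for the RFC 959 PASV reply / PORT command and the RFC 2428 EPSV
# reply. The six numbers are four address bytes followed by the port as
# high byte and low byte (port = p1 * 256 + p2).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def _endpoint(fields):
    """Turn the six comma-separated numbers of PASV/PORT into (host, port).
    Each field is range-checked so a malformed or hostile reply cannot yield
    a nonsense endpoint."""
    nums = [int(x) for x in fields]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % (fields,))
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port


def parse_data_endpoint(line, control_peer=None):
    """Classify one control-channel line.

    Returns (kind, host, port) where kind is 'pasv' or 'epsv' (the client will
    connect out to the server) or 'port' (the server will connect in to the
    client), or None for lines that do not set up a data connection.
    control_peer is the server address already known from the control
    connection; an EPSV reply carries only a port, so the host comes from it.
    """
    line = line.strip()
    m = PASV_RE.match(line)
    if m:
        host, port = _endpoint(m.groups())
        return ("pasv", host, port)
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError("EPSV port out of range")
        return ("epsv", control_peer, port)
    m = PORT_RE.match(line)
    if m:
        host, port = _endpoint(m.groups())
        return ("port", host, port)
    return None


def data_connections(transcript, control_peer):
    """Walk a control-channel transcript and list every data connection it
    implies, as (direction, host, port, well_known) tuples. well_known marks
    ports below 1024, which a server may legitimately refuse in a PORT command."""
    out = []
    for line in transcript:
        parsed = parse_data_endpoint(line, control_peer)
        if parsed is None:
            continue
        kind, host, port = parsed
        direction = "client->server" if kind in ("pasv", "epsv") else "server->client"
        out.append((direction, host, port, port < 1024))
    return out


# Constructed transcript with made-up addresses: one passive listing, one
# active upload and one extended-passive download in a single session.
SAMPLE_TRANSCRIPT = [
    "220 ftp.example.invalid ready",
    "USER anonymous",
    "331 Password required",
    "PASS guest@",
    "230 Logged in",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,80).",
    "LIST",
    "PORT 10,0,0,5,200,13",
    "200 PORT command successful",
    "STOR report.txt",
    "EPSV",
    "229 Entering Extended Passive Mode (|||49152|)",
    "RETR notes.txt",
    "QUIT",
]

if __name__ == "__main__":
    for conn in data_connections(SAMPLE_TRANSCRIPT, "192.0.2.10"):
        print(conn)
```

      Run stand-alone it prints three data connections for one session: 192.0.2.10:50000 and 192.0.2.10:49152 opened outbound by the client, and an inbound one to 10.0.0.5:51213 opened by the server. A host firewall that wants to confine an FTP client therefore has to read the control channel (as FTP connection-tracking helpers do) rather than pin the client to a port.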

    8. Re:Firewall by fatphil · · Score: 4, Interesting

      Absolutely, side channels are everywhere if all you care about is small packets of data. You don't even need to "connect" to pass the data, as some things happen before the connection you'd think of filtering. Try resolving the domain name fatphil.hunter2.haxorsrus.ru., and when the DNS server for *.haxorsrus.ru. responds with a random address, you never need to connect to it on any port, the payload's been delivered already. You can't filter DNS without breaking way too much of the internet.

      --
      Also FatPhil on SoylentNews, id 863
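      Since fatphil's point is that the lookup itself carries the payload, the thing a defender can watch is the resolver's query log rather than the connection table. The following is an added example, not code from any poster: a small scorer over constructed DNS query-log lines that flags base domains receiving unusually long, high-entropy or numerous distinct subdomain labels, the pattern that encoded data in a name leaves behind. The log format, the thresholds and all domain names are made up for the illustration; real resolvers log differently, and the two-label "base domain" split is a simplification that mis-handles public suffixes such as co.uk.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed log format: "<timestamp> client=<ip> q=<qname> type=<qtype>".
LINE_RE = re.compile(r"client=(?P<client>\S+) q=(?P<qname>\S+) type=(?P<qtype>\S+)")


def shannon_entropy(s):
    """Bits of entropy per character; hex/base32-encoded data scores high,
    ordinary host names score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def analyze(log_lines, suffix_labels=2, max_label=24, max_qname=60,
            min_entropy=3.8, max_unique=5):
    """Group queries by base domain and return {base: [reasons]} for the
    bases that look like a covert channel. Thresholds are illustrative."""
    per_base = defaultdict(lambda: {"subs": set(), "reasons": set()})
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        labels = qname.split(".")
        if len(labels) <= suffix_labels:
            continue  # a bare base domain carries nothing in its labels
        base = ".".join(labels[-suffix_labels:])   # naive: no public-suffix list
        sub_labels = labels[:-suffix_labels]
        rec = per_base[base]
        rec["subs"].add(".".join(sub_labels))
        if max(len(l) for l in sub_labels) > max_label:
            rec["reasons"].add("long label")
        if len(qname) > max_qname:
            rec["reasons"].add("long qname")
        joined = "".join(sub_labels)
        if len(joined) >= 16 and shannon_entropy(joined) >= min_entropy:
            rec["reasons"].add("high entropy")
    for rec in per_base.values():
        if len(rec["subs"]) >= max_unique:
            rec["reasons"].add("many unique subdomains")
    return {b: sorted(r["reasons"]) for b, r in per_base.items() if r["reasons"]}


# Constructed sample: ordinary traffic plus five queries whose leftmost label
# is 28 hex characters, never repeated, under one base domain.
SAMPLE_LOG = [
    "2014-01-28T10:00:01Z client=10.0.0.7 q=www.example.com. type=A",
    "2014-01-28T10:00:02Z client=10.0.0.7 q=mail.example.com. type=MX",
    "2014-01-28T10:00:03Z client=10.0.0.7 q=update.filezilla-project.org. type=A",
    "2014-01-28T10:00:04Z client=10.0.0.7 q=3f9a1c7be04d7712ac0e55b1d8c4.evil.invalid. type=A",
    "2014-01-28T10:00:04Z client=10.0.0.7 q=a81e05c27f3b9d46e0c1b7f2d593.evil.invalid. type=A",
    "2014-01-28T10:00:05Z client=10.0.0.7 q=0c4d7e9a2b15f83ce6d0a7b49f12.evil.invalid. type=A",
    "2014-01-28T10:00:05Z client=10.0.0.7 q=e2b7c09d4f6a1835b9d0c3e7a4f8.evil.invalid. type=A",
    "2014-01-28T10:00:06Z client=10.0.0.7 q=7d3a9f0e1c5b28d4a6e0f9c2b713.evil.invalid. type=A",
    "2014-01-28T10:00:07Z client=10.0.0.7 q=www.example.com. type=A",
    "2014-01-28T10:00:08Z client=10.0.0.7 q=cdn.example.com. type=A",
    "2014-01-28T10:00:09Z client=10.0.0.7 q=forum.filezilla-project.org. type=A",
]

if __name__ == "__main__":
    for base, reasons in analyze(SAMPLE_LOG).items():
        print(base, ", ".join(reasons))
```

      Legitimate services (CDNs, anti-spam reputation lookups, some telemetry) also produce long random-looking labels, so in practice this kind of scorer feeds an allowlist and an analyst rather than a block rule; what it buys you is that the side channel fatphil describes no longer goes entirely unobserved.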
    9. Re:Firewall by Bacon+Bits · · Score: 2

      FTP: Still sucking because it was invented with NCP in mind.

      --
      The road to tyranny has always been paved with claims of necessity.
    10. Re:Firewall by fatphil · · Score: 1

      Ignore the summary, and *both* links, there's mangled illogic everywhere.

      "You can't find any suspicious behavior, entries in the system registry, communication or changes in application GUI." Apart from the suspicious behaviour and the communication, that is - duh!

      If they can't describe what it does, they clearly don't understand what it does.

      Just make sure you compare known hashes which you got from a secure (and trusted by you) server when you download binaries. Then this problem mostly disappears (unless the NSA wants in on the action).

      --
      Also FatPhil on SoylentNews, id 863
    11. Re:Firewall by Shalaska · · Score: 0

      I believe the parent was thinking of the incoming FTP port not the outgoing port. This does show however the common problem that the average person does not understand how most of this technology works, and many of them believe that they have secured themselves with steps such as above when in reality all they have done is made themselves feel safer without any actual security in place.

      --
      Never attribute to malice that which is adequately explained by stupidity.
    12. Re:Firewall by Anonymous Coward · · Score: 0

      National Car Parks?

    13. Re:Firewall by fustakrakich · · Score: 1

      You can't filter DNS without breaking way too much of the internet.

      Nice trick. It's almost as if...

      --
      “He’s not deformed, he’s just drunk!”
    14. Re:Firewall by Anonymous Coward · · Score: 0, Informative

      Actually, nope.

      Unless you're running a DNS server yourself, you don't need to query their DNS for subdomains.

      On any other system, you can allow communication on port 53 only with DNS servers you use to close this side channel.

    15. Re:Firewall by fatphil · · Score: 2

      Ahhh, the lack of recursive queries explains why tunnelling TCP over DNS doesn't work, and why this webpage doesn't explain how TCP-over-DNS works: http://analogbit.com/tcp-over-dns_howto

      The "DNS servers you use" are the things that do the sneaking information in and out for you - that's their job.

      --
      Also FatPhil on SoylentNews, id 863
    16. Re:Firewall by Mdk754 · · Score: 1
      Subtle bash reference, I like it...

      you can go hunter2 my hunter2-ing hunter2

    17. Re:Firewall by Anonymous Coward · · Score: 2, Funny

      fatphil.*******.haxorsrus.ru is not a valid domain name.

    18. Re:Firewall by Anonymous Coward · · Score: 0

      Oh, indeed. I feel stupid now for not considering everything you can include in the request and reply. At least got an interesting link out of this, thanks.

      In penitence, I'm going to block all DNS at my PC and only use HOSTS file based white list, and may APK's ghost help me!

    19. Re:Firewall by citizenr · · Score: 0

      so you have an IDS that can detect timing covert channel?

      --
      Who logs in to gdm? Not I, said the duck.
    20. Re:Firewall by fast+turtle · · Score: 1

      ICTFY - the client connects to an FTP server either on the standard port (21) or a specified port to initiate the connection. The Standard data connection to any FTP server is (23) that's used to communicate with the server in either mode (passive/active)

      An error is the ports about 32768 as it's anything above 1024 that's fair game with the ephemeral ports being above 49151 - the registered ports
        http://en.wikipedia.org/wiki/L...

      Basically, anything above 1024 is classified as the High Range as they're available to a User and not restricted to Administrator/Root privileged software and I've seen my client (Filezilla no less) use any range of ports above 1024 depending on the server config. Most that allow public/anonymous connections restrict those connections to 32768 and higher for logging purposes. Anyone attempting to connect to a low level port is blocked and logged (FTP.Microsoft.COM) is a good example. Lots of stuff to download there if you need windows patches and such for older versions along with other goodies.

      --
      Mod me up/Mod me down: I won't frown as I've no crown
    21. Re:Firewall by mysidia · · Score: 1

      The Standard data connection to any FTP server is (23)

      No. Port 23 is the WKP of the Telnet service.

      An error is the ports about 32768 as it's anything above 1024 that's fair game with the ephemeral ports being above 49151 - the registered ports

      The default ephemeral port range in Linux and many operating systems is 32768 to 61000. The remote end is not entitled to make assumptions about what range ephemeral ports may be allocated from by the opposite end. The remote system has free use of all valid port addresses (IP):(PORT). ; many different operating systems have different choices, 4096 to 65534 is also common, and the client is required to support any port number.

      Basically, anything above 1024 is classified as the High Range as they're available to a User and not restricted to Administrator/Root privileged software and I've seen my client

      This is a Unix convention. Ports below 1024 are WKP, and by tradition, Unix only allows root to bind() these ports for an outgoing connection, or to listen for an incoming one.

      Most that allow public/anonymous connections restrict those connections to 32768 and higher for logging purposes.

      There are certainly FTP servers that will restrict the PORT command against using a port in the WKP range.

    22. Re:Firewall by mlw4428 · · Score: 1

      Negative Ghost Rider:

      http://en.wikipedia.org/wiki/N...

    23. Re:Firewall by fatphil · · Score: 1

      OK, cool; but don't mention his name 3 times, or he may appear... I don't want him on my subthreads, as my time is too valuable to waste even reading his jabberings. He stalked me for a while, and I think was mod-stalking me too (as that happened within days of him starting to stalk me).

      --
      Also FatPhil on SoylentNews, id 863
  6. Re:Defamation by Dan+East · · Score: 5, Insightful

    You really think the NSA is sending their data to Russian servers? That's where the article says it's going.

    --
    Better known as 318230.
  7. Re:Defamation by smallfries · · Score: 4, Funny

    So... am I the only one that thinks the NSA version sounds like the better option? Smaller, newer runtime, other bugfixes. Sounds like an upgrade.

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  8. ibgcc_s_dw2-1.dll by Anonymous Coward · · Score: 0

    ibgcc_s_dw2-1.dll

    Well done, editors.

  9. Re:Defamation by Anonymous Coward · · Score: 0, Troll

    Yes, because the NSA officially is not allowed to spy on their own citizens, it will send the information to a friendly country like Russia. The Russian intelligence agency will then forward this information to the NSA and no harm has been done.

  10. people still use FTP? by Anonymous Coward · · Score: 0

    WTF? It's 2014. SSH has existed for almost 19 years already.

    1. Re: people still use FTP? by DVega · · Score: 3, Insightful

      SSH will not help here. A modified SSH client (eg. WinSCP) could do exactly the same. It can even steal your private keys.

      --
      MOD THE CHILD UP!
    2. Re:people still use FTP? by hawkinspeter · · Score: 1

      Fair point, but is it included in Windows?

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    3. Re: people still use FTP? by Anonymous Coward · · Score: 0

      A genuine copy of WinSCP is signed with a trusted publisher certificate, which Windows will tell you about, when you install WinSCP.

    4. Re:people still use FTP? by Kazoo+the+Clown · · Score: 2

      Yes, and it's more than 10x slower than FTP.

    5. Re:people still use FTP? by Bert64 · · Score: 2

      People still use telnet extensively too...
      The primary reason for the use of both ftp and telnet instead of ssh, is because windows still comes with ftp and telnet clients but no ssh, so you can be guaranteed that virtually any machine you ever use will have a client.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:people still use FTP? by Blaskowicz · · Score: 1

      It's supported by Filezilla, anyway. I use that if I quickly need to transfer files to/from a linux box on a LAN, with only openssh-server needed on the other machine. It's also really easy to use for beginner/non-technical users, and is an apt-get install away on linux too.

    7. Re:people still use FTP? by Blaskowicz · · Score: 1

      I may be particularly lucky but I seem to hit ~10MB/s on a 100Mb LAN constantly, even when both ends are half-decent Pentium 3 level hardware. Seen an ssh transfer slow when using WinSCP, or worse with a ssh server run on *Windows* (I think that one just uses Cygwin)
      Even more fun there's Dokan sshfs you can run on Windows : slow but enough to play music and movie files from the linux remote host.

      Slowest I've seen was downloading files with scp under MS-DOS, it was like 80KB/s but there was something wrong with that stupid TSR networking going on, as I had done the same 10x-20x faster on a slower PC before.
      If ssh is that slow for you you're maybe doing something wrong (like using a piece of shit Raspberry with data on ntfs-3g, inescapable USB networking and storage? I never tried that set up but it would be comical)

    8. Re:people still use FTP? by hawkinspeter · · Score: 2

      So, windows still doesn't include the world's most used connection/command/control software despite it being ancient and you have to use some 3rd party software just to get windows up to the same level as almost any other OS?

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    9. Re:people still use FTP? by Blaskowicz · · Score: 2

      Microsoft seems to have the decency of not including telnet by default these days. I remember being pissed by that once. Thankfully about the only legitimate reason to use telnet was to login to your modem or router and this has been superseded by web interfaces. Or so I hope ;), maybe some people rely on it in the enterprise - in a segregated control network to access whatever stuff, or in industry to access embedded/industrial stuff, not on the internet either. It's so crude I think of it as kind of a serial cable.

      ftp is/ought to be considered deprecated, too. It will probably linger for ages because of legacy but I could read a nice detailed argument (and fun rant about security and creaking'oldness) that it's not even needed. http or ssh can do the job instead. There seems to be plenty (more tempered, concise) results with a "don't use ftp" Google search.
      Maybe ftp can be used for world readable, guest-user public archives and that's all.

    10. Re:people still use FTP? by Blaskowicz · · Score: 1

      What do you mean? it comes with the Microsoft RDP client, sometimes a RDP server named "Remote Assistance" and of course Internet Exploiter :D
      Can even share a directory over the network by right-clicking on it. Well, if it was not buried by more wizards and login errors, I dunno.

    11. Re: people still use FTP? by Kazoo+the+Clown · · Score: 1

      It is possible to tune ssh better but most people aren't aware of it and just use some off-the-shelf client as delivered. Even so, the best I've seen ssh clocked is at 1/2 the speed of FTP. If you're moving gigabytes of data, FTP is still the ticket. If you need encryption, do it first on the data files.

    12. Re:people still use FTP? by pr0fessor · · Score: 1

      I know telnet sucks and everyone wants to disable ICMP everywhere too but it's so easy... does it resolve, ping, trace, telnet, yes/no here is the most likely cause.

    13. Re:people still use FTP? by PRMan · · Score: 1

      FTP is commonly used in business to send files from one business to another. They just drop it in a specified folder on the FTP server and the server polls the file system every minute or so to find new files. These systems have been around for decades. Even getting them to upgrade the security to secure FTP was difficult enough.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    14. Re: people still use FTP? by cbiltcliffe · · Score: 1

      If you're moving gigabytes of data, FTP is still the ticket. If you need encryption, do it first on the data files.

      That does nothing to prevent your password from being sniffed.
      However, like the GP, I've managed 8-10 MB/s to a Pentium 3 server on a 100Mb network, which is barely slower than FTP on the same hardware. It certainly loads the processor more than FTP does, so if you're trying to do multiple client connections on a Gigabit network with a low end processor in the server, you might slow things down. Maybe that's what your use case is?

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  11. What we need is a mechanism by vikingpower · · Score: 1

    to compile your own binaries from source, and then let you compare their fingerprint with "official" pre-compiled binaries. No, not a simple hash. Various fingerprints, spread over security-sensitive parts of the software. No idea if such a thing exists, although I remember having seen a discussion here on /. last year.

    --
    Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
    1. Re:What we need is a mechanism by Anonymous Coward · · Score: 0, Informative

      What you seem to want is Gentoo.

    2. Re:What we need is a mechanism by MrBingoBoingo · · Score: 1

      These things actually do indeed exist. You know in the *NIX and Open source universe things that approach this are rather standard.

    3. Re:What we need is a mechanism by mwvdlee · · Score: 3, Insightful

      Then the problem shifts from getting your binaries from the right website to getting your sourcecode from the right website.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:What we need is a mechanism by vikingpower · · Score: 1

      No need to be condescending. I use FOSS all the time. Yet, AFAIK, there is no such mechanism that lets a developer introduce security fingerprints which "tag" a critical section of code, and which the compiler adds to the binaries, in such a way that after compiling source locally, you can check critical parts of your binaries on compliance with the "official" fingerprints. Or am I mistaken ?

      --
      Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
    5. Re:What we need is a mechanism by vikingpower · · Score: 1

      Correct. That, however, can be in part dealt with by taking hashes....

      --
      Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
    6. Re:What we need is a mechanism by gnasher719 · · Score: 4, Informative

      No need to be condescending. I use FOSS all the time. Yet, AFAIK, there is no such mechanism that lets a developer introduce security fingerprints which "tag" a critical section of code, and which the compiler adds to the binaries, in such a way that after compiling source locally, you can check critical parts of your binaries on compliance with the "official" fingerprints. Or am I mistaken ?

      There is no mechanism in most compilers/linkers that allows you to recreate the exact same executable that someone else built, byte by byte. You would need a compiler to be a hundred percent deterministic. I could imagine some optimisation algorithms working better with some randomisation, so that wouldn't be possible. a+b could sometimes translate to "load a, add b" and sometimes "load b, add a". Things like the __FILE__ macro in C or C++ include the full path of the file, which is different on your machine than on mine. And of course you'd need the exact same build environment. Exact same version of every library that is used.

    7. Re:What we need is a mechanism by Anonymous Coward · · Score: 1

      hashes do not help, if somebody compromised the source, they can also compromise the hashes by changing them to match
      if you had been reading the news since last summer, you would see that injection/impersonation/etc. attacks on HTTP (and other protocols) are confirmed to be in use in the wild, and even before that, many malware/viruses have been found redirecting traffic (albeit in a more hacky way)

      the same way that a few years ago one had to be careful with diskettes and where they had been and where they were coming from, now it is the internet, and arguably it is a much harder problem: with the internet you need to trust the router, the ISP, and all the routers that led you to the server, in addition to the server. That's too much trust to be spread over many things you cannot control.
      When computers were not connected the risk of data exfiltration was much lower than today.

      OSs and their security models are totally outdated, and/or based on a trust model that is hardly true today. What we need is an OS whose security model allows fine-grained access/deny (deny should be "stealth", that is, processes should not be able to know they are being denied) permissions on EVERY I/O a program could possibly make, whether it is network access to a given port, access to a contact/calendar database, access to files, access to sensors, etc.
      Would that prevent exfiltration? not 100%, but it would make it harder, right now it is trivial for any app to harvest data and then send it to some other place we were attempting to connect to.
      Right now the OS trusts and gives too much freedom to processes.

      that still does not help the trust issue on the net though.

    8. Re:What we need is a mechanism by ppanon · · Score: 2

      It doesn't exist because the results of your compilation would depend on the version of the compiler you used to do the compilation and what optimization flags you used (due to target object code and optimizations performed). Either you compile from source which you can first check against a known cryptographic checksum, or you run binaries that have been cryptographically signed by the developer. What you are suggesting would require unnecessary added complexity for no gain in security.

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
    9. Re:What we need is a mechanism by camperdave · · Score: 5, Funny

      What you seem to want is Gentoo.

      Gentoo? I've only got an 8 core machine with 64G of RAM.

      --
      When our name is on the back of your car, we're behind you all the way!
    10. Re:What we need is a mechanism by Arancaytar · · Score: 2

      The binary is never going to be identical - it contains all kinds of platform- or compiler-dependent stuff, as well as timestamps. Depending on optimization flags, the compiler may even restructure it differently, with no practical way to isolate security-relevant portions that should remain unchanged. And a malicious payload could be basically anywhere in the executable, so every part is security-relevant.

      The approach is still good, but since it already involves distributing the source code, it would make more sense to sign the source instead of the binary.

    11. Re:What we need is a mechanism by drinkypoo · · Score: 4, Informative

      The question is really do you have SSD. It only takes a few days to build gentoo on some architecture which actually benefits from it, like a K6... with a laptop drive. On a modern machine with a SSD you ought to be able to knock it out in actually quite reasonable time.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    12. Re:What we need is a mechanism by Anonymous Coward · · Score: 3, Informative

      You're overthinking it.

      If you're compiling from source, check the hash of the source against an official source of the source.

      If you're running a pre-compiled binary, then check the hash of the binary with an official source of the binary.

    13. Re:What we need is a mechanism by Shinobi · · Score: 1

      With 64GiB, he doesn't even need an SSD. Just use a RAM disk for the build process.

    14. Re:What we need is a mechanism by Bert64 · · Score: 2

      No, but why would you want to do things in such a convoluted way?
      Typically you just verify that the source code you build from matches the published source through the use of checksums and/or gpg signatures... Verifying the resulting binaries would be flawed, as all manner of things could change the resulting binaries such as compile time flags, development headers, compiler version, linked libraries, linker/compiler options etc.

      Aside from verifying the original source, if there are modifications made to the source from the official version these are typically distributed as small patch/diff files making it very easy to identify what's been changed...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    15. Re:What we need is a mechanism by Anonymous Coward · · Score: 0

      The internet is not a trustworthy source by any means, all cables in and out of countries are TAPPED by governments and have been since day 1 of the internet. I know, I had a site at univ during the first internet days and Netscape days... I had hits from CIA domains back then, I logged and checked them.

      It is not a new thing that they monitor the internet.

      Apps don't have to be modified at the source either to be compromised, they can have libraries and code INJECTED into them, remember the days of P2P music download clients? They were wrapped and injected to give new features in new packaged distributions when there was no source available.

    16. Re:What we need is a mechanism by Bert64 · · Score: 1

      Hashes help, but aren't perfect... If the original source of the code was compromised, then the published hashes could be too and any mirror sites would also pick up the backdoored version. But this isn't unique to open source code, the same attacks can be performed on binaries too if you control the original distribution point.
      On the other hand, having the source increases the chance that any change would be detected by third parties.

      If someone only compromised a single mirror site, then you should be able to quite easily tell that the hashes on that mirror don't match the ones on other mirrors and/or the main publisher's site and this is the primary type of attack that hashes are supposed to deter.

      The main problem in this article is a lack of a trusted central repository for installing software... Windows users need to download and install filezilla manually, so they search for it on their search engine of choice... But how do they verify that the results which come up are genuine? This is not a problem end users should have to deal with, and the vast majority of people are not sufficiently technically literate to do so safely.

      The security model you're talking about is possible with selinux, but because the control is so fine-grained it is extremely painful to manage and becomes impractical for all but the most security paranoid environments.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
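
      A checksum check of the kind this subthread describes, as an added example that is not from the thread or the FileZilla project: it verifies a downloaded installer against the publisher's sha256sum-style list and, when a mirror's list is also supplied, requires the two lists to agree before trusting either. The file names, file contents and checksum lists used in the demo are constructed.

```python
"""Verify a downloaded installer against published SHA-256 checksums.

Added example (not from the thread or the FileZilla project). Assumes the
checksum lists use the common `sha256sum` text format, "<hex>  <filename>",
and that the list fetched from the publisher's own site is the reference;
a second list (from a mirror) can be cross-checked against it.
"""
import hashlib
import os
import tempfile


def parse_checksum_list(text):
    """Parse sha256sum-style lines into {basename: hexdigest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-256 digest: {digest!r}")
        entries[os.path.basename(name)] = digest
    return entries


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, publisher_list, mirror_list=None):
    """Return (ok, reason) for the file at `path`.

    A mirror that rewrote both the binary and its checksum file would still
    pass a single-source check; comparing its list against the publisher's
    catches that case, as the thread points out.
    """
    name = os.path.basename(path)
    published = parse_checksum_list(publisher_list)
    if name not in published:
        return False, f"{name} is not listed by the publisher"
    expected = published[name]
    if mirror_list is not None:
        mirrored = parse_checksum_list(mirror_list).get(name)
        if mirrored is None:
            return False, "mirror publishes no checksum for this file"
        if mirrored != expected:
            return False, "mirror's checksum disagrees with the publisher's"
    actual = sha256_of_file(path)
    if actual != expected:
        return False, f"checksum mismatch: got {actual}, expected {expected}"
    return True, "checksum matches the publisher's list"


def demo():
    """Run verify_download over constructed files; returns {case: (ok, reason)}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # constructed stand-in for an installer; the name is illustrative only
        good = os.path.join(d, "FileZilla_Setup.exe")
        with open(good, "wb") as f:
            f.write(b"constructed stand-in for an installer\n")
        digest = sha256_of_file(good)
        publisher = f"{digest}  FileZilla_Setup.exe\n"
        # a mirror list whose digest differs in the final hex digit
        flipped = "0" if digest[-1] != "0" else "1"
        mirror_bad = f"{digest[:-1] + flipped}  *FileZilla_Setup.exe\n"
        results["clean"] = verify_download(good, publisher, publisher)
        results["mirror_tampered"] = verify_download(good, publisher, mirror_bad)
        results["unlisted"] = verify_download(good, "# empty list\n")
        # the binary modified after its checksum was published
        with open(good, "ab") as f:
            f.write(b"\x00" * 16)
        results["file_tampered"] = verify_download(good, publisher)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:16} {'OK ' if ok else 'BAD'} {reason}")
```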
    17. Re:What we need is a mechanism by camperdave · · Score: 1

      I was going for the +5Funny, but I do have such a machine, and it does have an SSD. I forget whether it is 60G or 120G. (It's sleeping now, I haven't got the Wake On LAN set up yet, so I can't remote in to find out.) Perhaps one day I will try a Gentoo compile to a RAM disk as Shinobi suggests, just to see how long it takes.

      --
      When our name is on the back of your car, we're behind you all the way!
    18. Re:What we need is a mechanism by Anonymous Coward · · Score: 0

      Doesn't TOR somehow pull that off?

    19. Re:What we need is a mechanism by Anonymous Coward · · Score: 0

      I was going for the +5Funny, but I do have such a machine, and it does have an SSD. I forget whether it is 60G or 120G. (It's sleeping now, I haven't got the Wake On LAN set up yet, so I can't remote in to find out.) Perhaps one day I will try a Gentoo compile to a RAM disk as Shinobi suggests, just to see how long it takes.

      better off mining for bitcoins!

    20. Re:What we need is a mechanism by fast+turtle · · Score: 1

      BING BING BING

      We have a winner!!!

      Hashes are useless for source code as they don't tell you if the code is virgin or not. The only secure method is to use GPG signatures on the source code (apt-get/rpm/emerge can all check them if configured). In the FLOSS world, you also have distro repositories that are generally trusted as they're controlled by the distro itself and packages are signed with the distro key. Much better than a binary hash.

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    21. Re:What we need is a mechanism by N.+Criss · · Score: 1

      Typically you just verify that the sourcecode you build from matches the published source through the use of checksums and/or gpg signatures...

      And how do you know that *your compiler* can be trusted? http://cm.bell-labs.com/who/ke... (Reflections on Trusting Trust). Any way you slice it, this is a *hard* problem.

    22. Re:What we need is a mechanism by drinkypoo · · Score: 1

      It's been a long time since I built gentoo, but it really only took me a couple days to get it with a browser on a K6 laptop with 384MB RAM. I would anticipate even a modern vintage installing on such a platform in less than a week. That seems like a long time, and it is if it's your only machine, but if your only machine is a K6 laptop then you can probably upgrade for free :)

      I don't much see the point of gentoo on massively powerful hardware. On limited hardware for which there's no builds and which benefit from recompilation, of which again the K6 is the poster child, it makes a lot of sense. You do slightly reduce attack surface by eliminating the unneeded features, right up until you decide you needed them after all and you now need to recompile what you could have simply reconfigured.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    23. Re:What we need is a mechanism by vikingpower · · Score: 1

      Exactly this. This is the point where I wanted to arrive, for starters. Finally someone got it.

      --
      Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
  12. Re:Defamation by Anonymous Coward · · Score: 0

    Yes, because the NSA officially is not allowed to spy on their own citizens, it will send the information to a friendly country like Russia. The Russian intelligence agency will then forward this information to the NSA and no harm has been done.

    And somehow, this textbook definition of strawman purchase is allowed to happen.

  13. Passwords are stored in plain text anyway by Anonymous Coward · · Score: 1, Informative

    Take a look in
    %APPDATA%\FileZilla\sitemanager.xml

    1. Re:Passwords are stored in plain text anyway by ledow · · Score: 2

      Well, yes, because you have to store and send the original password.

      You can't send the hash to a remote FTP server as a login, they won't accept it. And the definition of a hash is basically to make it difficult to "work backwards" to a username from it.

      So, somewhere, you either have to store in plaintext or in a file which the program encrypts and has full capabilities and permissions to read. About the only way to do this efficiently and safely is to have a "locked" wallet kind of affair that the user has to supply a global password to.

      The problem here is NOT that the passwords are stored (FileZilla is an end-user tool, so the chances of some ISP "losing" thousands of passwords by using it is stupidity itself). It's that the program itself is malware and capable of doing anything that FileZilla has permission to do - e.g. read from the keyboard and connect to remote servers.

    2. Re:Passwords are stored in plain text anyway by Arancaytar · · Score: 1

      What else are you going to store? Of course you could use sftp and rely on ssh-agent to manage the key, but then you'd be using Linux instead of Windows with FileZilla.

    3. Re:Passwords are stored in plain text anyway by Anonymous Coward · · Score: 0

      In my version it is in filezilla.xml but in clear nonetheless.

    4. Re:Passwords are stored in plain text anyway by KiloByte · · Score: 2

      It's an FTP client! If you use passwords there, you're doing it wrong.

      It's an ancient protocol that sends logins and passwords over the network in plain text, and you're concerned with storing them on your disk unencrypted?

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    5. Re:Passwords are stored in plain text anyway by CastrTroy · · Score: 3, Informative

      To be fair, it also supports SSH File Copy (SFTP) and FTP over SSL/TLS (FTPS). Also, FTP can be secure if tunneled over a VPN.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  14. This dll names look like legal ones by Anonymous Coward · · Score: 0

    These DLL names look like legal ones, at least in the Linux world. I have several times installed libstdc++ as a dependency of other packages.

    1. Re:This dll names look like legal ones by Anonymous Coward · · Score: 0

      Good software can be used for evil. News at 11.

    2. Re:This dll names look like legal ones by jones_supa · · Score: 3, Informative

      These DLL names look like legal ones, at least in the Linux world. I have several times installed libstdc++ as a dependency of other packages.

      Duh, logic fail. The article does not claim that these particular DLLs provide the malicious code, but are simply some easily observable differences between the friendly and malicious version.

    3. Re:This dll names look like legal ones by Anonymous Coward · · Score: 0

      These DLL names look like legal ones, at least in the Linux world. I have several times installed libstdc++ as a dependency of other packages.

      Duh, logic fail. The article does not claim that these particular DLLs provide the malicious code, but are simply some easily observable differences between the friendly and malicious version.

      Agreed. But where is the information in the article saying something like "these are normal DLLs used for other purposes; they just should not be there, as they are not part of the official one"? Read the summary, and a Windows user will assume that these DLLs must contain the code for the hack.

    4. Re:This dll names look like legal ones by Bert64 · · Score: 1

      The problem is that this news will now cause legitimate software that just happens to use these libs to be labelled as suspect, and the authors of malware will simply use a different compiler setup that doesn't require these two libs (e.g. the official bin is much larger most likely because it includes the functionality that the malicious version draws from these libs).

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:This dll names look like legal ones by TangoMargarine · · Score: 1

      Plus he was making the apparently fallacious assumption that the article writers had any idea what they were talking about.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  15. This is BIGGER than Filezilla by gooman · · Score: 2

    Without a doubt this will be used as propaganda against the entire Open Source community. Everything OSS.
    I'd bet the Sales & Marketing Dept. at Microsoft and all the rest will have talking points in their sales people's hands before the end of the day.

    At this moment, there is nothing about this on the Filezilla project's website. GET ON IT people!
    An accurate explanation should be front page before the scare tactics have a chance to work.
    Plus, users need an instant & easy way to identify if their version is legit to ease their minds.

    Now concerning the bad guys... I'd suggest some sort of vigilante justice is in order.
    Perhaps identifying the rogue servers and uploading something the local authorities might be interested in.

    --
    "Kittens give Morbo gas!"
    1. Re:This is BIGGER than Filezilla by Anonymous Coward · · Score: 0

      This is not a big deal really.

      This is just an infected copy; there are plenty of programs, closed source or not, that may have infected copies. People do understand what a virus is.

    2. Re:This is BIGGER than Filezilla by Alarash · · Score: 1

      When was the last time you heard Microsoft bash OSS? I'm genuinely curious. I've only seen them pushing code to Git or opening their own specs or frameworks lately (MVC, for instance). I think your point is correct, but I don't think Microsoft is the right example anymore.

    3. Re:This is BIGGER than Filezilla by oscrivellodds · · Score: 1

      Plus, users need an instant & easy way to identify if their version is legit to ease their minds.

      How about searching for "ibgcc" on your computer? Seems instant enough.

    4. Re:This is BIGGER than Filezilla by Anonymous Coward · · Score: 1

      Indeed, what size is the legitimate file and what size is the smaller corrupt one? It's OK going about saying there's a problem but if people don't know how to identify it then how can they do anything about it?

    5. Re:This is BIGGER than Filezilla by Anonymous Coward · · Score: 0

      I'd bet the Sales & Marketing Dept. at Microsoft and all the rest will have talking points in their sales people's hands before the end of the day. ...
      Plus, users need an instant & easy way to identify if their version is legit to ease their minds.

      Linux Users: You're fine.
      Apple Users: You're fine.
      BSD Users: You're fine.
      Only Windows Users need worry about this attack. Fortunately users of signed software repositories (as on Linux) are assuredly not vulnerable to this type of exploit.

      Sounds anti-MS, eh? Well, they could use it to at least push W8 app store as a better model for distributing software -- I'd say a 3rd party software repository system that allows trusting multiple repos like on Linux would be best, but you know, vendor lock-in.

    6. Re:This is BIGGER than Filezilla by Anonymous Coward · · Score: 0

      Windows verifies signed installers from multiple publishers and conspicuously warns you not to install unsigned software. But please, continue spreading your anti-Microsoft propaganda.

    7. Re:This is BIGGER than Filezilla by Bert64 · · Score: 1

      And if you're using such crude methods to differentiate between legitimate and malicious binaries, the malware authors will just pad their binaries with zeroes until they're the same size as the legitimate ones.
      They will also compile their binaries with the same compilers, so that it uses the same external libraries, and they will compile with more aggressive file size optimization so that their small amount of extra code doesn't result in the binary being any larger (and thus they can pad with zeroes to make it the same size).

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    8. Re: This is BIGGER than Filezilla by Anonymous Coward · · Score: 0

      The problem is that a large proportion of Windows software found on the web is unsigned so users get used to clicking away the prompts without actually evaluating the warning. The prompts for signed and unsigned packages look superficially similar and both have an OK button that allows installation to proceed.

  16. Re:Defamation by Anonymous Coward · · Score: 0

    So... am I the only one that thinks the NSA version sounds like the better option? Smaller, newer runtime, other bugfixes. Sounds like an upgrade.

    Yes, and I'm sure they can make crypto much more efficient too...by removing all that "excess" code.

  17. Re:This is BIGGER than Open Source by Anonymous Coward · · Score: 0

    Any software can be malicious, regardless of whether you paid for it or whether you can see the source code. Quick, criminalize the entire software industry. It's the only way to be safe from the terrorists.

  18. D'oh!! by benjfowler · · Score: 3, Insightful

    Stubbed my toe. NSA's fault!!

    1. Re:D'oh!! by hb253 · · Score: 0

      Thanks Obama. >:-(

      --
      Self awareness - try it!
  19. Two sane ways to install free software. by Arancaytar · · Score: 4, Insightful

    1. package manager of your distro (i.e. trust someone trustworthy to curate)
    2. git clone; make (i.e. get it from the developers directly)

    Anything else is basically eating candy you found on the street.

    1. Re:Two sane ways to install free software. by Anonymous Coward · · Score: 0

      But, street candy is so sweet!

    2. Re:Two sane ways to install free software. by Anonymous Coward · · Score: 0

      Anything else is basically eating candy you found on the street.

      King.com lawyers will be sending you a cease and desist letter for using that candy themed car analogy.

    3. Re:Two sane ways to install free software. by fatphil · · Score: 1

      "Anything else is basically eating candy you found on the street."

      Wow, that's the best description I've heard in a long time. It's 100% bang on. People like candy...

      However, downloading the source means that you're trusting the compiler or the virtual machine that's running the code. OK, signed gcc straight from debian, that I trust (but there's no need to follow up with a Thompson Trusting Trust reference, I'm fully aware of the principle). But, to be honest, I don't trust the guys who are trying to push a java VM on me (at least one that will work with a program I was interested in running, but can do without).

      --
      Also FatPhil on SoylentNews, id 863
    4. Re:Two sane ways to install free software. by Anonymous Coward · · Score: 0

      Anything else is basically eating candy you found on the street.

      This is why you should always get your candy from strangers with dirty vans.

    5. Re:Two sane ways to install free software. by Bert64 · · Score: 1

      The same applies for non free software... You need to ensure you've got it from a trusted source.
      In fact, non free software is potentially even more dangerous in this regard as you're more likely to be entering credit card details into the site you're purchasing the software from.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  20. Re:Defamation by SuricouRaven · · Score: 1

    There's no evidence this is an NSA program.

  21. Whoever needs a GUI FTP client deserves that. by Anonymous Coward · · Score: 0

    OK, OK. I've asbestos underwear ;-)

    On a more serious note: the problem is of course one of trust and end-user abilities. We need a solution for that. And it ain't easy.

    No, walled gardens are not *my* favourite. But whenever I install some random binary on my box and get pwned, I know I (or my trust model) am to blame.

  22. Actually, Windows is partly to blame here by davide+marney · · Score: 2

    There is no equivalent in the Windows world to the signed source repositories of Linux. Windows keeps itself updated through signed updates, but does nothing about the other thousands of applications and libraries that are installed. There's probably a good reason why this rogue FTP app isn't in a repository, those evil library files would have to be included in the dependency manifests for all to see. These things survive in Windows because users are forced to install everything from the untrusted web.

    --
    "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
    1. Re:Actually, Windows is partly to blame here by Anonymous Coward · · Score: 1

      There is. Win8/Store.

    2. Re:Actually, Windows is partly to blame here by Anonymous Coward · · Score: 1

      Windows software can have digital signatures. WinSCP is third-party software, and its installer is signed.

    3. Re:Actually, Windows is partly to blame here by hawkinspeter · · Score: 1

      There's a world of difference between software having a digital signature and the software installer actually checking the digital signature. Does Windows even have a mechanism to check the signature?

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    4. Re:Actually, Windows is partly to blame here by heypete · · Score: 3, Informative

      There's a world of difference between software having a digital signature and the software installer actually checking the digital signature. Does Windows even have a mechanism to check the signature?

      Yes. Many (most?) installers for Windows check the signature when you open the installer. This has been the case for ages, with even Windows XP checking signatures (though not for nearly as many things as Windows Vista/7/8 do).

      If a program wants admin rights (and many installers do), Windows will check the signature and display a different prompt for signed and unsigned code (see here for an example).

    5. Re:Actually, Windows is partly to blame here by hawkinspeter · · Score: 1

      So, it's the software that you download that verifies itself? Or, does Windows have a list of checked software along with their signatures?

      I had a quick look in your link to the UAC and couldn't see much relevance as it all seemed to be about elevating privileges rather than authenticating 3rd party software. I've never seen Windows do any checking except for drivers.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    6. Re:Actually, Windows is partly to blame here by fatphil · · Score: 1

      > These things survive in Windows because users are forced to install everything from the untrusted web.

      Deeper - they survive in Windows because users don't give a damn 99.9% of the time, and the only .1% of the time is the short period after a fatal infection, and is quickly forgotten. If you've worked in IT, you'll know that educating users is a futile goal. (As is trying to label all bad things with a "this is bad" label, which is stupidly what all anti-virus programs do.)

      --
      Also FatPhil on SoylentNews, id 863
    7. Re:Actually, Windows is partly to blame here by Anonymous Coward · · Score: 0

      Windows checks software certificates with public key cryptography, in the same way that web browsers check SSL certificates. Martin Pikryl's certificate used to sign WinSCP is issued by VeriSign.

    8. Re:Actually, Windows is partly to blame here by Anonymous Coward · · Score: 0

      No, this is an OS-level feature.

      Any application marked as downloaded from Internet is verified before running and shows a confirmation dialog saying either "The publisher can't be verified. Do you want to run this? [red shield icon] Publisher: unknown" or "Do you want to run this? [yellow shield icon] Publisher: (signature here)".

      You can also manually check it by going to Properties - Digital signatures.

      And your look at UAC prompt was too quick - did you miss the part where it's different depending on whether a program requesting admin access has a valid signature?

    9. Re:Actually, Windows is partly to blame here by heypete · · Score: 3, Informative

      So, it's the software that you download that verifies itself? Or, does Windows have a list of checked software along with their signatures?

      The author(s) of individual software programs acquire a code-signing certificate from a certificate authority that Microsoft trusts for that purpose. The author(s) then sign their software using that certificate. Windows verifies the signature and ensures it's from a cert issued by a trusted CA.

      I had a quick look in your link to the UAC and couldn't see much relevance as it all seemed to be about elevating privileges rather than authenticating 3rd party software. I've never seen Windows do any checking except for drivers.

      Most software requires admin rights to install, so it's sensible that the results of the signature checks show up in the escalation prompt. (If the software is unsigned, it gets a scary yellow warning. If it's signed, it shows up in an ordinary looking prompt that lists the program name and the publisher details, as found in the certificate.)

      Additionally, if you try opening unsigned executables Windows will prompt you with a moderately-scary warning. Here's a screenshot of such a warning that I took a few minutes ago.

      In short: yes, Windows does check signatures on software but it (for better or worse) gives users the option of easily running or installing software even if the program is unsigned.

    10. Re:Actually, Windows is partly to blame here by heypete · · Score: 1

      Addendum: compare the screenshot of the unsigned program mentioned above with that of a signed program. That check takes place in Windows Explorer when one opens an executable, before the UAC prompt for admin rights to install it.

      That functionality has been in Windows since Windows XP.

    11. Re:Actually, Windows is partly to blame here by hawkinspeter · · Score: 1

      I didn't realise that they show a different shield. It's not particularly obvious as even signed software is shown as a security risk. However, I try not to use Windows whenever possible as it ruins my brain.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    12. Re:Actually, Windows is partly to blame here by Bert64 · · Score: 1

      But given that anyone can get a code signing certificate, and that such a certificate only certifies that a particular organisation or individual created a given binary, how is a non technically literate user supposed to know that "joe smith" isn't a legitimate author to be signing a build of filezilla?

      A malicious distributor of malware could easily get his code signed, and also create a legitimate looking website from which to distribute it. How are end users supposed to differentiate between all the different websites? How do they know which is the real site and which ones are full of malware?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    13. Re:Actually, Windows is partly to blame here by Bert64 · · Score: 1

      And how does your browser know that http://www.yourbank.com/ which has a verisign issued certificate is your bank, and http://www.scambank.cn/ which also has a verisign issued certificate is not your real bank?

      And therefore, how is the end user supposed to know that the binary signed by "Martin Pikryl" and verified by verisign is a genuine copy of WinSCP, and that the binary signed by "John Smith" and also verified by verisign isn't?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    14. Re:Actually, Windows is partly to blame here by Bacon+Bits · · Score: 1

      So, it's the software that you download that verifies itself?

      Yes.

      It's not particularly different than relying on a repository signature. There's nothing stopping you from adding untrustworthy repositories in Linux, and if a repository is compromised signatures can be modified as well. There's a reason people are cautious about PPAs. Package managers are not immune to security issues, either.

      Or, does Windows have a list of checked software along with their signatures?

      The mechanism is just a digital certificate. The same as those used for SSL/TLS but with a different flag for use (code signing instead of just identity verification). It's not particularly more or less robust than an external metadata signature.

      Windows checks all software, but it doesn't block unsigned software. It simply issues a warning. I'm not certain what it does for a revoked certificate or for a certificate for a program that no longer passes the signature check; I've never seen one. On recent editions of Windows Server, the enhanced IE security prevents executing programs from sites that are not trusted until you manually unblock the file on the properties window.

      --
      The road to tyranny has always been paved with claims of necessity.
    15. Re:Actually, Windows is partly to blame here by tlhIngan · · Score: 2

      I didn't realise that they show a different shield. It's not particularly obvious as even signed software is shown as a security risk. However, I try not to use windows whenever possible as it ruins my brain.

      I didn't look for a shield, I looked at "Publisher". On signed software, it says the name (E.g., "Microsoft Corporation" or "Adobe" or such). On unsigned software, it just shows up as "Unknown publisher".

      Unfortunately, the official FileZilla isn't signed.

      Interestingly, OS X Gatekeeper warns you when this happens as well as it'll be unsigned software (i.e., not obtained from Mac App Store, NOR has the developer bothered to buy a signing cert from Apple ($99) to sign it). OS X will pop up an alert and unless you hold down CTRL and launch it, OS X won't even launch it no matter the option. (You could disable Gatekeeper, or you can hold down Control to impose a per-app override without disabling).

      Of course, Gatekeeper is seen as a way to wall the garden (even though it's not possible for various reasons, including say, development).

    16. Re:Actually, Windows is partly to blame here by Anonymous Coward · · Score: 0

      How do they know which is the real site and which ones are full of malware?

      Easy. The ones that are full of malware exist in the real world while the so-called real site without malware only exists in some magical fairy tale world.

  23. Malware installers are to blame by Anonymous Coward · · Score: 1

    People don't know anymore what a trusted installer is. The right way to install software, if you don't use a package manager, used to be to download the installer from the developer's site and verify its authenticity. Then you could be reasonably sure that it installs the right thing. Now so many legitimate programs use malware-bundled installers that users can't distinguish a good installer from a bad one anymore, because all of them have gone bad.

    1. Re:Malware installers are to blame by TangoMargarine · · Score: 1

      Problematic for anything that doesn't host its own installer files, yes. Now a lot of OSS projects are on SourceForge, which tries to entrap you into downloading one of their other installers.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  24. Update your HOSTS file...yes really. by Bearhouse · · Score: 5, Informative

    From TFA

    Stolen data is sent to the IP 144.76.120.243 that belongs [to a] server hosted in Germany.

    "We found 3 domains that link to same IP:
    go-upload.ru created 2012.09.23
    aliserv2013.ru created 2013.09.09
    ngusto-uro.ru created 2013.09.19

    Unfortunately, domains are registered through the infamous Russian domain registrar Naunet.ru, which is associated with malware and spam activities. This registrar hides client contact info and ignores requests to suspend illegal domains."

    1. Re:Update your HOSTS file...yes really. by Anonymous Coward · · Score: 0

      Care to share the SHA-256?

    2. Re:Update your HOSTS file...yes really. by Anonymous Coward · · Score: 0

      The whois information of the IP 144.76.120.243 gives a German address, a telephone number and an abuse email address. So the hoster can be contacted and the server can be shut down.

    3. Re:Update your HOSTS file...yes really. by Anonymous Coward · · Score: 0

      Maybe Pirate Bay could move their domain there?

  25. Re:Defamation by Chrisq · · Score: 3, Insightful

    There's no evidence this is an NSA program.

    To be honest I really hope there wouldn't be!

  26. Re:Defamation by Joce640k · · Score: 0, Redundant

    You really think the NSA is sending their data to Russian servers? That's where the article says it's going.

    That's exactly what the NSA wants you to think...

    --
    No sig today...
  27. Isn't this what Malware/AV tools are for? by Virtucon · · Score: 2

    This is why we use AV/Malware tools isn't it? Malware is distributed in a lot of different ways and if you download a corrupted installer or image from a questionable site then you should expect something extra with what you're getting. This is what the AV vendors should be watching out for but also take a few minutes of common sense when downloading, otherwise expect to have your info stolen or your system compromised. While I'm glad the Avast researcher here published the warning, I liken this to stories about the NSA, "One more corrupted installer that installs Malware, read all about it!" Now if he'd found out that the information was being leaked back to Germany for spying then it would have been more interesting.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  28. File under 1001 Bleeding Obvious Things by Demonoid-Penguin · · Score: 2

    Install only from the source. If you install from a third-party source or don't check the md5sum what did you expect?

    Tag story as stupid

    Hey, I just found a bottle of whisky by the side of the road.... Party! (what could go wrong?)

    1. Re:File under 1001 Bleeding Obvious Things by ArsenneLupin · · Score: 1

      Hey, I just found a bottle of whisky by the side of the road.... Party! (what could go wrong?)

      Hey, I know a guy who regularly does this.

      But, nowadays, after the pee incident, he carefully sniffs the bottle before he drinks...

  29. Re:Defamation by SuricouRaven · · Score: 2

    Dependency upon additional external DLLs? If this was an NSA thing, they'd design it better than that.

    Unless they deliberately introduced an obvious substandard design element precisely to make people think someone else did it, of course.

  30. obvious solution by edxwelch · · Score: 2

    I assume the malicious version appeared from an unreliable site. So, the obvious solution is to simply download Filezilla from source forge and not some random file host site.

    1. Re:obvious solution by Bert64 · · Score: 1

      How is a non technical end user supposed to know that sourceforge is the official site of filezilla, and that other sites are not?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:obvious solution by Anonymous Coward · · Score: 0

      I assume the malicious version appeared from an unreliable site. So, the obvious solution is to simply download Filezilla from source forge and not some random file host site.

      Sourceforge serves a "safe" malicious installer too though. That people are looking for alternative downloads of Filezilla is partly SourceForge's fault.

  31. That's not the only place you'll find these dll's by hyades1 · · Score: 1

    I found both of them in TOR browser software and the pro edition of Easeus Partition Master 9.1.1 (legally obtained, not pirated).

    So is there something inherently wrong with dll's bearing that name, or are they OK except when they crop up in Filezilla?

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  32. Please by ledow · · Score: 4, Insightful

    Stop all this filesize / filename nonsense.

    Either publish signed hashes of the good version or don't bother at all. If it takes more than a minute to change the filesize / filenames to something arbitrary of your choice as a malware author, I'll be amazed, especially when you could easily make it be the same size as the official one in this case by just padding with zeroes.

    Please stop using these things as identifiers for malware. Same for "check for this registry entry". Any idiot with a copy of the virus can modify the strings in it to use a different reg entry / server / filename / filesize but what they CAN'T do easily is make a file with the same hash as something official.

    And given that I couldn't even see a GPG key or hash value on the download page of FileZilla at all, pretty much this kind of thing is to be expected.

    1. Re:Please by Anonymous Coward · · Score: 0

      FileZilla is a Windows program. The people using it, by definition, are not security-literate.

    2. Re:Please by Shalaska · · Score: 0

      Exactly, the hashes are the best way to tell the two apart and anyone downloading software from the internet should learn how to check them.

      For reference you can find FileZilla's hashes at:

      http://sourceforge.net/project...

      Or to get there yourself go to Download, then click on "Show additional download options" and it will be the last one in the list.

      --
      Never attribute to malice that which is adequately explained by stupidity.
    3. Re:Please by MMC+Monster · · Score: 1

      Errr....

      It has native binaries for OS X and most Linux flavors. It's also in the repositories for several Debian derivatives.

      In fact, I went to Filezilla because it was the only reliable FTP/SFTP app on OS X that I didn't have to pay an arm and a leg for. I still use it to transfer files on Linux and Mac systems.

      --
      Help! I'm a slashdot refugee.
    4. Re:Please by eriodega · · Score: 1

      And if you need the sha512 on a Windows machine, here's a PowerShell script to get it: get-hashes.ps1 (Get the hashes (sha256, md5, whatever) for a file).
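The hash-based check that comments 32, 32.2 and 32.4 argue for, written out as an added example (this is not the page's script, not the get-hashes.ps1 linked above, and not FileZilla project code; it is Python rather than PowerShell so it runs anywhere). The installer bytes and the "published" digest are constructed stand-ins, not FileZilla's real hash. It also demonstrates ledow's point that size and filename are worthless indicators: the tampered copy is zero-padded to exactly the genuine size and keeps the same name, so both weak checks pass on it, while the SHA-512 comparison rejects it.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the genuine installer bytes (NOT the real FileZilla binary).
GENUINE_INSTALLER = b"FileZilla_3.7.3_win32-setup.exe (constructed stand-in)\n" * 64


def sha512_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-512 so a large installer need not fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex):
    """True only if the file's SHA-512 equals the published digest.

    Published hashes vary in case and stray whitespace, so the expected value is
    normalised first; compare_digest keeps the comparison time independent of
    where the first differing character sits.
    """
    actual = sha512_of_file(path)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def weak_checks_match(path, expected_size, expected_name):
    """The filesize / filename 'indicators' the comment argues against."""
    return (os.path.getsize(path) == expected_size
            and os.path.basename(path) == expected_name)


def demo():
    """Write a genuine file and a tampered copy padded with zeroes to the same size
    and name; return which checks each copy passes."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "FileZilla-setup.exe")
        with open(good, "wb") as f:
            f.write(GENUINE_INSTALLER)
        published = sha512_of_file(good)  # what a vendor would publish (ideally signed)

        # Tampered copy: 10 bytes replaced by 4, then zero-padded back to the original size.
        tampered = GENUINE_INSTALLER[:100] + b"EVIL" + GENUINE_INSTALLER[110:]
        tampered += b"\x00" * (len(GENUINE_INSTALLER) - len(tampered))
        mirror = os.path.join(d, "mirror")
        os.mkdir(mirror)
        bad = os.path.join(mirror, "FileZilla-setup.exe")  # same filename as the genuine one
        with open(bad, "wb") as f:
            f.write(tampered)

        size = len(GENUINE_INSTALLER)
        return {
            "good_weak": weak_checks_match(good, size, "FileZilla-setup.exe"),
            "bad_weak": weak_checks_match(bad, size, "FileZilla-setup.exe"),
            "good_hash": verify_download(good, published),
            "bad_hash": verify_download(bad, published),
        }


if __name__ == "__main__":
    print(demo())
```

Run against a real download, `verify_download(path, digest)` takes the digest copied from the project's page; the check is only as trustworthy as the channel that digest came over, which is why the comment asks for signed hashes rather than a bare value on the same download page.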

  33. Re:That's not the only place you'll find these dll by ledow · · Score: 2

    They are DLL's used by many programs which are compiled with a certain compiler. It's like saying a program comes bundled with msvcrtXX.dll.

    The fact that you're even bothering about the names is much more important. What the hell makes you think that the filename is an indicator of its contents? That DLL could be named the same as a harmless file but contain the virus routines. The name is neither here nor there.

    The interesting question is "what's the hash?" - is it an official copy of those files, which is innocent but required by the program because of the compiler used? Or is it just something malicious renamed to look like a common harmless file?

    Filenames mean nothing. Service names mean nothing. Process names mean nothing. Registry entry names mean nothing. They can all be changed in seconds and have no correspondence to the CONTENT of those files (hell, you can load a DLL that's called fred.jpg, if you really want).

  34. Source Forge is responsible for this by Khyber · · Score: 1, Informative

    https://forum.filezilla-projec...
    https://forum.filezilla-projec...
    https://forum.filezilla-projec...

    Anyone using Source Forge should walk the fuck away right now and never go back. They are the ones responsible for this.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  35. Sourceforge download ads by Martin+S. · · Score: 1

    This is one example of why Open Source sites need to take seriously the threat of adverts mimicking download buttons on their sites.

    Instead they are still glossing over the risks.

    http://sourceforge.net/blog/ha...

    1. Re:Sourceforge download ads by Shalaska · · Score: 2, Informative

      The number of times I have accidentally clicked on an ad Download button instead of the actual download button on sites I am not familiar with is astounding. I always have caught on quickly, stopped the incorrect download and then gone looking for the correct one, but as a Comp Sci PhD candidate and computer security practitioner, the fact that it can fool me even for a minute is astounding. Sites really should remove ads that confuse where you should be clicking to download what you came there for.

      --
      Never attribute to malice that which is adequately explained by stupidity.
  36. Open source is more secure? by Anonymous Coward · · Score: 0

    But now they have the source, can modify, rebuild it and redistribute it EASIER!

    This proves to me that we cannot trust PRE-COMPILED open source. Pre-compiled OPEN SOURCE is an anti-security pattern.

  37. Whabuh? by geminidomino · · Score: 0

    People are still using FileZilla after the sourceforge scumware installer issue?

    "Amazing..." -- Harry Hoo

    1. Re:Whabuh? by EmagGeek · · Score: 1

      I get it from Ninite.

    2. Re:Whabuh? by CronoCloud · · Score: 1

      I get it from the repos.

  38. Mod parent "-1, RTFA, Moron" by Anonymous Coward · · Score: 1

    Seriously, read the fucking Avast's blog.

    This malware version comes from third party sites, not Sourceforge. What SF did that time is unethical, but at most questionable bundling of optional crapware, not replacing installers with outright malware.

    1. Re:Mod parent "-1, RTFA, Moron" by Khyber · · Score: 1

      Try again when you've had an infection come from SF's installer, like I have, moron.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    2. Re:Mod parent "-1, RTFA, Moron" by Anonymous Coward · · Score: 0

      Try again when you provide actual evidence of "infection" forced on you by Sourceforge, not shitty optional bundles like in the links you gave.

      Also, try again after you RTFA and notice that neither of the sites they mention is remotely related to SF.

  39. I used to wonder about that by Marrow · · Score: 1

    Why is there no yum repository for Windows or OSX? It seems like there is plenty of motivation for them to exist.

    1. Re:I used to wonder about that by _anomaly_ · · Score: 1

      Yeah, me too, and I would bet that Microsoft moves to incorporate the Windows app store into desktops. The app store could easily be expanded to offer desktop versions of software, in addition to tablet and phone versions. It would be a way for Microsoft to have more control over what gets installed on desktops running their OS... and having more control is definitely what they want.

      --
      "I have no special gift, I am only passionately curious." - Albert Einstein
  40. No, don't bother... yes really by fatphil · · Score: 1

    Thinking that you will be secure by putting bad domain names into your host file will lead to tears of failure because:

    a) it's attempting to enumerate badness. There's always new badness, you can't enumerate it all. New badness can be created quicker than you can update your hosts file.

    b) bad software can happily use a randomly or dynamically generated name which you cannot add to your hosts file, as it can't be known in advance, and may only be used once.

    --
    Also FatPhil on SoylentNews, id 863
    1. Re:No, don't bother... yes really by Anonymous Coward · · Score: 0

      b) bad software can happily use a randomly or dynamically generated name which you cannot add to your hosts file, as it can't be known in advance, and may only be used once.

      Shame that the host file doesn't understand wildcards in hostnames.

    2. Re:No, don't bother... yes really by cbiltcliffe · · Score: 1

      Thinking that you will be secure by putting bad domain names into your host file will lead to tears of failure because:

      a) it's attempting to enumerate badness. There's always new badness, you can't enumerate it all. New badness can be created quicker than you can update your hosts file.

      b) bad software can happily use a randomly or dynamically generated name which you cannot add to your hosts file, as it can't be known in advance, and may only be used once.

      How do we know that the malware uses a domain name in the first place? Maybe it just uses the IP address, which of course, cannot be blocked by modifying the hosts file, regardless of what apk will tell you.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  41. Yes to verify the binary other people use is OK by Anonymous Coward · · Score: 0

    What we want to be able to do here is verify that the binaries that are available on the webpage (and that most people use) actually are compiled from the source code the webpage says they are compiled from.

    Otherwise the programmer might have a nice and clean source for people to inspect, but in reality the binary people use is made from another evil source.

  42. Problem Bigger Than Solution by Anonymous Coward · · Score: 0

    1. package manager of your distro (ie. trust someone trustworthy to curate)
    2. git clone; make (ie. get it from the developers directly)

    Anything else is basically eating candy you found on the street.

    git clone; make is an absurdly fallacious "solution". It would be just as easy for the malware distributors to offer up infected git repositories as it is for them to offer up infected binaries. There's no way for the end user to know if the git repository is any less infected than the binary distribution.

    Any claims that the end user can "just" look at the source are even more absurd. Even seasoned programmers would largely fail to identify malicious code from real code and most end users are not programmers at all.

    The only solution that I can see is for there to be a single trusted source for the binaries and the source code. It's still not perfect as an intrusion at the source could infect everything, but getting your software directly from the developer(group) versus all sorts of SEO pushed crap sites is the end user's only/best chance.

    Unfortunately Googling for Filezilla gives the end user lots of choices including CNet, Source Forge, File Hippo...

    What they really need is Filezilla. This sadly redirects to SourceForge.

    1. Re:Problem Bigger Than Solution by verbatim_verbose · · Score: 1

      If you trust solution (1), then you can just as easily trust solution (2) if you clone from a gpg-signed git tag.

  43. Actually, I was talking about freeware/shareware by Marrow · · Score: 1

    There are tonnes of packages that are available for free for windows. Winscp, putty, etc. But currently there is no one way to just say "gimme that", other than google/browse/download without verify. There is a system under cygwin to download software and maybe that is what most people use. But I don't think it covers everything.

  44. Re:"Download Now" ads... by WoTG · · Score: 1

    Unfortunately, it's not that easy to remove "all" of those annoying, misleading, "download now" ads. My website shows ads through Google AdSense (i.e. the biggest ad network out there) and despite my going through every week or two to ban entire misleading advertiser accounts, there are always new "Download" ads waiting in the queue from new accounts. I've literally blocked hundreds of accounts by now - 5 or 10 every week for a year or two.

    I feel bad for my random users that get caught by the adware (or worse) that is available on these sites; but, there's not much I can do about it.

    I think it's time Google did some work on this - there must be hundreds of AdSense users like myself blocking off advertisers, they should be using their magic to disable accounts entirely from their system after a few people flag bad ads...

  45. Re:That's not the only place you'll find these dll by hyades1 · · Score: 1

    Thanks for the information. I've found that a heads-up on certain file names can be quite helpful, however. If a particular file name has been targeted by nasty people, I'll just submit the one on my machine for analysis by one of the many on-line anti-malware sites that attend to such things.

    As it works out, I've learned that according to several sources the specific DLL's on my system are OK. They're where they belong, they're exactly the right size and contain exactly what they should contain...nothing more, nothing less.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  46. FTP? by Anonymous Coward · · Score: 0

    people still use FTP? Just asking. I haven't logged into an FTP server since the year 2000 or so.

  47. Telnet? by laie_techie · · Score: 2

    I use telnet to debug different servers. For example, I may telnet on port 80 to verify that httpd is running and is properly configured, or to get the real error message hidden by the "helpful" message by my email client.

    1. Re:Telnet? by Anonymous Coward · · Score: 0

      Professionals use tools like netcat for testing connectivity between systems on specific TCP ports or to ensure there is a service listening.

      Now if you need to actually interact with a service in a specific way, for example telnet to an smtp service to send mail, I guess telnet is useful in that case.

    2. Re:Telnet? by laie_techie · · Score: 1

      Professionals use tools like netcat for testing connectivity between systems on specific TCP ports or to ensure there is a service listening.

      Now if you need to actually interact with a service in a specific way, for example telnet to an smtp service to send mail, I guess telnet is useful in that case.

      Verifying that httpd is properly configured and running involves more than seeing if a server is listening on port 80 - it involves sending proper headers and comparing the response with what I'm expecting.
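What laie_techie describes in comments 47 and 47.2, typed into telnet, as an added Python example (not code from any commenter): a raw HTTP request over a plain socket, the status line and headers parsed out, and the result compared with what the admin expects. The server it probes is a constructed stand-in started on a random loopback port so the whole thing runs offline; `check_httpd` and the expected header values are assumptions for the demo, not anyone's real configuration.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _StandInHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the httpd under test: answers GET / with a tiny page."""

    def do_GET(self):
        body = b"<html>ok</html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_test_server():
    """Bind the stand-in server to 127.0.0.1 on a free port and serve in the background."""
    srv = HTTPServer(("127.0.0.1", 0), _StandInHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def raw_http_probe(host, port, path="/", timeout=5.0):
    """Send exactly what you would type into telnet and return the parsed reply.

    Connection: close makes the server end the exchange, so reading until EOF
    collects the complete response without guessing at Content-Length.
    """
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)  # e.g. "HTTP/1.0 200 OK"
    status = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "reason": reason, "headers": headers, "body": body}


def check_httpd(host, port, expect_status=200, expect_headers=None):
    """Compare the probe with the admin's expectations; return (ok, list_of_problems)."""
    result = raw_http_probe(host, port)
    problems = []
    if result["status"] != expect_status:
        problems.append(f"status {result['status']} != {expect_status}")
    for name, want in (expect_headers or {}).items():
        got = result["headers"].get(name.lower())
        if got is None or want not in got:
            problems.append(f"header {name}: got {got!r}, wanted {want!r}")
    return (not problems), problems


def demo():
    """Probe the stand-in server with a matching and a mismatching expectation."""
    srv = start_test_server()
    try:
        port = srv.server_address[1]
        ok_match, _ = check_httpd("127.0.0.1", port, 200, {"Content-Type": "text/html"})
        ok_mismatch, _ = check_httpd("127.0.0.1", port, 200, {"Content-Type": "application/json"})
        return ok_match, ok_mismatch
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print(demo())
```

Pointing `check_httpd` at a real host and port gives the same "send proper headers, compare the response" check the comment describes, with the expected status and header values filled in from that server's intended configuration.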

  48. Re: Defamation by um...+Lucas · · Score: 2

    Why would the nsa need to steal FTP logins this way? Aren't FTP logins already done in plain text, meaning they could scarf them up as the traffic's going through routers they control?

  49. Filezilla server or Client by Anonymous Coward · · Score: 0

    Any word on whether this affects client or server versions of the software or both? I can't seem to find it mentioned anywhere.

  50. Re:"Download Now" ads... by jdi_knght · · Score: 1

    I've also had to spend an extraordinary amount of time fighting to keep the naughty "download" Google ads off one of my sites. I eventually gave up - I'd rather throw random affiliate ads at people even if they pay poorly, rather than risking visitors who think that just because my site is trustworthy, that the Google-provided download link must be too. The 10 cents I might get from that 1 ad is probably costing someone else 3 hours of time to scrub the spyware from the all the corners of the victim's computer.

    I think it's time Google did some work on this - there must be hundreds of AdSense users like myself blocking off advertisers, they should be using their magic to disable accounts entirely from their system after a few people flag bad ads...

    I completely agree. Actually, they already have the tools to trigger manual reviews before an ad is approved (try creating an ad in AdWords with "prescription" in it). The only thing stopping them from adding "download" type terms to that system seems to be their move away from the Don't Be Evil mantra to the We Like Money mantra. Ads for spyware-ridden stuff have been out of hand for a while, and I'm sure they know it. I suspect they like it that way, as it keeps minimum bids high. If you have a program and you want it to rank in the ads for its own search terms, you have to pony up a lot of money even if you offer the program itself for free.

    To be fair, Bing isn't any better here. But I think there's a reasonable expectation that Google should be the one trying to set the positive trends, since the others will generally follow.

  51. That explains it... by Anonymous Coward · · Score: 0

    My article login at Siemens was locked out after approximately 5K login attempts.

    Phuckers.

  52. isn't filezilla evil enough as it is? by Anonymous Coward · · Score: 0

    I mean with the SourceForge adware shit and all...
    every time I think about sourceforge I get sad now :'-(

    every time you trust something it betrays you

  53. Download progress by Anonymous Coward · · Score: 0

    Your download of FileZilla Client 3.7.3 (nsA build) will begin in 10 second,