Slashdot Mirror

← Back to Stories (view on slashdot.org)

FileZilla Has an Evil Twin That Steals FTP Logins

Posted by Unknown on from the install-our-toolbar-today dept.

Nerval's Lobster writes "On the same day the world discovered Western intelligence agencies were siphoning user information from Angry Birds and other popular smartphone apps, a leading antivirus developer revealed hackers are doing the same thing with one of the most popular open-source applications on the Internet. Maliciously modified versions of the popular FTP application FileZilla look and act just like the real thing, but include extra code that steals the login data typed in by users and sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it's doing, according to an alert posted this afternoon by antivirus developer Avast Software. The malicious version is fully functional, uses the same graphical interface and component file names as the original, and masks itself further by avoiding any suspicious entries in the system registry, overt attempts to communicate with outside servers or other changes, according to the Jan. 27 alert from Avast. The most obvious differences are that the poisoned version of filezilla.exe is 6.8MB smaller than the real thing and there are two DLL libraries included in the fake that are not present in the original. They are labeled ibgcc_s_dw2-1.dll and libstdc++-6.dll, according to Avast. The official version's Nullsoft installer is v2.45-Unicode; the evil twin uses v2.46.3-Unicode. Automatic updates also fail on the poisoned version 'which is most likely a protection to prevent overwriting of the malware binaries,' Avast added."

3 of 197 comments (clear)

  1. Re:Also Ran by Anonymous Coward · · Score: 5, Informative

    Mostly because these dll's are present in projects compiled with MingW.

  2. Update your HOSTS file...yes really. by Bearhouse · · Score: 5, Informative

    From TFA

    Stolen data is sent to the IP 144.76.120.243 that belongs [to a] server hosted in Germany.

    "We found 3 domains that link to same IP:
    go-upload.ru created 2012.09.23
    aliserv2013.ru created 2013.09.09
    ngusto-uro.ru created 2013.09.19

    Unfortunately, domains are registered through the infamous Russian domain registrar Naunet.ru, which is associated with malware and spam activities. This registrar hides client contact info and ignores requests to suspend illegal domains.

  3. Re:Blame Source Forge... by Anonymous Coward · · Score: 5, Informative

    it wouldn't surprise me that if it were SourceForge's own "custom downloader" that's the one pushing the altered versions with login stealing functionality... it's been pushing adware and other crap too and FileZilla especially has been hit by this. Here's a short selection of complaints from the FileZilla forums:

    https://forum.filezilla-project.org/viewtopic.php?f=2&t=30240
    (this one has screenshots documenting the EXE installer hijacking done by SourceForge)

    or this one: https://forum.filezilla-project.org/viewtopic.php?f=1&t=31127
    and more... https://forum.filezilla-project.org/search.php?keywords=sourceforge+adware