Slashdot Mirror


FileZilla Has an Evil Twin That Steals FTP Logins

Nerval's Lobster writes "On the same day the world discovered Western intelligence agencies were siphoning user information from Angry Birds and other popular smartphone apps, a leading antivirus developer revealed hackers are doing the same thing with one of the most popular open-source applications on the Internet. Maliciously modified versions of the popular FTP application FileZilla look and act just like the real thing, but include extra code that steals the login data typed in by users and sends it to an unauthorized server, using the same FTP operation launched by the user, without going through a firewall that might spot what it's doing, according to an alert posted this afternoon by antivirus developer Avast Software. The malicious version is fully functional, uses the same graphical interface and component file names as the original, and masks itself further by avoiding any suspicious entries in the system registry, overt attempts to communicate with outside servers or other changes, according to the Jan. 27 alert from Avast. The most obvious differences are that the poisoned version of filezilla.exe is 6.8MB smaller than the real thing and there are two DLL libraries included in the fake that are not present in the original. They are labeled libgcc_s_dw2-1.dll and libstdc++-6.dll, according to Avast. The official version's Nullsoft installer is v2.45-Unicode; the evil twin uses v2.46.3-Unicode. Automatic updates also fail on the poisoned version, 'which is most likely a protection to prevent overwriting of the malware binaries,' Avast added."

8 of 197 comments

  1. Re:Defamation by Dan+East · Score: 5, Insightful

    You really think the NSA is sending their data to Russian servers? That's where the article says it's going.

    --
    Better known as 318230.
  2. Re:What we need is a mechanism by mwvdlee · Score: 3, Insightful

    Then the problem shifts from getting your binaries from the right website to getting your source code from the right website.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  3. D'oh!! by benjfowler · Score: 3, Insightful

    Stubbed my toe. NSA's fault!!

  4. Two sane ways to install free software. by Arancaytar · Score: 4, Insightful

    1. package manager of your distro (i.e. trust someone trustworthy to curate)
    2. git clone; make (i.e. get it from the developers directly)

    Anything else is basically eating candy you found on the street.

  5. Re:Firewall by Dan+East · Score: 5, Insightful

    That would indeed be a bit more exotic, but from what I can tell it's just doing a simple HTTP GET to the Russian server with the encoded credentials. From the Avast report:
    https://blog.avast.com/wp-cont...

    The DNS lookup to the Russian server and the HTTP GET are there as plain as day.

    --
    Better known as 318230.
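Dan East's reading of the Avast report (a DNS lookup for a second host, then a plain HTTP GET carrying encoded credentials, from the same process that just opened the FTP session) is a detectable pattern in per-process network telemetry. The example below is an added illustration, not code from the Slashdot thread or from Avast: it runs a simple correlation over constructed, Sysmon/EDR-style event lines (timestamp, process image, event kind, detail) and flags any process that opens a file-transfer session on port 21 or 22 and, within a short window, issues an HTTP GET to a host other than the transfer server. The log format, the host names, the 30-second window and the query-string shape are all assumptions made for the example; the real malware's URL layout is not described on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed event lines (not Avast's data). Assumed format:
# <ISO timestamp> <process image> <connect|dns|http> <detail>
# The query-string payload is an invented base64 stand-in for "encoded credentials".
SAMPLE_EVENTS = """\
2014-01-27T10:00:00 filezilla.exe connect ftp.example.com:21
2014-01-27T10:00:01 filezilla.exe dns ftp.example.com
2014-01-27T10:00:02 filezilla.exe dns collector.example
2014-01-27T10:00:02 filezilla.exe http GET http://collector.example/?d=dXNlcjpwYXNz
2014-01-27T10:00:09 filezilla.exe connect ftp.example.com:21
2014-01-27T10:04:00 firefox.exe http GET http://news.example/
2014-01-27T10:05:00 winscp.exe connect sftp.example.org:22
2014-01-27T10:05:01 winscp.exe dns sftp.example.org
"""

# FTP control port plus SSH/SFTP, since DVega's point below applies to WinSCP too.
FILE_TRANSFER_PORTS = {21, 22}
WINDOW = timedelta(seconds=30)   # assumed correlation window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<image>\S+) (?P<kind>connect|dns|http) (?P<detail>.+)$"
)


def parse_events(text):
    """Parse the assumed line format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_sideband_exfil(events, window=WINDOW):
    """Return (image, transfer_host, http_host, url) for every process that
    opened a file-transfer session and, within `window`, did an HTTP GET to
    some other host. A legitimate FTP client has no reason to do that."""
    alerts = []
    by_image = defaultdict(list)
    for ev in events:
        by_image[ev["image"]].append(ev)

    for image, evs in by_image.items():
        evs.sort(key=lambda e: e["ts"])
        sessions = []  # (timestamp, host) of file-transfer connects seen so far
        for ev in evs:
            if ev["kind"] == "connect":
                host, _, port = ev["detail"].rpartition(":")
                if port.isdigit() and int(port) in FILE_TRANSFER_PORTS:
                    sessions.append((ev["ts"], host))
            elif ev["kind"] == "http":
                _method, _, url = ev["detail"].partition(" ")
                http_host = urlparse(url).hostname
                for ts, host in sessions:
                    if ts <= ev["ts"] <= ts + window and http_host != host:
                        alerts.append((image, host, http_host, url))
                        break
    return alerts


if __name__ == "__main__":
    for alert in find_sideband_exfil(parse_events(SAMPLE_EVENTS)):
        print("possible credential side-channel:", alert)
```

Only filezilla.exe is flagged on the sample: the browser's GET has no transfer session behind it, and winscp.exe only resolves the host it actually connects to. The rule is deliberately narrow; it assumes the exfiltration leaves the same process and uses HTTP, which is Dan East's reading of the report and not the "same FTP operation" wording of the summary above. An attacker who tunnels the credentials inside the genuine FTP control connection would not trip it.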
  6. Re:Defamation by Chrisq · Score: 3, Insightful

    There's no evidence this is an NSA program.

    To be honest I really hope there wouldn't be!

  7. Re: people still use FTP? by DVega · Score: 3, Insightful

    SSH will not help here. A modified SSH client (e.g. WinSCP) could do exactly the same. It can even steal your private keys.

    --
    MOD THE CHILD UP!
  8. Please by ledow · Score: 4, Insightful

    Stop all this filesize / filename nonsense.

    Either publish signed hashes of the good version or don't bother at all. If it takes more than a minute to change the filesize / filenames to something arbitrary of your choice as a malware author, I'll be amazed, especially when you could easily make it be the same size as the official one in this case by just padding with zeroes.

    Please stop using these things as identifiers for malware. Same for "check for this registry entry". Any idiot with a copy of the virus can modify the strings in it to use a different reg entry / server / filename / filesize, but what they CAN'T do easily is make a file with the same hash as something official.

    And given that I couldn't even see a GPG key or hash value on the download page of FileZilla at all, pretty much this kind of thing is to be expected.
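ledow's argument is worth seeing in code. The example below is added here and is not part of the thread or of FileZilla's tooling: it builds a constructed "evil twin" of a constructed "genuine" installer by swapping in a payload and zero-padding to the exact original length, then runs both a size check and a SHA-256 check against a published reference digest. The size check passes for the fake; the hash check does not. The byte strings, the payload and the reference digest are all constructed for the demonstration; in practice the digest (or better, a detached GPG signature over it) has to come from the vendor over a channel you trust, not from the same download page that served the binary, and `sha256_file` is the piece you would point at a real installer.

```python
import hashlib
import hmac

# Constructed stand-in for the real installer bytes (not FileZilla's).
GENUINE_INSTALLER = b"FileZilla_setup.exe: genuine bytes (constructed sample)"

# In reality this value comes from the vendor, signed; here it is derived from
# the constructed genuine bytes purely so the example is self-contained.
PUBLISHED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()


def trojanize_same_size(genuine: bytes, payload: bytes) -> bytes:
    """Attacker's side of ledow's point: replace the contents and pad with
    zero bytes so the trojan has exactly the same length as the original."""
    if len(payload) > len(genuine):
        raise ValueError("payload larger than the genuine file; padding cannot hide that")
    return payload + b"\x00" * (len(genuine) - len(payload))


def size_check(candidate: bytes, expected_size: int) -> bool:
    """The weak indicator: trivially satisfiable by padding."""
    return len(candidate) == expected_size


def hash_check(candidate: bytes, published_hex: str) -> bool:
    """The strong indicator: a second preimage for SHA-256 is infeasible, so a
    modified file cannot match the published digest."""
    digest = hashlib.sha256(candidate).hexdigest()
    # compare_digest is constant-time; not important for a local file check,
    # but the right habit for any digest or MAC comparison.
    return hmac.compare_digest(digest, published_hex)


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file on disk in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(candidate: bytes, published_hex: str, expected_size: int) -> dict:
    """Run both checks side by side so the difference is visible."""
    return {
        "size_ok": size_check(candidate, expected_size),
        "hash_ok": hash_check(candidate, published_hex),
    }


# Constructed fake: different contents, identical length.
EVIL_TWIN = trojanize_same_size(
    GENUINE_INSTALLER, b"FileZilla_setup.exe: plus a credential stealer"
)

if __name__ == "__main__":
    for name, blob in (("genuine", GENUINE_INSTALLER), ("evil twin", EVIL_TWIN)):
        print(name, verify_download(blob, PUBLISHED_SHA256, len(GENUINE_INSTALLER)))
```

Against a real download the same check is `sha256sum -c FileZilla_setup.exe.sha256` and, where the project publishes one, `gpg --verify FileZilla_setup.exe.sig FileZilla_setup.exe`; without a signature, a digest hosted next to the binary only proves the download was not corrupted in transit, since whoever replaced the binary can replace the digest too.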