Slashdot Mirror
FileZilla Has an Evil Twin That Steals FTP Logins
Nerval's Lobster writes "On the same day the world discovered Western intelligence agencies were siphoning user information from Angry Birds and other popular smartphone apps, a leading antivirus developer revealed hackers are doing the same thing with one of the most popular open-source applications on the Internet. Maliciously modified versions of the popular FTP application FileZilla look and act just like the real thing, but include extra code that steals the login data typed in by users and sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it's doing, according to an alert posted this afternoon by antivirus developer Avast Software. The malicious version is fully functional, uses the same graphical interface and component file names as the original, and masks itself further by avoiding any suspicious entries in the system registry, overt attempts to communicate with outside servers or other changes, according to the Jan. 27 alert from Avast. The most obvious differences are that the poisoned version of filezilla.exe is 6.8MB smaller than the real thing and there are two DLL libraries included in the fake that are not present in the original. They are labeled ibgcc_s_dw2-1.dll and libstdc++-6.dll, according to Avast. The official version's Nullsoft installer is v2.45-Unicode; the evil twin uses v2.46.3-Unicode. Automatic updates also fail on the poisoned version 'which is most likely a protection to prevent overwriting of the malware binaries,' Avast added."
...for their new installer
The NSA listens to data that the original, unmodified games and apps send. The FileZilla "clone" is manipulated software. If you use the original, your data is not sent to some hacker and hackers have no way of intercepting your data (use of properly encrypted protocols presumed, so not FTP).
I am under the assumption that these dll's (ibgcc_s_dw2-1.dll and libstdc++-6.dll) indicate that this version may have been compiled with MingW. (I am not sure about this, please correct me if I'm wrong) This would mean that it would be safe to assume that there could easily be a Linux version of that FileZilla Evil Twin out there...
Mostly because these dll's are present in projects compiled with MingW.
I'm not fully understanding the "sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it's doing" part. It's posting the stolen credentials via http, not FTP. If FileZilla is only given access to the FTP port then it should block this behavior, correct? I'm just not understanding what's magical about this - any app that is already given blanket permission to access the network in a general way can send data to places it shouldn't go without being blocked by firewalls. They make it sound like there's something special or exotic it's doing to avoid the firewall and I'm not understanding exactly what that is.
Better known as 318230.
You really think the NSA is sending their data to Russian servers? That's where the article says it's going.
Better known as 318230.
So... am I the only one that thinks the NSA version sounds like the better option? Smaller, newer runtime, other bufixes. Sounds like an upgrade.
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
to compile your own binaries from source, and then letting you compare its fingerprint with "official" pre-compiled binaries. No, not a simple hash. Various fingerprints, spread over security-sensitive parts of the software. No idea if such a thing exists, although I remember having seen a discussion here on /. last year.
Religous speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
Take a look in
%APPDATA%\FileZilla\sitemanager.xml
Without a doubt this will be used as propaganda against the entire Open Source community. Everything OSS.
I'd bet the Sales & Marketing Dept. at Microsoft and the all the rest will have talking points in their sales peoples hands before the end of the day.
At this moment, there is nothing about this on the Filezilla project's website. GET ON IT people!
An accurate explanation should be front page before the scare tactics have a chance to work.
Plus, users need an instant & easy way to identify if their version is legit to ease their minds.
Now concerning the bad guys... I'd suggest some sort of vigilante justice is in order.
Perhaps identifying the rogue servers and uploading something the local authorities might be interested in.
"Kittens give Morbo gas!"
Stubbed my toe. NSA's fault!!
1. package manager of your distro (ie. trust someone trustworthy to curate)
2. git clone; make (ie. get it from the developers directly)
Anything else is basically eating candy you found on the street.
There's no evidence this is an NSA program.
This dll names look like legal ones atleast in Linux world. I several time install libstdc++ as an dependencies of other packages.
Duh, logic fail. The article does not claim that these particular DLLs provide the malicious code, but are simply some easily observable differences between the friendly and malicious version.
There is no equivalent in the Windows world to the signed source repositories of Linux. Windows keeps itself updated through signed updates, but does nothing about the other thousands of applications and libraries that are installed. There's probably a good reason why this rogue FTP app isn't in a repository, those evil library files would have to be included in the dependency manifests for all to see. These things survive in Windows because users are forced to install everything from the untrusted web.
"We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
People don't know anymore what a trusted installer is. The right way to install software, if you don't use a package manager, used to be to download the installer from the developer's site and verify its authenticity. Then you could be reasonably sure that it installs the right thing. Now so many legitimate programs use malware-bundled installers that users can't distinguish a good installer from a bad one anymore, because all of them have gone bad.
From TFA
Stolen data is sent to the IP 144.76.120.243 that belongs [to a] server hosted in Germany.
"We found 3 domains that link to same IP:
go-upload.ru created 2012.09.23
aliserv2013.ru created 2013.09.09
ngusto-uro.ru created 2013.09.19
Unfortunately, domains are registered through the infamous Russian domain registrar Naunet.ru, which is associated with malware and spam activities. This registrar hides client contact info and ignores requests to suspend illegal domains.
There's no evidence this is an NSA program.
To be honest I really hope there wouldn't be!
SSH will not help here. A modified SSH client (eg. WinSCP) could do exactly the same. It can even steal your private keys.
MOD THE CHILD UP!
Fair point, but is it included in Windows?
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
This is why we use AV/Malware tools isn't it? Malware is distributed in a lot of different ways and if you download a corrupted installer or image from a questionable site then you should expect something extra with what you're getting. This is what the AV vendors should be watching out for but also take a few minutes of common sense when downloading, otherwise expect to have your info stolen or your system compromised. While I'm glad the Avast researcher here published the warning, I liken this to stories about the NSA, "One more corrupted installer that installs Malware, read all about it!" Now if he'd found out that the information was being leaked back to Germany for spying then it would have been more interesting.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Install only from the source. If you install from a third-party source or don't check the md5sum what did you expect?
Tag story as stupid
Hey, I just found a bottle of whisky by the side of the road.... Party! (what could go wrong?)
Dependency upon additional external DLLs? If this was an NSA thing, they'd design it better than that.
Unless they deliberately introduced an obvious substandard design element precisely to make people think someone else did it, of course.
I assume the malicious version appeared from an unreliable site. So, the obvious solution is to simply download Filezilla from source forge and not some random file host site.
I found both of them in TOR browser software and the pro edition of Easeus Partition Master 9.1.1 (legally obtained, not pirated).
So is there something inherently wrong with dll's bearing that name, or are they OK except when they crop up in Filezilla?
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Stop all this filesize / filename nonsense.
Either publish signed hashes of the good version or don't bother at all. If it takes more than a minute to change the filesize / filenames to something arbitrary of your choice as a malware author, I'll be amazed, especially when you could easily make it be the same size as the official one in this case by just padding with zeroes.
Please stop using these things are identifiers for malware. Same for "check for this registry entry". Any idiot with a copy of the virus can modify the strings in it to use a different reg entry / server / filename / filesize but what they CAN'T do easily is make a file with the same hash as something official.
And given that I couldn't even see a GPG key or hash value on the download page of FileZilla at all, pretty much this kind of thing is to be expected.
They are DLL's used by many programs which are compiled with a certain compiler. It's like saying a program comes bundled with msvcrtXX.dll.
The fact that you're even bothering about the names is much more important. What the hell makes you think that the filename is an indicator of its contents? That DLL could be named the same as a harmless file but contain the virus routines. The name is neither here nor there.
The interesting question is "what's the hash?" - is it an official copy of those files, which is innocent but required by the program because of the compiler used? Or is it just something malicious renamed to look like a common harmless file?
Filenames mean nothing. Service names mean nothing. Process names mean nothing. Registry entry names mean nothing. They can all be changed in seconds and have no correspondence to the CONTENT of those files (hell, you can load a DLL that's called fred.jpg, if you really want).
https://forum.filezilla-projec...
https://forum.filezilla-projec...
https://forum.filezilla-projec...
Anyone using Source Forge should walk the fuck away right now and never go back. They are the ones responsible for this.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
This one example why Open Source sites need to take the threat of Advertsm mimicking download buttons on their sites.
Instead they are still glossing over the risks.
http://sourceforge.net/blog/ha...
Yes, and it's more than 10x slower than FTP.
People still use telnet extensively too...
The primary reason for the use of both ftp and telnet instead of ssh, is because windows still comes with ftp and telnet clients but no ssh, so you can be guaranteed that virtually any machine you ever use will have a client.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Seriously, read the fucking Avast's blog.
This malware version comes from third party sites, not Sourceforge. What SF did that time is unethical, but at most questionable bundling of optional crapware, not replacing installers with outright malware.
It's supported by Filezilla, anyway. I use that if I quickly need to transfer files to/from a linux box on a LAN, with only openssh-server needed on the other machine. It's also really easy to use for beginner/non-technical users, and is an apt-get install away on linux too.
Why is there no yum repository for Windows or OSX. It seems like there is plenty of motivation for them to exist.
Thinking that you will be secure by putting bad domain names into your host file will tead to tears of failure because:
a) it's attempting to enumerate badness. There's always new badness, you can't enumerate it all. New badness can be created quicker than you can update your hosts file.
b) bad software can happily use a randomly or dynamically generated name which you cannot add to your hosts file, as it can't be known in advance, and may only be used once.
Also FatPhil on SoylentNews, id 863
I may be particularly lucky but I seem to hit ~10MB/s on a 100Mb LAN constantly, even when both ends are half-decent Pentium 3 level hardware. Seen an ssh transfer slow when using WinSCP, or worse with a ssh server run on *Windows* (I think that one just uses Cygwin)
Even more fun there's Dokan sshfs you can run on Windows : slow but enough to play music and movie files from the linux remote host.
Slowest I've seen was downloading files with scp under MS-DOS, it was like 80KB/s but there was something wrong with that stupid TSR networking going on, as I had done the same 10x-20x faster on a slower PC before.
If ssh is that slow for you you're maybe doing something wrong (like using a piece of shit Raspberry with data on ntfs-3g, inescapable USB networking and storage? I never tried that set up but it would be comical)
So, windows still doesn't include the world's most used connection/command/control software despite it being ancient and you have to use some 3rd party software just to get windows up to the same level as almost any other OS?
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
The problem is that this news will now cause legitimate software that just happens to use these libs to be labelled as suspect, and the authors of malware will simply use a different compiler setup that doesn't require these two libs (eg the official bin is much larger most likely because it includes the functionality that the malicious version draws from these libs)
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Microsoft seems to have the decency of not including telnet by default these days. I remember being pissed by that once. Thanksfully about the only legitimate reason to use telnet was to login to your modem or router and this has been superceded by web interfaces. Or so I hope ;), maybe some people rely on it in the enterprise - in a segregated control network to access whatever stuff, or in industry to access embedded/industrial stuff, not on the internet either. It's so crude I think of it as kind of a serial cable.
ftp is/ought to be considered deprecated, too. It will probably linger for ages because of legacy but I could read a nice detailed argument (and fun rant about security and creaking'oldness) that it's not even needed. http or ssh can do the job instead. There seems to be plenty (more tempered, concise) results with a "don't use ftp" Google search.
Maybe ftp can be used for world readable, guest-user public archives and that's all.
What do you mean? it comes with the Microsoft RDP client, sometimes a RDP server named "Remote Assistance" and of course Internet Exploiter :D
Can even share a directory over the network by right-clicking on it. Well, if it was not buried by more wizards and login errors, I dunno.
Plus he was making the apparently fallacious assumption that the article writers had any idea what they were talking about.
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
It is possible to tune ssh better but most people aren't aware of it and just use some off-the-shelf client as delivered. Even so, the best I've seen ssh clocked is at 1/2 the speed of FTP. If you're moving gigabytes of data, FTP is still the ticket. If you need encryption, do it first on the data files.
There are tonnes of packages that are available for free for windows. Winscp, putty, etc, But currently there is no one way to just say "gimme that". Other than google/browse/download without verify. There is a system under cygwin to download software and maybe that is what most people use. But I dont think it covers everything.
Unfortunately, it's not that easy to remove "all" of those annoying, misleading, "download now" ads. My website shows ads through Google AdSense (i.e. the biggest ad network out there) and despite my going through every week or two to ban entire misleading advertiser accounts, there are always new "Download" ads waiting in the queue from new accounts. I've literally blocked hundreds of accounts by now - 5 or 10 every week for a year or two.
I feel bad for my random users that get caught by the adware (or worse) that is available on these sites; but, there's not much I can do about it.
I think it's time Google did some work on this - there must be hundreds of AdSense users like myself blocking off advertisers, they should be using their magic to disable accounts entirely from their system after a few people flag bad ads...
I know telnet sucks and everyone wants to disable ICMP everywhere too but it's so easy... does it resolve, ping, trace, telnet, yes/no here is the most likely cause.
If you trust solution (1), then you can just as easily trust solution (2) if you clone from a gpg-signed git tag.
Thanks for the information. I've found that a heads-up on certain file names can be quite helpful, however. If a particular file name has been targeted by nasty people, I'll just submit the one on machine for analysis by one of the many on-line anti-malware sites that attend to such things.
As it works out, I've learned that according to several sources the specific DLL's on my system are OK. They're where they belong, they're exactly the right size and contain exactly what they should contain...nothing more, nothing less.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
I get it from Ninite.
FTP is commonly used in business to send files from one business to another. They just drop it in a specified folder on the FTP server and the server polls the file system every minute or so to find new files. These systems have been around for decades. Even getting them to upgrade the security to secure FTP was difficult enough.
Peter predicted that you would "deliberately forget" creation 2000 years ago...
I use telnet to debug different servers. For example, I may telnet on port 80 to verify that httpd is running and is properly configured, or to get the real error message hidden by the "helpful" message by my email client.
Why would the nsa need to steal FTP logins this way? Aren't FTP logins already done in plain text, meaning they could scarf them up as the traffics going through routers they control?
I get it from the repos.
Doubtful, but no worries, Flash will save the day!
I've also had to spend an extraordinary amount of time fighting to keep the naughty "download" Google ads off one of my sites. I eventually gave up - I'd rather throw random affiliate ads at people even if they pay poorly, rather than risking visitors who think that just because my site is trustworthy, that the Google-provided download link must be too. The 10 cents I might get from that 1 ad is probably costing someone else 3 hours of time to scrub the spyware from the all the corners of the victim's computer.
I think it's time Google did some work on this - there must be hundreds of AdSense users like myself blocking off advertisers, they should be using their magic to disable accounts entirely from their system after a few people flag bad ads...
I completely agree. Actually, they already have the tools to trigger manual reviews before an ad is approved (try creating an add in AdWords with "prescription" in it). The only thing stopping them from adding "download" type terms to that system seems to be their move away from the Don't Be Evil mantra to the We Like Money mantra. Ads for spyware-ridden stuff have been out of hand for a while, and I'm sure they know it. I suspect they like it that way, as it keeps minimum bids high. If you have a program and you want it to rank in the ads for it's own search terms , you have to pony up a lot of money even if you offer the program itself for free.
To be fair, Bing isn't any better here. But I think there's a reasonable expectation that Google should be the one trying to set the positive trends, since the others will generally follow.
If you're moving gigabytes of data, FTP is still the ticket. If you need encryption, do it first on the data files.
That does nothing to prevent your password from being sniffed.
However, like the GP, I've managed 8-10 MB/s to a Pentium 3 server on a 100Mb network, which is barely slower than FTP on the same hardware. It certainly loads the processor more than FTP does, so if you're trying to do multiple client connections on a Gigabit network with a low end processor in the server, you might slow things down. Maybe that's what your use case is?
"City hall" in German is "Rathaus" Kinda explains a few things......