Slashdot Mirror
FileZilla Has an Evil Twin That Steals FTP Logins
Nerval's Lobster writes "On the same day the world discovered Western intelligence agencies were siphoning user information from Angry Birds and other popular smartphone apps, a leading antivirus developer revealed hackers are doing the same thing with one of the most popular open-source applications on the Internet. Maliciously modified versions of the popular FTP application FileZilla look and act just like the real thing, but include extra code that steals the login data typed in by users and sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it's doing, according to an alert posted this afternoon by antivirus developer Avast Software. The malicious version is fully functional, uses the same graphical interface and component file names as the original, and masks itself further by avoiding any suspicious entries in the system registry, overt attempts to communicate with outside servers or other changes, according to the Jan. 27 alert from Avast. The most obvious differences are that the poisoned version of filezilla.exe is 6.8MB smaller than the real thing and there are two DLL libraries included in the fake that are not present in the original. They are labeled ibgcc_s_dw2-1.dll and libstdc++-6.dll, according to Avast. The official version's Nullsoft installer is v2.45-Unicode; the evil twin uses v2.46.3-Unicode. Automatic updates also fail on the poisoned version 'which is most likely a protection to prevent overwriting of the malware binaries,' Avast added."
Mostly because these dll's are present in projects compiled with MingW.
I'm not fully understanding the "sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it's doing" part. It's posting the stolen credentials via http, not FTP. If FileZilla is only given access to the FTP port then it should block this behavior, correct? I'm just not understanding what's magical about this - any app that is already given blanket permission to access the network in a general way can send data to places it shouldn't go without being blocked by firewalls. They make it sound like there's something special or exotic it's doing to avoid the firewall and I'm not understanding exactly what that is.
Better known as 318230.
You really think the NSA is sending their data to Russian servers? That's where the article says it's going.
Better known as 318230.
So... am I the only one that thinks the NSA version sounds like the better option? Smaller, newer runtime, other bufixes. Sounds like an upgrade.
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
Without a doubt this will be used as propaganda against the entire Open Source community. Everything OSS.
I'd bet the Sales & Marketing Dept. at Microsoft and the all the rest will have talking points in their sales peoples hands before the end of the day.
At this moment, there is nothing about this on the Filezilla project's website. GET ON IT people!
An accurate explanation should be front page before the scare tactics have a chance to work.
Plus, users need an instant & easy way to identify if their version is legit to ease their minds.
Now concerning the bad guys... I'd suggest some sort of vigilante justice is in order.
Perhaps identifying the rogue servers and uploading something the local authorities might be interested in.
"Kittens give Morbo gas!"
Then the problem shifts from getting your binaries from the right website to getting your sourcecode from the right website.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Stubbed my toe. NSA's fault!!
1. package manager of your distro (ie. trust someone trustworthy to curate)
2. git clone; make (ie. get it from the developers directly)
Anything else is basically eating candy you found on the street.
This dll names look like legal ones atleast in Linux world. I several time install libstdc++ as an dependencies of other packages.
Duh, logic fail. The article does not claim that these particular DLLs provide the malicious code, but are simply some easily observable differences between the friendly and malicious version.
There is no equivalent in the Windows world to the signed source repositories of Linux. Windows keeps itself updated through signed updates, but does nothing about the other thousands of applications and libraries that are installed. There's probably a good reason why this rogue FTP app isn't in a repository, those evil library files would have to be included in the dependency manifests for all to see. These things survive in Windows because users are forced to install everything from the untrusted web.
"We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
From TFA
Stolen data is sent to the IP 144.76.120.243 that belongs [to a] server hosted in Germany.
"We found 3 domains that link to same IP:
go-upload.ru created 2012.09.23
aliserv2013.ru created 2013.09.09
ngusto-uro.ru created 2013.09.19
Unfortunately, domains are registered through the infamous Russian domain registrar Naunet.ru, which is associated with malware and spam activities. This registrar hides client contact info and ignores requests to suspend illegal domains.
No need to be condescending. I use FOSS all the time. Yet, AFAIK, there is no such mechanism that lets a developer introduce security fingerprints which "tag" a critical section of code, and which the compiler adds to the binaries, in such a way that after compiling source locally, you can check critical parts of your binaries on compliance with the "official" fingerprints. Or am I mistaken ?
There is no mechanism in most compilers/linkers that allows you to recreate the exact same executable that someone else built, byte by byte. You would need a compiler to be hundred percent deterministic. I could imagine some optimisation algorithms working better with some randomisation, so that wouldn't be possible. a+b could sometimes translate to "load a, add b" and sometimes "load b, add a". Things like the __FILE__ macro in C or C++ include the full path of the file, which is different on your machine than on mine. And of course you'd need the exact same build environment. Exact same version of every library that is used.
It doesn't exist because the results of your compilation would depend on the version of the compiler you used to do the compilation and what optimization flags you used (due to target object code and optimizations performed). Either you compile from source which you can first check against a known cryptographic checksum, or you run binaries that have been cryptographically signed by the developer. What you are suggesting would require unnecessary added complexity for no gain in security.
Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
There's no evidence this is an NSA program.
To be honest I really hope there wouldn't be!
What you seem to want is Gentoo.
Gentoo? I've only got an 8 core machine with 64G of RAM.
When our name is on the back of your car, we're behind you all the way!
The binary is never going to be identical - it contains all kinds of platform- or compiler-dependent stuff, as well as timestamps. Depending on optimization flags, the compiler may even restructure it differently, with no practical way to isolate security-relevant portions that should remain unchanged. And a malicious payloads could be basically anywhere in the executable, so every part is security-relevant.
The approach is still good, but since it already involves distributing the source code, it would make more sense to sign the source instead of the binary.
The question is really do you have SSD. It only takes a few days to build gentoo on some architecture which actually benefits from it, like a K6... with a laptop drive. On a modern machine with a SSD you ought to be able to knock it out in actually quite reasonable time.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
SSH will not help here. A modified SSH client (eg. WinSCP) could do exactly the same. It can even steal your private keys.
MOD THE CHILD UP!
This is why we use AV/Malware tools isn't it? Malware is distributed in a lot of different ways and if you download a corrupted installer or image from a questionable site then you should expect something extra with what you're getting. This is what the AV vendors should be watching out for but also take a few minutes of common sense when downloading, otherwise expect to have your info stolen or your system compromised. While I'm glad the Avast researcher here published the warning, I liken this to stories about the NSA, "One more corrupted installer that installs Malware, read all about it!" Now if he'd found out that the information was being leaked back to Germany for spying then it would have been more interesting.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
You're over thinking it.
if you're compiling from source, check the hash of the source against an official source of the source.
If you're running a pre-compiled binary, then check the hash of the binary with an official source of the binary.
Install only from the source. If you install from a third-party source or don't check the md5sum what did you expect?
Tag story as stupid
Hey, I just found a bottle of whisky by the side of the road.... Party! (what could go wrong?)
Dependency upon additional external DLLs? If this was an NSA thing, they'd design it better than that.
Unless they deliberately introduced an obvious substandard design element precisely to make people think someone else did it, of course.
I assume the malicious version appeared from an unreliable site. So, the obvious solution is to simply download Filezilla from source forge and not some random file host site.
it wouldn't surprise me that if it were SourceForge's own "custom downloader" that's the one pushing the altered versions with login stealing functionality... it's been pushing adware and other crap too and FileZilla especially has been hit by this. Here's a short selection of complaints from the FileZilla forums:
https://forum.filezilla-project.org/viewtopic.php?f=2&t=30240
(this one has screenshots documenting the EXE installer hijacking done by SourceForge)
or this one: https://forum.filezilla-project.org/viewtopic.php?f=1&t=31127
and more... https://forum.filezilla-project.org/search.php?keywords=sourceforge+adware
Stop all this filesize / filename nonsense.
Either publish signed hashes of the good version or don't bother at all. If it takes more than a minute to change the filesize / filenames to something arbitrary of your choice as a malware author, I'll be amazed, especially when you could easily make it be the same size as the official one in this case by just padding with zeroes.
Please stop using these things are identifiers for malware. Same for "check for this registry entry". Any idiot with a copy of the virus can modify the strings in it to use a different reg entry / server / filename / filesize but what they CAN'T do easily is make a file with the same hash as something official.
And given that I couldn't even see a GPG key or hash value on the download page of FileZilla at all, pretty much this kind of thing is to be expected.
Well, yes, because you have to store and send the original password.
You can't send the hash to a remote FTP server as a login, they won't accept it. And the definition of a hash is basically to make it difficult to "work backwards" to a username from it.
So, somewhere, you either have to store in plaintext or in a file which the program encrypts and has full capabilities and permissions to read. About the only way to do this efficiently and safely is to have a "locked" wallet kind of affair that the user has to supply a global password too.
The problem here is NOT that the passwords are stored (FileZilla is an end-user tool, so the chances of some ISP "losing" thousands of passwords by using it is stupidity itself). It's that the program itself is malware and capable of doing anything that FileZilla has permission to do - e.g. read from the keyboard and connect to remote servers.
They are DLL's used by many programs which are compiled with a certain compiler. It's like saying a program comes bundled with msvcrtXX.dll.
The fact that you're even bothering about the names is much more important. What the hell makes you think that the filename is an indicator of its contents? That DLL could be named the same as a harmless file but contain the virus routines. The name is neither here nor there.
The interesting question is "what's the hash?" - is it an official copy of those files, which is innocent but required by the program because of the compiler used? Or is it just something malicious renamed to look like a common harmless file?
Filenames mean nothing. Service names mean nothing. Process names mean nothing. Registry entry names mean nothing. They can all be changed in seconds and have no correspondence to the CONTENT of those files (hell, you can load a DLL that's called fred.jpg, if you really want).
It's a FTP client! If you use passwords there, you're doing it wrong.
It's an ancient protocol that sends logins and passwords over the network in plain text, and you're concerned with storing them on your disk unencrypted?
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
The number of times I have accidently clicked on an ad Download button instead of the actual download button on sites I am not familiar with is astounding. I always have caught on quickly, stopped the incorrect download and then gone looking for the correct one, but as a Comp Sci PhD candidate and computer security practitioner, the fact that it can fool me even for a minute is astounding. Sites really should remove ads that confuse where you should be clicking to download what you came there for.
Never attribute to malice that which is adequately explained by stupidity.
Yes, and it's more than 10x slower than FTP.
what I find funny is that the poisoned extra payload version is several megabytes smaller than the clean one!
world was created 5 seconds before this post as it is.
People still use telnet extensively too...
The primary reason for the use of both ftp and telnet instead of ssh, is because windows still comes with ftp and telnet clients but no ssh, so you can be guaranteed that virtually any machine you ever use will have a client.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
No, but why would you want to do things in such a convoluted way?
Typically you just verify that the sourcecode you build from matches the published source through the use of checksums and/or gpg signatures... Verifying the resulting binaries would be flawed, as all manner of things could change the resulting binaries such as compile time flags, development headers, compiler version, linked libraries, linker/compiler options etc.
Aside from verifying the original source, if there are modifications made to the source from the official version these are typically distributed as small patch/diff files making it very easy to identify what's been changed...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
filezilla.exe is smaller, but it also includes libgcc and libstdc++ - they're several megabytes and probably statically linked in the official version.
To be fair, it also supports SSH File Copy (SFTP) and FTP over SSL/TLS (FTPS). Also, FTP can be secure if tunneled over a VPN.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
So, windows still doesn't include the world's most used connection/command/control software despite it being ancient and you have to use some 3rd party software just to get windows up to the same level as almost any other OS?
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
Microsoft seems to have the decency of not including telnet by default these days. I remember being pissed by that once. Thanksfully about the only legitimate reason to use telnet was to login to your modem or router and this has been superceded by web interfaces. Or so I hope ;), maybe some people rely on it in the enterprise - in a segregated control network to access whatever stuff, or in industry to access embedded/industrial stuff, not on the internet either. It's so crude I think of it as kind of a serial cable.
ftp is/ought to be considered deprecated, too. It will probably linger for ages because of legacy but I could read a nice detailed argument (and fun rant about security and creaking'oldness) that it's not even needed. http or ssh can do the job instead. There seems to be plenty (more tempered, concise) results with a "don't use ftp" Google search.
Maybe ftp can be used for world readable, guest-user public archives and that's all.
Sounds like they cut out the auto-update code. That would drop a few megabytes.
Genocide Man -- Life is funny. Death is funnier. Mass murder can be hilarious.
I use telnet to debug different servers. For example, I may telnet on port 80 to verify that httpd is running and is properly configured, or to get the real error message hidden by the "helpful" message by my email client.
Why would the nsa need to steal FTP logins this way? Aren't FTP logins already done in plain text, meaning they could scarf them up as the traffics going through routers they control?
Hi Folks,
SourceForge is aware of the malformed FileZilla FTP and are no way associated with or responsible for this malicious program posing as FileZilla.
The FileZilla installer on SourceForge is a stub that encapsulates the actual FileZilla installer to ensure the original FileZilla software is delivered. All offers that are presented when downloading FileZilla are optional and go through a rigorous verification and strict compliance process to make sure they are not malicious and virus free. No personally identifiable information is ever collected.
Best regards,
The SourceForge Community Team
Doubtful, but no worries, Flash will save the day!
Your SFInstaller is the most annoying thing ever, and I actively encourage open-source projects to leave SourceForge because of its existence, whether it is supposedly voluntary or not.
when the download from sourceforge can't be trusted
is it so strange that people try to download the software from elsewhere?
(When sf came to filezilla wanting them to join in on this stupidity, filezilla should have stood up, said "Hell no!!" and quickly moved the project elsewhere, and maybe maybe sf would have scrapped the idea altogether "ok this was perhaps not a good idea after all"... but it is too late now. the damage is done, sf is dead in my eyes)