Slashdot Mirror
FileZilla Has an Evil Twin That Steals FTP Logins
Nerval's Lobster writes "On the same day the world discovered Western intelligence agencies were siphoning user information from Angry Birds and other popular smartphone apps, a leading antivirus developer revealed hackers are doing the same thing with one of the most popular open-source applications on the Internet. Maliciously modified versions of the popular FTP application FileZilla look and act just like the real thing, but include extra code that steals the login data typed in by users and sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it's doing, according to an alert posted this afternoon by antivirus developer Avast Software. The malicious version is fully functional, uses the same graphical interface and component file names as the original, and masks itself further by avoiding any suspicious entries in the system registry, overt attempts to communicate with outside servers or other changes, according to the Jan. 27 alert from Avast. The most obvious differences are that the poisoned version of filezilla.exe is 6.8MB smaller than the real thing and there are two DLL libraries included in the fake that are not present in the original. They are labeled ibgcc_s_dw2-1.dll and libstdc++-6.dll, according to Avast. The official version's Nullsoft installer is v2.45-Unicode; the evil twin uses v2.46.3-Unicode. Automatic updates also fail on the poisoned version 'which is most likely a protection to prevent overwriting of the malware binaries,' Avast added."
Mostly because these dll's are present in projects compiled with MingW.
I'm not fully understanding the "sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it's doing" part. It's posting the stolen credentials via http, not FTP. If FileZilla is only given access to the FTP port then it should block this behavior, correct? I'm just not understanding what's magical about this - any app that is already given blanket permission to access the network in a general way can send data to places it shouldn't go without being blocked by firewalls. They make it sound like there's something special or exotic it's doing to avoid the firewall and I'm not understanding exactly what that is.
Better known as 318230.
You really think the NSA is sending their data to Russian servers? That's where the article says it's going.
Better known as 318230.
So... am I the only one that thinks the NSA version sounds like the better option? Smaller, newer runtime, other bufixes. Sounds like an upgrade.
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
1. package manager of your distro (ie. trust someone trustworthy to curate)
2. git clone; make (ie. get it from the developers directly)
Anything else is basically eating candy you found on the street.
From TFA
Stolen data is sent to the IP 144.76.120.243 that belongs [to a] server hosted in Germany.
"We found 3 domains that link to same IP:
go-upload.ru created 2012.09.23
aliserv2013.ru created 2013.09.09
ngusto-uro.ru created 2013.09.19
Unfortunately, domains are registered through the infamous Russian domain registrar Naunet.ru, which is associated with malware and spam activities. This registrar hides client contact info and ignores requests to suspend illegal domains.
No need to be condescending. I use FOSS all the time. Yet, AFAIK, there is no such mechanism that lets a developer introduce security fingerprints which "tag" a critical section of code, and which the compiler adds to the binaries, in such a way that after compiling source locally, you can check critical parts of your binaries on compliance with the "official" fingerprints. Or am I mistaken ?
There is no mechanism in most compilers/linkers that allows you to recreate the exact same executable that someone else built, byte by byte. You would need a compiler to be hundred percent deterministic. I could imagine some optimisation algorithms working better with some randomisation, so that wouldn't be possible. a+b could sometimes translate to "load a, add b" and sometimes "load b, add a". Things like the __FILE__ macro in C or C++ include the full path of the file, which is different on your machine than on mine. And of course you'd need the exact same build environment. Exact same version of every library that is used.
What you seem to want is Gentoo.
Gentoo? I've only got an 8 core machine with 64G of RAM.
When our name is on the back of your car, we're behind you all the way!
The question is really do you have SSD. It only takes a few days to build gentoo on some architecture which actually benefits from it, like a K6... with a laptop drive. On a modern machine with a SSD you ought to be able to knock it out in actually quite reasonable time.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
it wouldn't surprise me that if it were SourceForge's own "custom downloader" that's the one pushing the altered versions with login stealing functionality... it's been pushing adware and other crap too and FileZilla especially has been hit by this. Here's a short selection of complaints from the FileZilla forums:
https://forum.filezilla-project.org/viewtopic.php?f=2&t=30240
(this one has screenshots documenting the EXE installer hijacking done by SourceForge)
or this one: https://forum.filezilla-project.org/viewtopic.php?f=1&t=31127
and more... https://forum.filezilla-project.org/search.php?keywords=sourceforge+adware
Stop all this filesize / filename nonsense.
Either publish signed hashes of the good version or don't bother at all. If it takes more than a minute to change the filesize / filenames to something arbitrary of your choice as a malware author, I'll be amazed, especially when you could easily make it be the same size as the official one in this case by just padding with zeroes.
Please stop using these things are identifiers for malware. Same for "check for this registry entry". Any idiot with a copy of the virus can modify the strings in it to use a different reg entry / server / filename / filesize but what they CAN'T do easily is make a file with the same hash as something official.
And given that I couldn't even see a GPG key or hash value on the download page of FileZilla at all, pretty much this kind of thing is to be expected.
what I find funny is that the poisoned extra payload version is several megabytes smaller than the clean one!
world was created 5 seconds before this post as it is.
Hi Folks,
SourceForge is aware of the malformed FileZilla FTP and are no way associated with or responsible for this malicious program posing as FileZilla.
The FileZilla installer on SourceForge is a stub that encapsulates the actual FileZilla installer to ensure the original FileZilla software is delivered. All offers that are presented when downloading FileZilla are optional and go through a rigorous verification and strict compliance process to make sure they are not malicious and virus free. No personally identifiable information is ever collected.
Best regards,
The SourceForge Community Team