Trojanized, Info-Stealing PuTTY Version Lurking Online

One of the best first steps in setting up a Windows machine is to install PuTTY on it, so you have a highly evolved secure shell at your command. An anonymous reader writes, though, with a note of caution if you're installing PuTTY from a source other than the project's own official page. A malicious version with information-stealing abilities has been found in the wild. According to the article: Compiled from source, this malicious version is apparently capable of stealing the credentials needed to connect to those servers. "Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server, (known as 'root' access) which can give them complete control over the targeted system," the researchers explained. The Symantec report linked above also shows that (at least for this iteration) the malware version is easy to spot, by hitting the "About" information for the app.

Re:Why?

[ledow]

Any sort of COM port access.
Any sort of SSH access.
Any sort of SSH tunnelling access.

I work in IT, PuTTY is one of the first things I install in every workplace - not "just because" but I'll be damned if I'm going to SSH into a remote server's management module without it or try to use some junky HTTP/Java monstrosity to achieve what one command can achieve on the CLI.

Hell, I've diagnosed mail servers using it by telnetting to the mail port and issuing commands direct for a setting that some Exchange "experts" denied would ever affect anything - when you can show them the entire mail transaction live rather than some convoluted log that purports to tell you everything that happens on the email sending with a junky bounce error, it kinda hurts.

Sure, a lot of stuff is HTTP-managed nowadays but wait until Chrome removes Java and see if the other browsers follow suit. Because then you'll be back on the CLI quite quickly.

The last Cisco switch I installed came only with some absolutely worthless piece of software that only works if you have version X of IE etc. But SSH was a one-tick enable and I could do everything else from there.

Re:For those who don't RTFA

[ledow]

That's just because they compiled without specifying the build number.

That's LITERALLY a ten-second fix and recompile to resolve.

Don't identify software / spam / viruses by "it has X feature that's easily copied", whether that's a registry entry, a process name or an arbitrary string.

Publish the damn checksums at a minimum, or GPG signing key ideallly.

Re:Is it on the main download page?

[Penguinisto]

...what sibling said. Anything can be trojanized, and it's turtles all the way down if you're proposing that by simply using a different application (or suite/kernel/VM/whatever thereof).

In all seriousness, PuTTY is a quick and dirty way of getting a working SSH shell on a Windows box. For the greybeards (like myself), it's also a quick and kick-ass means of plugging an old laptop into a serial port on the back of a Sun/HPUX/IBM-PPC box.

It's a self-contained executable that you can keep on a geek stick. No dependencies, no lengthy installation bullshit like Cygwin, no muss, no fuss. It just works.

In fact, I still keep a copy on my phone just in case, in spite of the fact that I typically use a MacBook Pro nowadays (OSX has a working *nix shell that I can open Terminal with and SSH from all day long, tab the hell out of, have customized nine ways from Sunday for local Git coloring, pre-hooks, branch awareness, etc). That said, I use PuTTY when I find myself stuck with a 'doze box (usually when having to show a 'doze user something on a *nix box from his machine), or when I find myself in a datacenter with only a shitty old laptop and no other useful means of getting some RS-232 love (because let's face it, HyperTerminal sucks donkey balls).