Slashdot Mirror


Trojanized, Info-Stealing PuTTY Version Lurking Online

One of the best first steps in setting up a Windows machine is to install PuTTY on it, so you have a highly evolved secure shell at your command. An anonymous reader writes, though, with a note of caution if you're installing PuTTY from a source other than the project's own official page: a malicious version with information-stealing abilities has been found in the wild. According to the article: Compiled from source, this malicious version is apparently capable of stealing the credentials needed to connect to [SSH] servers. "Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server (known as 'root' access), which can give them complete control over the targeted system," the researchers explained. The Symantec report also shows that (at least for this iteration) the malware version is easy to spot by checking the "About" information for the app.

16 of 216 comments

  1. Is it on the main download page? by danbob999 · · Score: 3, Insightful

    And if not, why should I care?

    1. Re:Is it on the main download page? by mwvdlee · · Score: 5, Insightful

      In this particular situation, because at first glance the main download page, site and URL don't look "official" at all.
      http://www.chiark.greenend.org...
      It would be pretty easy to confuse a slightly more modern looking page for the "main download page".

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:Is it on the main download page? by jones_supa · · Score: 5, Insightful

      That's a good point actually.

    3. Re:Is it on the main download page? by danbob999 · · Score: 4, Insightful

      I agree however http://www.putty.org/ links to this page and is the first result on google. The second result is this page. As long as scammers can't get their trojanized putty on google's first page I don't think there is much of a risk.

    4. Re:Is it on the main download page? by operagost · · Score: 3, Insightful

      So if someone wants to install a single GUI tool instead of an app compatibility layer and a command line tool, they're an idiot?

      What if they installed one of those Heartbleed-vulnerable versions of openssl? Are they smart?

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
    5. Re:Is it on the main download page? by bluefoxlucid · · Score: 3, Insightful

      No, because putty is ballsacks that can't be properly scripted, uses weird key files that need special conversion (it doesn't use an openssh key, but a putty identity key that you can convert to openssh using another program), and handles all kinds of terminal interactions in such a wrong way that you may as well be using Microsoft Word with a VB script to send commands across ssh. Start in a real terminal, where 27 sessions is C-a " instead of "oh fuck which alt-tab icon is it?!"

    6. Re:Is it on the main download page? by ahodgson · · Score: 4, Insightful

      Because SSH is mostly used to talk to Linux servers. Since when has Microsoft ever done anything to make Windows easier to use with other systems?

    7. Re:Is it on the main download page? by Coren22 · · Score: 3, Insightful

      Windows has that, it is called the Microsoft Store.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    8. Re:Is it on the main download page? by Ben+Hutchings · · Score: 4, Insightful

      I know that's the official site, but:
      • I'm supposed to download binaries that don't have Authenticode signatures, from a web server that doesn't support TLS.
      • And then I have to download (and somehow verify) a copy of PGP or GnuPG, in order to verify the signatures they do provide. (I also have to know and remember the fingerprint of the genuine PGP signing key.)
      • Finally, I have to trust that no-one has cracked a 1024-bit PGP key.

      I can only assume that almost all downloads from the official site are vulnerable to MITM'ing. And, as PuTTY is such a popular tool, it is surely a prime target for that.
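The second and third points in the comment above are the ones a download-verification script has to enforce explicitly: `gpg --verify` exits 0 for a good signature from any key in the local keyring, so a script that stops at the exit code is satisfied by an attacker who ships their own public key alongside a trojanized build. What ties the file to the genuine author is comparing the signer's fingerprint against one pinned from an independent channel. The following is an added example, not code from the thread or from the PuTTY project; the fingerprint, key IDs and `gpg --status-fd` transcripts in it are constructed for illustration.

```python
"""Check a detached signature AND pin the signer's fingerprint.

Added example (not PuTTY project code). gpg reports GOODSIG for any key in
the local keyring, so a plain `gpg --verify` passes for an attacker's key
that was imported along with the download. The fingerprint check below is
what actually ties the file to the key you verified out of band.
"""
import subprocess

# Hypothetical pinned fingerprint: substitute the one you obtained through an
# independent channel, not from the same web page that served the binary.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Status tags that mean "do not trust this signature", even if VALIDSIG appears.
FAIL_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def normalize_fpr(fpr):
    """Canonical form: uppercase hex, no spaces (fingerprints are often quoted in groups of four)."""
    return fpr.replace(" ", "").upper()


def parse_status(status_text):
    """Parse `gpg --status-fd` output into (good, fingerprints).

    good is True only if a GOODSIG line appeared and no failure tag did.
    fingerprints holds the fingerprint of the (sub)key that made the signature
    (field 1 of VALIDSIG) and, when gpg reports it, the primary key fingerprint
    (the optional last field of VALIDSIG).
    """
    good = False
    fprs = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in FAIL_TAGS:
            return False, set()
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and len(fields) >= 3:
            fprs.add(normalize_fpr(fields[2]))       # key that produced the signature
            if len(fields) >= 12:
                fprs.add(normalize_fpr(fields[11]))  # primary key, if a subkey signed
    return good, fprs


def signed_by_pinned_key(status_text, pinned_fpr=PINNED_FPR):
    """True only for a good signature from the pinned key (or its primary key)."""
    good, fprs = parse_status(status_text)
    return good and normalize_fpr(pinned_fpr) in fprs


def verify_download(sig_path, data_path, pinned_fpr=PINNED_FPR):
    """Run gpg on a real detached signature and apply the pinned-key check.

    --status-fd 1 sends the machine-readable lines to stdout; gpg's exit code is
    deliberately not used as the decision, the parsed status is.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    return signed_by_pinned_key(proc.stdout, pinned_fpr)


# Constructed status transcripts for the three cases that matter.
STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2015-05-19 1432000000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
# An attacker's key imported into the keyring: gpg still says GOODSIG.
STATUS_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Not The Author <nobody@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2015-05-19 1432000000 0 4 0 1 10 00 1111111111111111111111111111111111111111
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 76543210FEDCBA98 Example Signer <signer@example.invalid>
"""
```

The `STATUS_GOOD` transcript is the case people get wrong: the signature was made by a subkey, so the pinned primary fingerprint only appears as the last VALIDSIG field; pinning against the GOODSIG key ID alone would either miss it or, worse, accept a colliding short key ID. The `STATUS_WRONG_KEY` case is what a trojanized-build distributor who also publishes "their" signing key produces: gpg is perfectly happy, and only the fingerprint comparison rejects it.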

  2. Putty domain by watermark · · Score: 3, Insightful

    I never did like that you had to download putty from a "random" domain. The putty.org website takes you to some greenend.org.uk domain. If you google for putty, it takes you directly to the greenend.org.uk domain. The official binary really should be hosted on the putty.org domain, or at the least have the actual download link on the official domain, using that greenend.org.uk domain as a CDN for the binary.

    1. Re:Putty domain by red_dragon · · Score: 5, Insightful

      greenend.co.uk is the official domain for PuTTY (specifically, www.chiark.greenend.co.uk). Simon Tatham has hosted it there from the start. I'd be more suspicious of putty.org, honestly.

      --
      In Soviet Russia, Jesus asks: "What Would You Do?"
    2. Re:Putty domain by Anonymous Coward · · Score: 2, Insightful

      Yes, but a newcomer would find www.chiark.greenend.co.uk more suspicious than putty.org.

  3. Best first steps by ArcadeMan · · Score: 4, Insightful

    One of the best first steps in setting up a Windows machine is to install PuTTY on it.

    The best first step is to install Steam, because Windows is only used for gaming.

    How does it feel to be on the other side of a generalization, timothy?

    1. Re:Best first steps by Sarten-X · · Score: 1, Insightful

      I just rebuilt my Windows desktop at home.

      The first thing I did was to install Google Chrome, because I'd rather not tolerate IE while fetching other stuff. Next was Steam, mostly so I could get it downloading a game immediately. Once my game was underway, I downloaded PuTTY, followed by a few other utilities.

      From my perspective, you're all very close, but wrong nonetheless.

      --
      You do not have a moral or legal right to do absolutely anything you want.
  4. Re:Dear DICE by aaaaaaargh! · · Score: 4, Insightful

    /. works fine for me (except that, yes, it sucks more and more and seems to have become a generic news aggregator).

    Anyway, why don't you just use an ad-blocker like uBlock or Adblock Edge?

  5. Re:WTF by camperdave · · Score: 3, Insightful

    Don't you think that a person who is making a malicious version of Putty is also capable of putting MD5 checksums of the malicious code on their download site? Checking MD5 sums against those published by the author is useless. You need to check against publicly verified, independently published checksums.

    --
    When our name is on the back of your car, we're behind you all the way!
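The point in the comment above, that a checksum served next to the binary is controlled by whoever controls the binary, translates into a simple rule for a verification script: the manifest must come from a different channel than the file. Below is an added example (not from the thread or the PuTTY project) that parses a sha256sum-style manifest and compares a download against it; the manifest, file names and "downloaded" bytes are constructed for the demo. It uses SHA-256 rather than the MD5 sums mentioned above, since practical MD5 collisions have been known for years, but the workflow is the same.

```python
"""Verify a download against checksums obtained from an independent source.

Added example, not from the thread or the PuTTY project. A checksum file
served next to the binary proves nothing, because the same attacker controls
both; the manifest here stands in for one fetched over a separate channel
and is constructed for the demo, as are the "downloaded" file contents.
"""
import hashlib
import hmac


def parse_sha256sums(text):
    """Parse sha256sum(1)-style lines: '<hex>  <name>' or '<hex> *<name>' (binary mode).

    Malformed lines raise rather than being skipped, so a truncated or edited
    manifest cannot quietly lose an entry.
    """
    manifest = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("line %d: expected '<sha256>  <filename>'" % lineno)
        digest, name = parts[0].lower(), parts[1]
        if name.startswith("*"):          # sha256sum's binary-mode marker
            name = name[1:]
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("line %d: not a SHA-256 hex digest" % lineno)
        manifest[name] = digest
    return manifest


def verify_download(name, data, manifest):
    """True only if `name` is listed in the out-of-band manifest and its hash matches.

    A file missing from the manifest is a failure, not a pass: an attacker who
    adds a new file name to a download page gains nothing from this check.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed manifest, standing in for one obtained through a channel that is
# independent of the download server (the digests are those of b"abc" and b"").
OUT_OF_BAND_MANIFEST = """\
# sha256sums obtained independently of the download server
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  putty.exe
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *pscp.exe
"""
DOWNLOADED_OK = b"abc"      # constructed stand-in for the genuine file
DOWNLOADED_TROJAN = b"abd"  # constructed stand-in for a tampered file


if __name__ == "__main__":
    manifest = parse_sha256sums(OUT_OF_BAND_MANIFEST)
    for label, blob in (("genuine", DOWNLOADED_OK), ("tampered", DOWNLOADED_TROJAN)):
        print(label, "putty.exe:", "OK" if verify_download("putty.exe", blob, manifest) else "MISMATCH")
```

On Windows the hashing half of this is `Get-FileHash -Algorithm SHA256` in PowerShell; the part that matters is where the expected value came from, not which tool computed the actual one.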