Slashdot Mirror


Trojanized, Info-Stealing PuTTY Version Lurking Online

One of the best first steps in setting up a Windows machine is to install PuTTY on it, so you have a highly evolved secure shell at your command. An anonymous reader writes, though, with a note of caution if you're installing PuTTY from a source other than the project's own official page. A malicious version with information-stealing abilities has been found in the wild. According to the article: Compiled from source, this malicious version is apparently capable of stealing the credentials needed to connect to the SSH servers its victims log in to. "Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server (known as 'root' access), which can give them complete control over the targeted system," the researchers explained. The Symantec report linked above also shows that (at least for this iteration) the malware version is easy to spot by checking the "About" information for the app.

8 of 216 comments

  1. Best first steps by ArcadeMan · · Score: 4, Insightful

    One of the best first steps in setting up a Windows machine is to install PuTTY on it.

    The best first step is to install Steam, because Windows is only used for gaming.

    How does it feel to be on the other side of a generalization, timothy?

  2. Re:Is it on the main download page? by mwvdlee · · Score: 5, Insightful

    In this particular situation, because at first glance the main download page, site and URL don't look "official" at all.
    http://www.chiark.greenend.org...
    It would be pretty easy to confuse a slightly more modern looking page for the "main download page".

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  3. Re:Is it on the main download page? by jones_supa · · Score: 5, Insightful

    That's a good point actually.

  4. Re:Putty domain by red_dragon · · Score: 5, Insightful

    greenend.co.uk is the official domain for PuTTY (specifically, www.chiark.greenend.co.uk). Simon Tatham has hosted it there from the start. I'd be more suspicious of putty.org, honestly.

    --
    In Soviet Russia, Jesus asks: "What Would You Do?"
  5. Re:Is it on the main download page? by danbob999 · · Score: 4, Insightful

    I agree, however http://www.putty.org/ links to this page and is the first result on Google. The second result is this page. As long as scammers can't get their trojanized putty on Google's first page I don't think there is much of a risk.

  6. Re:Dear DICE by aaaaaaargh! · · Score: 4, Insightful

    /. works fine for me (except that, yes, it sucks more and more and seems to have become a generic news aggregator).

    Anyway, why don't you just use an ad-blocker like uBlock or Adblock Edge?

  7. Re:Is it on the main download page? by ahodgson · · Score: 4, Insightful

    Because SSH is mostly used to talk to Linux servers. Since when has Microsoft ever done anything to make Windows easier to use with other systems?

  8. Re:Is it on the main download page? by Ben Hutchings · · Score: 4, Insightful

    I know that's the official site, but:
    • I'm supposed to download binaries that don't have Authenticode signatures, from a web server that doesn't support TLS.
    • And then I have to download (and somehow verify) a copy of PGP or GnuPG, in order to verify the signatures they do provide. (I also have to know and remember the fingerprint of the genuine PGP signing key.)
    • Finally, I have to trust that no-one has cracked a 1024-bit PGP key.

    I can only assume that almost all downloads from the official site are vulnerable to MITM'ing. And, as PuTTY is such a popular tool, it is surely a prime target for that.
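Ben Hutchings' bullet points describe the verification chain a defender actually has to carry out: obtain a signature-checking tool, verify the detached signature, and know the genuine key's fingerprint. As an added example (not part of this Slashdot thread and not the PuTTY project's own tooling), the shell functions below perform the last two steps: they run GnuPG on the download and its detached signature, then insist that the signature came from a key whose full fingerprint matches one pinned in advance, rather than from "some key" that happens to be in the keyring. It assumes a POSIX shell with gpg on PATH (Git Bash or WSL on Windows); PINNED_FPR is a placeholder, not the real PuTTY signing key, and the filenames in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Slashdot post or the PuTTY project): verify a
# downloaded installer against its detached PGP signature AND pin the signing
# key's fingerprint, so a "valid" signature from an attacker-supplied key is
# rejected. Assumes GnuPG on PATH. PINNED_FPR is a placeholder: take the real
# fingerprint from the project's key page, ideally over a second channel.

PINNED_FPR="0000000000000000000000000000000000000000"   # placeholder, NOT the real key

# Normalise a fingerprint: drop spaces and upper-case hex, so "ab cd" == "ABCD".
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Pull the signing key's full fingerprint out of gpg's machine-readable status
# output. gpg --status-fd prints "[GNUPG:] VALIDSIG <40-hex-fingerprint> ..."
# only when the signature verified; GOODSIG alone is not enough, because it
# carries only a short key ID, and short IDs are easy to collide.
extract_validsig_fpr() {
    # $1: the captured status lines (may be several lines)
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Compare an extracted fingerprint against the pinned one. Returns 0 on match,
# 1 on mismatch or when no fingerprint was extracted at all.
fpr_matches_pin() {
    [ -n "$1" ] && [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Full check: run gpg with status output on stdout, then require a VALIDSIG
# line whose fingerprint equals the pinned value.
verify_download() {
    file="$1"; sig="$2"
    status=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
    fpr=$(extract_validsig_fpr "$status")
    if fpr_matches_pin "$fpr" "$PINNED_FPR"; then
        echo "OK: $file signed by pinned key $PINNED_FPR"
        return 0
    fi
    echo "REJECT: $file (signing key fingerprint: ${fpr:-none})" >&2
    return 1
}

# Usage (hypothetical filenames):
#   verify_download putty-installer.msi putty-installer.msi.gpg
```

The fingerprint comparison is the part that addresses the commenter's third point: a signature that merely verifies against whatever key gpg has imported proves nothing, so the script treats the absence of a VALIDSIG line, or a VALIDSIG from any other key, as a rejection. Fetching the signature and the fingerprint over a separate, TLS-protected channel is what closes the MITM gap the comment describes.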