Slashdot Mirror
Trojanized, Info-Stealing PuTTY Version Lurking Online
One of the best first steps in setting up a Windows machine is to install PuTTY on it, so you have a highly evolved secure shell at your command. An anonymous reader writes, though, with a note of caution if you're installing PuTTY from a source other than the project's own official page. A malicious version with information-stealing abilities has been found in the wild. According to the article:
Compiled from source, this malicious version is apparently capable of stealing the credentials needed to connect to those servers. "Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server, (known as 'root' access) which can give them complete control over the targeted system," the researchers explained.
The Symantec report linked above also shows that (at least for this iteration) the malware version is easy to spot, by hitting the "About" information for the app.
Any sort of COM port access.
Any sort of SSH access.
Any sort of SSH tunnelling access.
I work in IT, PuTTY is one of the first things I install in every workplace - not "just because" but I'll be damned if I'm going to SSH into a remote server's management module without it or try to use some junky HTTP/Java monstrosity to achieve what one command can achieve on the CLI.
Hell, I've diagnosed mail servers using it by telnetting to the mail port and issuing commands direct for a setting that some Exchange "experts" denied would ever affect anything - when you can show them the entire mail transaction live rather than some convoluted log that purports to tell you everything that happens on the email sending with a junky bounce error, it kinda hurts.
Sure, a lot of stuff is HTTP-managed nowadays but wait until Chrome removes Java and see if the other browsers follow suit. Because then you'll be back on the CLI quite quickly.
The last Cisco switch I installed came only with some absolutely worthless piece of software that only works if you have version X of IE etc. But SSH was a one-tick enable and I could do everything else from there.
The infected client contains "Unidentified build, Nov 29 2013 21:41:02" on the about PuTTY page while the official has "Release 0.63". Cisco has a good article here: http://blogs.cisco.com/securit... by Robert Semans, Brandon Enright, James Sheppard, and Matt Healy.
The best first step is to install Steam, because Windows is only used for gaming.
How does it feel to be on the other side of a generalization, timothy?
Get free satoshi (Bitcoin) and Dogecoins
In this particular situation; because at first glance the main download page, site and URL doesn't look "official" at all.
http://www.chiark.greenend.org...
It would be pretty easy to confuse a slightly more modern looking page for the "main download page".
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
I've never really be that fond of putty, although I see where it is useful. Cygwin offers so much more having use of the shell on windows and ssh if you need to get into a system. Cygwin/X is even better when I need to get a gui. Add windowspager and Windows becomes a great presentation layer!
Thank you Cygwin people!
My ism, it's full of beliefs.
That's a good point actually.
greenend.co.uk is the official domain for PuTTY (specifically, www.chiark.greenend.co.uk). Simon Tatham has hosted it there from the start. I'd be more suspicious of putty.org, honestly.
In Soviet Russia, Jesus asks: "What Would You Do?"
CygWin is a damn nightmare, especially if you have other software that uses it.
It suffers from enormous "DLL Hell" problems when it has multiple versions trying to load and if you use programs that use older versions of Cygwin, they don't necessarily run at all in co-existence with programs using newer versions. "Cygwin1.dll" exists is so many different versions that it's almost impossible to manage properly.
I used to develop on Windows with Eclipse and Cygwin. I quickly moved to MinGW because silly things like random games, utilities, etc. that use it would interfere with the version I was developing against.
If all you want is a real terminal on a GUI, Cygwin is total overkill. Not only that, if you use WinSCP as well, it will manage the keys for you properly between both programs so you don't even notice that you're using it.
Use *nix, or use Windows and PuTTY. For sure, as a network admin, I wouldn't let put Cygwin near your computers but I'll happily pre-install PuTTY for you (zero install needed, certainly no pissing about with PATH and multiple versions of the DLL etc.).
I agree however http://www.putty.org/ links to this page and is the first result on google. The second result is this page. As long as scammers can't get their trojanized putty on google's first page I don't think there is much of a risk.
Anyway, why don't you just use an ad-blocker like uBlock or Adblock Edge?
I am still trying to figure out why Microsoft hasn't packaged SSH based tools with windows.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
...what sibling said. Anything can be trojanized, and it's turtles all the way down if you're proposing that by simply using a different application (or suite/kernel/VM/whatever thereof).
In all seriousness, PuTTY is a quick and dirty way of getting a working SSH shell on a Windows box. For the greybeards (like myself), it's also a quick and kick-ass means of plugging an old laptop into a serial port on the back of a Sun/HPUX/IBM-PPC box.
It's a self-contained executable that you can keep on a geek stick. No dependencies, no lengthy installation bullshit like Cygwin, no muss, no fuss. It just works.
In fact, I still keep a copy on my phone just in case, in spite of the fact that I typically use a MacBook Pro nowadays (OSX has a working *nix shell that I can open Terminal with and SSH from all day long, tab the hell out of, have customized nine ways from Sunday for local Git coloring, pre-hooks, branch awareness, etc). That said, I use PuTTY when I find myself stuck with a 'doze box (usually when having to show a 'doze user something on a *nix box from his machine), or when I find myself in a datacenter with only a shitty old laptop and no other useful means of getting some RS-232 love (because let's face it, HyperTerminal sucks donkey balls).
Quo usque tandem abutere, Nimbus, patientia nostra?
Can you imagine powershell ssh commands?
SSH-Connect -host -ipv4{192.168.100.1} -username {no smith}
Oh and go ahead and hack my machine script kiddies.
i thought once I was found, but it was only a dream.
I am always struck by the fact that something in such widespread use as PuTTY is still downloaded from what looks like someone's public home directory.
On the other hand, it is such an anomaly that I instantly recognize the site when I see it as the correct download site.
Cygwin works well until you get other programs that use it. You either have to install them within your Cygwin install folder (and hope they are able to cope with Cygwin updates you make, e.g. to Cygwin 2) or suffer DLL hell. Look at the Cygwin FAQ for ".DLL" - if you're not familiar with those errors already, you haven't used Cygwin very much. Now consider across a bunch of workstations on a network.
"Want say tunneling to a Windows service? If you use Windows only as a client...."
Don't. Use a proper tool. PuTTY is a client, not a server. This is like saying that ssh-client is no good at being sshd,.. of course not. But that's not what we're talking about.
And the fact is that for every SSH server set up (properly), you probably have 10-100 clients joining to it or you wouldn't bother setting it up. And one of the main points of things like SSH servers is cross-compile farms and remote access. And almost all the universities that offer such services recommend PuTTY if you're on Windows (because they've dealt with the Cygwin issues, I assure you, and decided it's not worth the hassle).
Opinion, of course. So's yours. Just because it's contrary doesn't make it more or less valid.
However, PuTTY is widely used and recommended for everything from talking to your Arduino's over a serial port to logging into your University server... go take a look. Cygwin - if and when it comes up - is not mentioned in nearly as many places for such simple actions.
Cygwin is, in fact, overkill for the majority of users who just want to use SSH, telnet or serial services from Windows. If they wanted Linux, generally they end up installing it in preference to Cygwin.
I agree, except you've over-rated HyperTerminal.
Red to red, black to black. Switch it on, but stand well back.
Simon publishes MD5, SHA1, SHA256 and SHA512 sums for all official binaries.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
That said, I use PuTTY when I find myself stuck with a 'doze box (usually when having to show a 'doze user something on a *nix box from his machine), or when I find myself in a datacenter with only a shitty old laptop and no other useful means of getting some RS-232 love (because let's face it, HyperTerminal sucks donkey balls).
I use a free program called mRemote v1.50 as it integrates Putty, RDP, VNC, Citrix, etc. into one console. It's a good tool as you can organize your connections using folders. As a network architect, it's nice to be able to connect to network devices by site. It has a few bugs, such as screwing up the sort order, but nothing major.
There is a newer version out called mRemoteNG 1.72. The last update was from the end of 2013 and it looks like the project is on hold for whatever reason.
It does what I need it to do and that's all I ask of any tool...
Because SSH is mostly used to talk to Linux servers. Since when has Microsoft ever done anything to make Windows easier to use with other systems?
I can only assume that almost all downloads from the official site are vulnerable to MITM'ing. And, as PuTTY is such a popular tool, it is surely a prime target for that.