Forgot your password?
typodupeerror
Security Open Source

FileZilla Has an Evil Twin That Steals FTP Logins 197

Posted by Unknown Lamer
from the install-our-toolbar-today dept.
Nerval's Lobster writes "On the same day the world discovered Western intelligence agencies were siphoning user information from Angry Birds and other popular smartphone apps, a leading antivirus developer revealed hackers are doing the same thing with one of the most popular open-source applications on the Internet. Maliciously modified versions of the popular FTP application FileZilla look and act just like the real thing, but include extra code that steals the login data typed in by users and sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it's doing, according to an alert posted this afternoon by antivirus developer Avast Software. The malicious version is fully functional, uses the same graphical interface and component file names as the original, and masks itself further by avoiding any suspicious entries in the system registry, overt attempts to communicate with outside servers or other changes, according to the Jan. 27 alert from Avast. The most obvious differences are that the poisoned version of filezilla.exe is 6.8MB smaller than the real thing and there are two DLL libraries included in the fake that are not present in the original. They are labeled ibgcc_s_dw2-1.dll and libstdc++-6.dll, according to Avast. The official version's Nullsoft installer is v2.45-Unicode; the evil twin uses v2.46.3-Unicode. Automatic updates also fail on the poisoned version 'which is most likely a protection to prevent overwriting of the malware binaries,' Avast added."
This discussion has been archived. No new comments can be posted.

FileZilla Has an Evil Twin That Steals FTP Logins

Comments Filter:
  • Firewall (Score:5, Interesting)

    by Dan East (318230) on Tuesday January 28, 2014 @05:30AM (#46089407) Homepage Journal

    I'm not fully understanding the "sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it's doing" part. It's posting the stolen credentials via http, not FTP. If FileZilla is only given access to the FTP port then it should block this behavior, correct? I'm just not understanding what's magical about this - any app that is already given blanket permission to access the network in a general way can send data to places it shouldn't go without being blocked by firewalls. They make it sound like there's something special or exotic it's doing to avoid the firewall and I'm not understanding exactly what that is.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      More importantly, any app which legitimately needs access to an internet-enabled DNS resolver can exfiltrate data without permission to access the internet on its own. What you need in order to catch this kind of thing is an IDS, not a firewall.

      • by mwvdlee (775178)

        As long as an app can connect to a random IP, there is a way to send data.
        No need for any particular port access if you control the receiving server.

        • Re:Firewall (Score:5, Interesting)

          by fatphil (181876) on Tuesday January 28, 2014 @08:12AM (#46089937) Homepage
          Absolutely, side channels are everywhere if all you care about is small packets of data. You don't even need to "connect" to pass the data, as some things happen before the connection you'd think of filtering. Try resolving the domain name fatphil.hunter2.haxorsrus.ru., and when the DNS server for *.haxorsrus.ru. responds with a random address, you never need to connect to it on any port, the payload's been delivered already. You can't filter DNS without breaking way too much of the internet.
          • Re: (Score:2, Funny)

            by Anonymous Coward

            fatphil.*******.haxorsrus.ru is not a valid domain name.

    • Re:Firewall (Score:5, Informative)

      by mysidia (191772) on Tuesday January 28, 2014 @07:48AM (#46089845)

      If FileZilla is only given access to the FTP port then it should block this behavior, correct?

      What "FTP" port? Every FTP transfer requires a control connection and a data connection --- the data connection is established based on a procedure that depends on transfer mode -- there is standard mode, or passive mode (for firewall traversal).

      In either case, the destination port number is not a specific FTP port, but a port number dynamically allocated by the server and presented to the client, or vice-versa

      In Passive mode, to establish the data connection, the FTP client must open a connection back to the server ON ANY PORT specified by the server, sourced from its ftp-data port.

      In Active mode, the client must select an ephemeral port from the 32768 to 65535 range, send it over the control connection, and accept a TCP connection from the server.

      • FTP: Still sucking because it was invented with NCP in mind.

    • by fatphil (181876)
      Ignore the summary, and *both* links, there's mangled illogic everywhere.

      "You canâ€(TM)t find any suspicious behavior, entries in the system registry, communication or changes in application GUI." Apart from the suspicious behaviour and the communication, that is - duh!

      If they can't describe what it does, they clearly don't understand what it does.

      Just make sure you compare known hashes which you got from a secure (and trusted by you) server when you download binaries. Then this problem m
  • to compile your own binaries from source, and then letting you compare its fingerprint with "official" pre-compiled binaries. No, not a simple hash. Various fingerprints, spread over security-sensitive parts of the software. No idea if such a thing exists, although I remember having seen a discussion here on /. last year.
    • by mwvdlee (775178) on Tuesday January 28, 2014 @05:56AM (#46089487) Homepage

      Then the problem shifts from getting your binaries from the right website to getting your sourcecode from the right website.

      • Correct. That, however, can be in part dealt with by taking hashes....
    • The binary is never going to be identical - it contains all kinds of platform- or compiler-dependent stuff, as well as timestamps. Depending on optimization flags, the compiler may even restructure it differently, with no practical way to isolate security-relevant portions that should remain unchanged. And a malicious payloads could be basically anywhere in the executable, so every part is security-relevant.

      The approach is still good, but since it already involves distributing the source code, it would make

    • Re: (Score:3, Informative)

      by Anonymous Coward

      You're over thinking it.

      if you're compiling from source, check the hash of the source against an official source of the source.

      If you're running a pre-compiled binary, then check the hash of the binary with an official source of the binary.

  • by gooman (709147) on Tuesday January 28, 2014 @05:48AM (#46089459) Journal

    Without a doubt this will be used as propaganda against the entire Open Source community. Everything OSS.
    I'd bet the Sales & Marketing Dept. at Microsoft and the all the rest will have talking points in their sales peoples hands before the end of the day.

    At this moment, there is nothing about this on the Filezilla project's website. GET ON IT people!
    An accurate explanation should be front page before the scare tactics have a chance to work.
    Plus, users need an instant & easy way to identify if their version is legit to ease their minds.

    Now concerning the bad guys... I'd suggest some sort of vigilante justice is in order.
    Perhaps identifying the rogue servers and uploading something the local authorities might be interested in.

    • There is no equivalent in the Windows world to the signed source repositories of Linux. Windows keeps itself updated through signed updates, but does nothing about the other thousands of applications and libraries that are installed. There's probably a good reason why this rogue FTP app isn't in a repository, those evil library files would have to be included in the dependency manifests for all to see. These things survive in Windows because users are forced to install everything from the untrusted web.

      • by fatphil (181876)
        > These things survive in Windows because users are forced to install everything from the untrusted web.

        Deeper - they survive in Windows because users don't give a damn 99.9% of the time, and the only .1% of the time is the short period after a fatal infection, and is quickly forgotten. If you've worked in IT, you'll know that educating users is a futile goal. (As is trying to label all bad things with a "this is bad" label, which is stupidly what all anti-virus programs do.)
    • Why is there no yum repository for Windows or OSX. It seems like there is plenty of motivation for them to exist.

      • by _anomaly_ (127254)
        Yeah, me too, and I would bet that Microsoft moves to incorporate the Windows app store into desktops. The app store could easily be expanded to offer desktop versions of software, in addition to tablet and phone versions. It would be a way for Microsoft to have more control over what gets installed on desktops running their OS... and having more control is definitely what they want.
        • There are tonnes of packages that are available for free for windows. Winscp, putty, etc, But currently there is no one way to just say "gimme that". Other than google/browse/download without verify. There is a system under cygwin to download software and maybe that is what most people use. But I dont think it covers everything.

  • D'oh!! (Score:4, Insightful)

    by benjfowler (239527) on Tuesday January 28, 2014 @05:58AM (#46089493)

    Stubbed my toe. NSA's fault!!

  • by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Tuesday January 28, 2014 @05:59AM (#46089497) Homepage

    1. package manager of your distro (ie. trust someone trustworthy to curate)
    2. git clone; make (ie. get it from the developers directly)

    Anything else is basically eating candy you found on the street.

    • by fatphil (181876)
      "Anything else is basically eating candy you found on the street."

      Wow, that's the best description I've heard in a long time. It's 100% bang on. People like candy...

      However, downloading the source means that you're trusting the compiler or the virtual machine that's running the code. OK, signed gcc straight from debian, that I trust (but there's no need to follow up with a Thompson Trusting Trust reference, I'm fully aware of the principle). But, to be honest, I don't trust the guys who are trying to push
    • by Bert64 (520050)

      The same applies for non free software... You need to ensure you've got it from a trusted source.
      In fact, non free software is potentially even more dangerous in this regard as you're more likely to be entering credit card details into the site you're purchasing the software from.

  • by Bearhouse (1034238) on Tuesday January 28, 2014 @07:01AM (#46089669)

    From TFA

    Stolen data is sent to the IP 144.76.120.243 that belongs [to a] server hosted in Germany.

    "We found 3 domains that link to same IP:
    go-upload.ru created 2012.09.23
    aliserv2013.ru created 2013.09.09
    ngusto-uro.ru created 2013.09.19

    Unfortunately, domains are registered through the infamous Russian domain registrar Naunet.ru, which is associated with malware and spam activities. This registrar hides client contact info and ignores requests to suspend illegal domains.

    • Thinking that you will be secure by putting bad domain names into your host file will tead to tears of failure because:

      a) it's attempting to enumerate badness. There's always new badness, you can't enumerate it all. New badness can be created quicker than you can update your hosts file.

      b) bad software can happily use a randomly or dynamically generated name which you cannot add to your hosts file, as it can't be known in advance, and may only be used once.
  • by Virtucon (127420) on Tuesday January 28, 2014 @07:33AM (#46089791)

    This is why we use AV/Malware tools isn't it? Malware is distributed in a lot of different ways and if you download a corrupted installer or image from a questionable site then you should expect something extra with what you're getting. This is what the AV vendors should be watching out for but also take a few minutes of common sense when downloading, otherwise expect to have your info stolen or your system compromised. While I'm glad the Avast researcher here published the warning, I liken this to stories about the NSA, "One more corrupted installer that installs Malware, read all about it!" Now if he'd found out that the information was being leaked back to Germany for spying then it would have been more interesting.

  • by Demonoid-Penguin (1669014) on Tuesday January 28, 2014 @07:41AM (#46089831) Homepage

    Install only from the source. If you install from a third-party source or don't check the md5sum what did you expect?

    Tag story as stupid

    Hey, I just found a bottle of whisky by the side of the road.... Party! (what could go wrong?)

    • Hey, I just found a bottle of whisky by the side of the road.... Party! (what could go wrong?)

      Hey, I know a guy who regularly does this.

      But, nowadays, after the pee incident, he carefully sniffs the bottle before he drinks...

  • I assume the malicious version appeared from an unreliable site. So, the obvious solution is to simply download Filezilla from source forge and not some random file host site.

    • by Bert64 (520050)

      How is a non technical end user supposed to know that sourceforge is the official site of filezilla, and that other sites are not?

  • I found both of them in TOR browser software and the pro edition of Easeus Partition Master 9.1.1 (legally obtained, not pirated).

    So is there something inherently wrong with dll's bearing that name, or are they OK except when they crop up in Filezilla?

    • by ledow (319597)

      They are DLL's used by many programs which are compiled with a certain compiler. It's like saying a program comes bundled with msvcrtXX.dll.

      The fact that you're even bothering about the names is much more important. What the hell makes you think that the filename is an indicator of its contents? That DLL could be named the same as a harmless file but contain the virus routines. The name is neither here nor there.

      The interesting question is "what's the hash?" - is it an official copy of those files, whic

      • by hyades1 (1149581)

        Thanks for the information. I've found that a heads-up on certain file names can be quite helpful, however. If a particular file name has been targeted by nasty people, I'll just submit the one on machine for analysis by one of the many on-line anti-malware sites that attend to such things.

        As it works out, I've learned that according to several sources the specific DLL's on my system are OK. They're where they belong, they're exactly the right size and contain exactly what they should contain...nothing

  • Please (Score:5, Insightful)

    by ledow (319597) on Tuesday January 28, 2014 @08:05AM (#46089913) Homepage

    Stop all this filesize / filename nonsense.

    Either publish signed hashes of the good version or don't bother at all. If it takes more than a minute to change the filesize / filenames to something arbitrary of your choice as a malware author, I'll be amazed, especially when you could easily make it be the same size as the official one in this case by just padding with zeroes.

    Please stop using these things are identifiers for malware. Same for "check for this registry entry". Any idiot with a copy of the virus can modify the strings in it to use a different reg entry / server / filename / filesize but what they CAN'T do easily is make a file with the same hash as something official.

    And given that I couldn't even see a GPG key or hash value on the download page of FileZilla at all, pretty much this kind of thing is to be expected.

  • This one example why Open Source sites need to take the threat of Advertsm mimicking download buttons on their sites.

    Instead they are still glossing over the risks.

    http://sourceforge.net/blog/ha... [sourceforge.net]

    • Re: (Score:2, Informative)

      by Shalaska (1964046)

      The number of times I have accidently clicked on an ad Download button instead of the actual download button on sites I am not familiar with is astounding. I always have caught on quickly, stopped the incorrect download and then gone looking for the correct one, but as a Comp Sci PhD candidate and computer security practitioner, the fact that it can fool me even for a minute is astounding. Sites really should remove ads that confuse where you should be clicking to download what you came there for.

      • Unfortunately, it's not that easy to remove "all" of those annoying, misleading, "download now" ads. My website shows ads through Google AdSense (i.e. the biggest ad network out there) and despite my going through every week or two to ban entire misleading advertiser accounts, there are always new "Download" ads waiting in the queue from new accounts. I've literally blocked hundreds of accounts by now - 5 or 10 every week for a year or two.

        I feel bad for my random users that get caught by the adware (or wor

... when fits of creativity run strong, more than one programmer or writer has been known to abandon the desktop for the more spacious floor. -- Fred Brooks

Working...