
FileZilla Has an Evil Twin That Steals FTP Logins

Posted by Unknown Lamer
from the install-our-toolbar-today dept.
Nerval's Lobster writes "On the same day the world discovered Western intelligence agencies were siphoning user information from Angry Birds and other popular smartphone apps, a leading antivirus developer revealed hackers are doing the same thing with one of the most popular open-source applications on the Internet. Maliciously modified versions of the popular FTP application FileZilla look and act just like the real thing, but include extra code that steals the login data typed in by users and sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it's doing, according to an alert posted this afternoon by antivirus developer Avast Software. The malicious version is fully functional, uses the same graphical interface and component file names as the original, and masks itself further by avoiding any suspicious entries in the system registry, overt attempts to communicate with outside servers or other changes, according to the Jan. 27 alert from Avast. The most obvious differences are that the poisoned version of filezilla.exe is 6.8MB smaller than the real thing and there are two DLL libraries included in the fake that are not present in the original. They are labeled ibgcc_s_dw2-1.dll and libstdc++-6.dll, according to Avast. The official version's Nullsoft installer is v2.45-Unicode; the evil twin uses v2.46.3-Unicode. Automatic updates also fail on the poisoned version 'which is most likely a protection to prevent overwriting of the malware binaries,' Avast added."
  • Re:Also Ran (Score:5, Informative)

    by Anonymous Coward on Tuesday January 28, 2014 @05:26AM (#46089399)

    Mostly because these DLLs are present in projects compiled with MinGW.

  • by Anonymous Coward on Tuesday January 28, 2014 @05:46AM (#46089449)

    Take a look in
    %APPDATA%\FileZilla\sitemanager.xml

  • by Anonymous Coward on Tuesday January 28, 2014 @05:46AM (#46089451)

    What you seem to want is Gentoo.

  • by jones_supa (887896) on Tuesday January 28, 2014 @06:13AM (#46089541)

    These DLL names look like legal ones, at least in the Linux world. I have several times installed libstdc++ as a dependency of other packages.

    Duh, logic fail. The article does not claim that these particular DLLs provide the malicious code, but are simply some easily observable differences between the friendly and malicious version.

  • by Bearhouse (1034238) on Tuesday January 28, 2014 @07:01AM (#46089669)

    From TFA

    Stolen data is sent to the IP 144.76.120.243 that belongs [to a] server hosted in Germany.

    We found 3 domains that link to same IP:
    go-upload.ru created 2012.09.23
    aliserv2013.ru created 2013.09.09
    ngusto-uro.ru created 2013.09.19

    Unfortunately, domains are registered through the infamous Russian domain registrar Naunet.ru, which is associated with malware and spam activities. This registrar hides client contact info and ignores requests to suspend illegal domains.

  • by gnasher719 (869701) on Tuesday January 28, 2014 @07:04AM (#46089679)

    No need to be condescending. I use FOSS all the time. Yet, AFAIK, there is no such mechanism that lets a developer introduce security fingerprints which "tag" a critical section of code, and which the compiler adds to the binaries, in such a way that after compiling source locally, you can check critical parts of your binaries on compliance with the "official" fingerprints. Or am I mistaken ?

    There is no mechanism in most compilers/linkers that allows you to recreate the exact same executable that someone else built, byte by byte. You would need a compiler to be hundred percent deterministic. I could imagine some optimisation algorithms working better with some randomisation, so that wouldn't be possible. a+b could sometimes translate to "load a, add b" and sometimes "load b, add a". Things like the __FILE__ macro in C or C++ include the full path of the file, which is different on your machine than on mine. And of course you'd need the exact same build environment. Exact same version of every library that is used.

  • by drinkypoo (153816) <martin.espinoza@gmail.com> on Tuesday January 28, 2014 @07:26AM (#46089765) Homepage Journal

    The question is really, do you have an SSD? It only takes a few days to build Gentoo on some architecture which actually benefits from it, like a K6... with a laptop drive. On a modern machine with an SSD you ought to be able to knock it out in actually quite reasonable time.

  • by Anonymous Coward on Tuesday January 28, 2014 @07:35AM (#46089795)

    You're overthinking it.

    If you're compiling from source, check the hash of the source against an official source of the source.

    If you're running a pre-compiled binary, then check the hash of the binary with an official source of the binary.
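
The binary check described in the comment above, as an added example that is not part of the original thread. It assumes the project publishes a `sha512sum`-style manifest; the file names and bytes are constructed stand-ins.

```python
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text):
    """Parse 'HEXDIGEST  filename' lines (sha512sum style) into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")  # '*' marks binary mode in coreutils output
        if len(digest) == 128 and all(c in "0123456789abcdefABCDEF" for c in digest):
            entries[name] = digest.lower()
    return entries


def sha512_file(path, chunk=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, manifest_text):
    """Return 'ok', 'mismatch' or 'unlisted'; treat anything but 'ok' as a failure."""
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    return "ok" if hmac.compare_digest(sha512_file(path), expected) else "mismatch"


def demo():
    """Constructed demo: a stand-in installer, then the same file with one byte added."""
    body = b"constructed installer bytes"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "FileZilla_setup.exe")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(body)
        manifest = hashlib.sha512(body).hexdigest() + " *FileZilla_setup.exe\n"
        before = verify_download(path, manifest)
        with open(path, "ab") as f:
            f.write(b"\x00")  # simulate a modified binary
        other = os.path.join(d, "other.exe")
        return before, verify_download(path, manifest), verify_download(other, manifest)
```

The manifest has to come from the project's own site rather than from the page that served the download, since whoever can swap the binary there can swap a hash shown beside it.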

  • Re:Firewall (Score:5, Informative)

    by mysidia (191772) on Tuesday January 28, 2014 @07:48AM (#46089845)

    If FileZilla is only given access to the FTP port then it should block this behavior, correct?

    What "FTP" port? Every FTP transfer requires a control connection and a data connection --- the data connection is established based on a procedure that depends on transfer mode -- there is standard mode, or passive mode (for firewall traversal).

    In either case, the destination port number is not a specific FTP port, but a port number dynamically allocated by the server and presented to the client, or vice-versa.

    In Passive mode, to establish the data connection, the FTP client must open a connection back to the server ON ANY PORT specified by the server, sourced from its ftp-data port.

    In Active mode, the client must select an ephemeral port from the 32768 to 65535 range, send it over the control connection, and accept a TCP connection from the server.
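
How the data port is negotiated on the control channel, as an added example that is not part of the original thread: it decodes `PORT` commands and `227` replies (port = p1*256 + p2), goes slightly beyond the comment by also handling RFC 2428 `229` replies, and flags any advertised listener that is not the expected control-connection peer. The transcript format and addresses are constructed assumptions.

```python
import re

# PORT commands and 227 replies carry six decimal fields: h1,h2,h3,h4,p1,p2
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428 extended passive reply carries only a port: 229 ... (|||port|)
EPSV = re.compile(r"\((.)\1\1(\d{1,5})\1\)")


def decode_hostport(text):
    """Return (host, port) from an h1,h2,h3,h4,p1,p2 field, or None."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    f = [int(x) for x in m.groups()]
    if max(f) > 255:
        return None
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]


def data_endpoints(control_lines, client_ip, server_ip):
    """List (mode, listening_host, port, ok) per negotiated data channel.
    ok is False when the listener is not the expected control-connection peer."""
    found = []
    for sender, line in control_lines:
        if sender == "C" and line.upper().startswith("PORT "):
            ep = decode_hostport(line[5:])
            if ep:
                found.append(("active", ep[0], ep[1], ep[0] == client_ip))
        elif sender == "S" and line.startswith("227"):
            ep = decode_hostport(line[3:])
            if ep:
                found.append(("passive", ep[0], ep[1], ep[0] == server_ip))
        elif sender == "S" and line.startswith("229"):
            m = EPSV.search(line)
            if m:  # the host is implicitly the control-connection server
                found.append(("passive", server_ip, int(m.group(2)), True))
    return found


# Constructed transcript ("C" = client, "S" = server), RFC 5737 addresses.
SAMPLE = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("C", "PORT 198,51,100,7,200,21"),
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||6446|)"),
    ("S", "227 Entering Passive Mode (203,0,113,99,4,1)"),
]
```

Because the port only appears inside the control channel, a firewall rule keyed on a fixed port cannot describe an FTP session; the filter has to follow the negotiation to know which data connection to allow.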

  • by Anonymous Coward on Tuesday January 28, 2014 @07:59AM (#46089889)

    it wouldn't surprise me that if it were SourceForge's own "custom downloader" that's the one pushing the altered versions with login stealing functionality... it's been pushing adware and other crap too and FileZilla especially has been hit by this. Here's a short selection of complaints from the FileZilla forums:

    https://forum.filezilla-project.org/viewtopic.php?f=2&t=30240
    (this one has screenshots documenting the EXE installer hijacking done by SourceForge)

    or this one: https://forum.filezilla-project.org/viewtopic.php?f=1&t=31127
    and more... https://forum.filezilla-project.org/search.php?keywords=sourceforge+adware

  • by heypete (60671) <pete@heypete.com> on Tuesday January 28, 2014 @08:00AM (#46089895) Homepage

    There's a world of difference between software having a digital signature and the software installer actually checking the digital signature. Does Windows even have a mechanism to check the signature?

    Yes. Many (most?) installers for Windows check the signature when you open the installer. This has been the case for ages, with even Windows XP checking signatures (though not for nearly as many things as Windows Vista/7/8 do).

    If a program wants admin rights (and many installers do), Windows will check the signature and display a different prompt for signed and unsigned code (see here [wikipedia.org] for an example).

  • by Khyber (864651) <techkitsune@gmail.com> on Tuesday January 28, 2014 @08:43AM (#46090113) Homepage Journal

    https://forum.filezilla-projec... [filezilla-project.org]
    https://forum.filezilla-projec... [filezilla-project.org]
    https://forum.filezilla-projec... [filezilla-project.org]

    Anyone using Source Forge should walk the fuck away right now and never go back. They are the ones responsible for this.

  • by Shalaska (1964046) on Tuesday January 28, 2014 @08:52AM (#46090169)

    The number of times I have accidentally clicked on an ad Download button instead of the actual download button on sites I am not familiar with is astounding. I always have caught on quickly, stopped the incorrect download and then gone looking for the correct one, but as a Comp Sci PhD candidate and computer security practitioner, the fact that it can fool me even for a minute is astounding. Sites really should remove ads that confuse where you should be clicking to download what you came there for.

  • by heypete (60671) <pete@heypete.com> on Tuesday January 28, 2014 @08:56AM (#46090203) Homepage

    So, it's the software that you download that verifies itself? Or, does Windows have a list of checked software along with their signatures?

    The author(s) of individual software programs acquire a code-signing certificate from a certificate authority that Microsoft trusts for that purpose. The author(s) then sign their software using that certificate. Windows verifies the signature and ensures it's from a cert issued by a trusted CA.

    I had a quick look in your link to the UAC and couldn't see much relevance as it all seemed to be about elevating privileges rather than authenticating 3rd party software. I've never seen Windows do any checking except for drivers.

    Most software requires admin rights to install, so it's sensible that the results of the signature checks show up in the escalation prompt. (If the software is unsigned, it gets a scary yellow warning. If it's signed, it shows up in an ordinary looking prompt that lists the program name and the publisher details, as found in the certificate.)

    Additionally, if you try opening unsigned executables Windows will prompt you with a moderately-scary warning. Here's a screenshot [imgur.com] of such a warning that I took a few minutes ago.

    In short: yes, Windows does check signatures on software but it (for better or worse) gives users the option of easily running or installing software even if the program is unsigned.

  • by Anonymous Coward on Tuesday January 28, 2014 @09:19AM (#46090331)

    filezilla.exe is smaller, but it also includes libgcc and libstdc++ - they're several megabytes and probably statically linked in the official version.

  • by CastrTroy (595695) on Tuesday January 28, 2014 @09:30AM (#46090397) Homepage
    To be fair, it also supports SSH File Copy (SFTP) and FTP over SSL/TLS (FTPS). Also, FTP can be secure if tunneled over a VPN.
  • Re:Firewall (Score:0, Informative)

    by Anonymous Coward on Tuesday January 28, 2014 @09:33AM (#46090417)

    Actually, nope.

    Unless you're running a DNS server yourself, you don't need to query their DNS for subdomains.

    On any other system, you can allow communication on port 53 only with DNS servers you use to close this side channel.

  • by SFnetTeam (3432388) <communityteam@slashdotmedia.com> on Tuesday January 28, 2014 @03:32PM (#46094065) Homepage

    Hi Folks,

    SourceForge is aware of the malformed FileZilla FTP and is in no way associated with or responsible for this malicious program posing as FileZilla.

    The FileZilla installer on SourceForge is a stub that encapsulates the actual FileZilla installer to ensure the original FileZilla software is delivered. All offers that are presented when downloading FileZilla are optional and go through a rigorous verification and strict compliance process to make sure they are not malicious and virus free. No personally identifiable information is ever collected.

    Best regards,

    The SourceForge Community Team
