Trojanized, Info-Stealing PuTTY Version Lurking Online 216
One of the best first steps in setting up a Windows machine is to install PuTTY on it, so you have a highly evolved secure shell at your command. An anonymous reader writes, though, with a note of caution if you're installing PuTTY from a source other than the project's own official page. A malicious version with information-stealing abilities has been found in the wild. According to the article:
Compiled from source, this malicious version is apparently capable of stealing the credentials needed to connect to those servers. "Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server, (known as 'root' access) which can give them complete control over the targeted system," the researchers explained.
The Symantec report linked above also shows that (at least for this iteration) the malware version is easy to spot, by hitting the "About" information for the app.
Is it on the main download page? (Score:4, Insightful)
Re:Is it on the main download page? (Score:5, Insightful)
In this particular situation, because at first glance the main download page, site and URL don't look "official" at all.
http://www.chiark.greenend.org... [greenend.org.uk]
It would be pretty easy to confuse a slightly more modern looking page for the "main download page".
Re:Is it on the main download page? (Score:5, Insightful)
Re:Is it on the main download page? (Score:5, Insightful)
Re:Is it on the main download page? (Score:4, Interesting)
I know that there are checksums on the download page. We know how to use them. Other people don't.
I don't understand WHY, after all this time, the author(s) continue to refuse to get a code-signing certificate and sign the executable files and the installer. I'm almost assuming that it's on principle somehow, because it's not that expensive and if a request was made I'd bet donations would take care of the cost in under a day.
Re: Is it on the main download page? (Score:3, Informative)
Because it would provide no extra security.
Certs and digital signatures cannot vouch for the person who made them. All they say is: After running my verification algorithm, I have determined that a key that is mathematically equivalent to this public cert was used to sign this file.
Notice that neither the algorithm, the key, the signature, nor the file in question is actually verified in this statement. From the user's perspective, they *assume* the algorithm is secure and trustworthy. The user *assumes* that t
Re: (Score:2, Informative)
While that seems like sound reasoning, I have found that in practically every case it is a recipe for disaster to think that way.
Most high-quality software packages and libraries, at the highest levels, come from very spartan websites.
The Flash junkies will argue this point with me for years, and it's nice to have flashy web design as part of a broad-spectrum marketing strategy, but it's all just fluff that gives too many problems a chance to creep in undetected.
Re: (Score:3)
Windows will catch up someday.
Re:Is it on the main download page? (Score:4, Insightful)
Windows has that, it is called the Microsoft Store.
Re: (Score:3)
So, MS makes efforts to shift over to the model you advocate, and you slam them for the older versions of the OS people refuse to get rid of?
Re:Is it on the main download page? (Score:5, Interesting)
I am always struck by the fact that something in such widespread use as PuTTY is still downloaded from what looks like someone's public home directory.
On the other hand, it is such an anomaly that I instantly recognize the site when I see it as the correct download site.
Re:Is it on the main download page? (Score:5, Insightful)
I can only assume that almost all downloads from the official site are vulnerable to MITM'ing. And, as PuTTY is such a popular tool, it is surely a prime target for that.
Re: (Score:2)
Re: (Score:2)
Re:Is it on the main download page? (Score:4, Interesting)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
So if someone wants to install a single GUI tool instead of an app compatibility layer and a command line tool, they're an idiot?
What if they installed one of those Heartbleed-vulnerable versions of openssl? Are they smart?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
In any case, I never really had an issue with puTTY if I had to SSH on Windows, but then that's not very often. It's not my preference. I usually use my linux box for SSH, it's just more comfortable. All of us in our workgroup have 1 win box and 1 linux box, and
Re:Is it on the main download page? (Score:5, Informative)
...what sibling said. Anything can be trojanized, and it's turtles all the way down if you're proposing that by simply using a different application (or suite/kernel/VM/whatever thereof).
In all seriousness, PuTTY is a quick and dirty way of getting a working SSH shell on a Windows box. For the greybeards (like myself), it's also a quick and kick-ass means of plugging an old laptop into a serial port on the back of a Sun/HPUX/IBM-PPC box.
It's a self-contained executable that you can keep on a geek stick. No dependencies, no lengthy installation bullshit like Cygwin, no muss, no fuss. It just works.
In fact, I still keep a copy on my phone just in case, in spite of the fact that I typically use a MacBook Pro nowadays (OSX has a working *nix shell that I can open Terminal with and SSH from all day long, tab the hell out of, have customized nine ways from Sunday for local Git coloring, pre-hooks, branch awareness, etc). That said, I use PuTTY when I find myself stuck with a 'doze box (usually when having to show a 'doze user something on a *nix box from his machine), or when I find myself in a datacenter with only a shitty old laptop and no other useful means of getting some RS-232 love (because let's face it, HyperTerminal sucks donkey balls).
Re:Is it on the main download page? (Score:5, Funny)
Re: (Score:2)
I agree, except you've over-rated HyperTerminal.
And disrespected the donkey.
Re:Is it on the main download page? (Score:5, Informative)
That said, I use PuTTY when I find myself stuck with a 'doze box (usually when having to show a 'doze user something on a *nix box from his machine), or when I find myself in a datacenter with only a shitty old laptop and no other useful means of getting some RS-232 love (because let's face it, HyperTerminal sucks donkey balls).
I use a free program called mRemote v1.50 as it integrates Putty, RDP, VNC, Citrix, etc. into one console. It's a good tool as you can organize your connections using folders. As a network architect, it's nice to be able to connect to network devices by site. It has a few bugs, such as screwing up the sort order, but nothing major.
There is a newer version out called mRemoteNG 1.72. The last update was from the end of 2013 and it looks like the project is on hold for whatever reason.
It does what I need it to do and that's all I ask of any tool...
Re: (Score:3)
I wonder if there is any intention of handling more connection types. I have been using Remote Desktop Manager, but their free restrictions are kind of onerous as they don't allow password save in the free edition.
Re: (Score:3)
Re: (Score:3)
Really the OSes fault. SSH should be a base install item. And it isn't just Windows. (Android, I'm looking at you.)
Re:Is it on the main download page? (Score:5, Interesting)
I am still trying to figure out why Microsoft hasn't packaged SSH based tools with windows.
Re:Is it on the main download page? (Score:5, Funny)
Can you imagine powershell ssh commands?
SSH-Connect -host -ipv4{192.168.100.1} -username {no smith}
Oh and go ahead and hack my machine script kiddies.
Re:Is it on the main download page? (Score:5, Insightful)
Because SSH is mostly used to talk to Linux servers. Since when has Microsoft ever done anything to make Windows easier to use with other systems?
Re: (Score:2)
During Phases: Embrace and Extend.
Re: (Score:3, Interesting)
Re: (Score:3, Informative)
http://en.wikipedia.org/wiki/W... [wikipedia.org]
It isn't that unheard of.
Re: (Score:2)
Re: (Score:2)
They don't make much use of SSH servers so there is little point bundling a client. The only thing you would use it for is administering non-Microsoft servers.
Re: (Score:2)
It would probably be better than the current situation of running Powershell through IIS like that makes any sense. It would be more stable as well. Have you ever tried to fix WinRM when it gets all mucked up?
Dear DICE (Score:4, Informative)
Re: (Score:2)
Maybe DICE decided to mine bitcoins with our computers.
Re:Dear DICE (Score:5, Insightful)
Anyway, why don't you just use an ad-blocker like uBlock or Adblock Edge?
Re: (Score:3)
Re: (Score:2)
Slashdot doesn't belong to Dice anymore. It's DHI Group now.
DHI is Dice Holdings, Inc.
WTF (Score:3)
"This is the malicious version! If you want the secure one, please delete me and go elsewhere!"
Is there a way to read the about page without installing?
The article came quite close to being useful, but then missed by a mile.
Re: (Score:2)
From the second link in TFS:
http://www.symantec.com/connec... [symantec.com]
The about shows "Unidentified Build" rather than the build number. Seems like sloppy hijacking to me.
Re: (Score:3, Informative)
No it's not. MD5 has been broken for years now and needs to die. PLEASE STOP RECOMMENDING MD5 ALREADY.
http://www.kb.cert.org/vuls/id/836068
http://en.wikipedia.org/wiki/MD5
Re:WTF (Score:5, Informative)
Simon publishes MD5, SHA1, SHA256 and SHA512 sums for all official binaries.
Re:WTF (Score:4, Insightful)
Putty domain (Score:4, Insightful)
I never did like that you had to download putty from a "random" domain. The putty.org website takes you to some greenend.org.uk domain. If you google for putty, it takes you directly to the greenend.org.uk domain. The official binary really should be hosted on the putty.org domain, or at the least have the actual download link on the official domain, using that greenend.org.uk domain as a CDN for the binary.
Re:Putty domain (Score:5, Insightful)
Re: (Score:2, Insightful)
Re: (Score:3)
greenend.co.uk is the official domain for PuTTY (specifically, www.chiark.greenend.co.uk). Simon Tatham has hosted it there from the start. I'd be more suspicious of putty.org, honestly.
Except that the official domain is greenend.org.uk. See, even you got confused there.
Re: (Score:2)
greenend.co.uk may be more trustworthy than putty.org, but neither will get you the official PuTTY release.
For those who don't RTFA (Score:4, Informative)
Re:For those who don't RTFA (Score:5, Informative)
That's just because they compiled without specifying the build number.
That's LITERALLY a ten-second fix and recompile to resolve.
Don't identify software / spam / viruses by "it has X feature that's easily copied", whether that's a registry entry, a process name or an arbitrary string.
Publish the damn checksums at a minimum, or GPG signing key ideally.
Re: (Score:2)
Publish the damn checksums at a minimum, or GPG signing key ideally.
They are published:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.htm
Your average Windows user and his average admin don't know what to do with a checksum, however.
done already, and so? (Score:2)
The checksums are already published; anyone who wants to check can check.
To the other half, I can modify any Windows binary to have malware and keep the version the same. Checksums can fix that almost all of the time. The build information is as reliable as the binary's name, in that it has very little use.
People pushing this gunk are not going after knowledgeable users that check sources (obviously), they are going after the low hanging fruit which could be "got" any number of ways. The latest craze
Re: (Score:2)
Re: (Score:2)
I'm sure the publishers of tainted versions of PuTTY also have MD5s I can download and verify against.
Do you know what the purpose of a checksum is? What you said doesn't really make sense.
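The checksum discussion in this thread (sums are published, MD5 is unfit, mismatched sums from a tainted mirror prove nothing, and most users don't know what to do with a sum) is easy to make concrete. The following is an added example, not code from the original page or from the PuTTY project: a small Python verifier that parses a coreutils-style sums file, refuses to rely on MD5 or SHA-1 alone, and reports whether the downloaded bytes match the published SHA-256/SHA-512 values. The file contents, the sums text and the filenames (putty.exe, plink.exe, pscp.exe) are constructed inline so the example runs offline; they are placeholders, not real PuTTY bytes or real published hashes.

```python
import hashlib
import hmac
import re
from typing import Dict

# Digests strong enough to stand alone for release verification.
STRONG_ALGORITHMS = {"sha256", "sha512"}

# Hex digest length -> algorithm, for coreutils-style "<hex>  <filename>"
# lines that do not name the algorithm.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# "<hexdigest>  <filename>" or "<hexdigest> *<filename>" (binary-mode marker)
SUM_LINE = re.compile(r"^([0-9a-fA-F]{32,128})\s+\*?(\S.*)$")


def parse_sums(text: str) -> Dict[str, Dict[str, str]]:
    """Parse checksum lines into {filename: {algorithm: hexdigest}}.

    Lines that do not match, or whose digest length is not one we know,
    are skipped rather than trusted.
    """
    sums: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SUM_LINE.match(line)
        if m is None:
            continue
        digest, name = m.group(1).lower(), m.group(2).strip()
        algo = DIGEST_LENGTHS.get(len(digest))
        if algo is None:
            continue
        sums.setdefault(name, {})[algo] = digest
    return sums


def verify(data: bytes, name: str, sums: Dict[str, Dict[str, str]]) -> str:
    """Check `data` (the downloaded file's bytes) against the published sums.

    Returns one of:
      "ok"        every strong digest listed for `name` matches
      "mismatch"  at least one strong digest differs (tampered or corrupt)
      "weak-only" the file is listed, but only with MD5/SHA-1 digests
      "unlisted"  no entry for `name` at all
    """
    entry = sums.get(name, {})
    if not entry:
        return "unlisted"
    strong = {a: d for a, d in entry.items() if a in STRONG_ALGORITHMS}
    if not strong:
        return "weak-only"
    for algo, expected in strong.items():
        actual = hashlib.new(algo, data).hexdigest()
        # compare_digest avoids short-circuit timing differences; the
        # digests are public, so this is habit more than necessity.
        if not hmac.compare_digest(actual, expected):
            return "mismatch"
    return "ok"


# --- Constructed sample data (not real PuTTY bytes, not real published sums) ---
GOOD_BINARY = b"MZ\x90\x00constructed stand-in for putty.exe\n"
TAMPERED_BINARY = GOOD_BINARY + b"\x90"

# A sums file as a maintainer might publish it, built here from GOOD_BINARY.
SUMS_TEXT = "\n".join([
    "# constructed sha256sums / sha512sums",
    f"{hashlib.sha256(GOOD_BINARY).hexdigest()}  putty.exe",
    f"{hashlib.sha512(GOOD_BINARY).hexdigest()} *putty.exe",
    f"{hashlib.sha256(b'other').hexdigest()}  plink.exe",
])

# A sums file that offers MD5 only, which verify() refuses to rely on.
MD5_ONLY_TEXT = f"{hashlib.md5(GOOD_BINARY).hexdigest()}  putty.exe"


if __name__ == "__main__":
    published = parse_sums(SUMS_TEXT)
    print("good   :", verify(GOOD_BINARY, "putty.exe", published))
    print("altered:", verify(TAMPERED_BINARY, "putty.exe", published))
    print("md5    :", verify(GOOD_BINARY, "putty.exe", parse_sums(MD5_ONLY_TEXT)))
    print("missing:", verify(GOOD_BINARY, "pscp.exe", published))
```

The point the thread makes about tainted mirrors still holds: a sums file fetched from the same place as a tampered binary will simply match the tampered binary. The check only means something when the sums (or a signature over them) come from a channel the attacker does not control, which is why the commenters above ask for a signing key as well as checksums.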
Best first steps (Score:5, Insightful)
The best first step is to install Steam, because Windows is only used for gaming.
How does it feel to be on the other side of a generalization, timothy?
Re: (Score:2, Insightful)
I just rebuilt my Windows desktop at home.
The first thing I did was to install Google Chrome, because I'd rather not tolerate IE while fetching other stuff. Next was Steam, mostly so I could get it downloading a game immediately. Once my game was underway, I downloaded PuTTY, followed by a few other utilities.
From my perspective, you're all very close, but wrong nonetheless.
Re: (Score:2)
Windows is only used for gaming.
Or for game development, for which you might need a shell to administer your version control server.
Cygwin appreciation society! (Score:5, Interesting)
I've never really been that fond of putty, although I see where it is useful. Cygwin offers so much more, having use of the shell on Windows and ssh if you need to get into a system. Cygwin/X is even better when I need to get a GUI. Add windowspager and Windows becomes a great presentation layer!
Thank you Cygwin people!
Re:Cygwin appreciation society! (Score:4, Informative)
MobaXterm is pretty nice as a SSH/Telnet/X11/mosh/tunnel client. It doesn't do anything you can't do with Cygwin in that regard but it's less work to get set up.
Re: (Score:3)
I sort of like Teraterm Pro, I don't think it really does more than putty but it's self-contained (in regard to the GUI), tabbed and the set up is mostly setting up the font, font size and text color. With either putty or Teraterm, install Xming to do X11 (next/next/finish, then check a box in the terminal program's settings)
Re: (Score:2)
A second vote for MobaXTerm. I moved to it from Putty. It has tabs and the X11 stuff built in, don't have to configure a thing - it just works. Love it.
This is why we can't have nice stuff... (Score:2)
What about the installer executable? (Score:2)
Why is any of this necessary? (Score:2, Troll)
Sure, in 2015, it wouldn't be so hard for Microsoft to include an SSH client with their OS? I can't think of any other OS that doesn't come with one pre-installed.
Re: (Score:2)
Because their solution was powershell with its own nonstandard remote interface.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Sometimes cow-orkers require percussive maintenance to reduce the incidence of pebkac episodes.
While I agree that no one should be orking cows, I think beatings are a rather severe punishment.
Who uses putty that way? (Score:2)
And PuTTY-CAC? (Score:2)
Anyone know if there's a trojanized version of PuTTY-CAC?
For the rest of you, that's for use with "smart cards" (i.e., US fed gov PIV, or US DoD CAC id cards), and it's a fork of PuTTY.
And what about pageant?
mark
Re: (Score:2)
Re: (Score:2)
FOSS Licence (Score:3)
It is nice to know that the trojanized version retains the copyright notice and disclaimer of warranty as required by the PuTTY FOSS license. Good to see people properly using Open Source!
ZOC Terminal...any others? (Score:2)
Re: (Score:2)
Re:Why? (Score:5, Informative)
Any sort of COM port access.
Any sort of SSH access.
Any sort of SSH tunnelling access.
I work in IT, PuTTY is one of the first things I install in every workplace - not "just because" but I'll be damned if I'm going to SSH into a remote server's management module without it or try to use some junky HTTP/Java monstrosity to achieve what one command can achieve on the CLI.
Hell, I've diagnosed mail servers using it by telnetting to the mail port and issuing commands direct for a setting that some Exchange "experts" denied would ever affect anything - when you can show them the entire mail transaction live rather than some convoluted log that purports to tell you everything that happens on the email sending with a junky bounce error, it kinda hurts.
Sure, a lot of stuff is HTTP-managed nowadays but wait until Chrome removes Java and see if the other browsers follow suit. Because then you'll be back on the CLI quite quickly.
The last Cisco switch I installed came only with some absolutely worthless piece of software that only works if you have version X of IE etc. But SSH was a one-tick enable and I could do everything else from there.
Re: (Score:3)
The last Cisco switch I installed came only with some absolutely worthless piece of software that only works if you have version X of IE etc. But SSH was a one-tick enable and I could do everything else from there.
Chuckle. If one is using a GUI to configure Cisco gear, one should probably not be using Cisco gear.* :D
*Unless you're trying to learn it, then the GUI will help get you started.
Re: (Score:2)
I don't work as a sysadmin or anything, but I even have it on my phone.
Occasionally I get a rogue process on my server and I can go in and sort it even if the console goes all Helen Keller.
Re: Why? (Score:2)
Cygwin with openssh works fine. Putty is OK. But for things you use regularly, scripts and SSH are nicer.
Re:Why? (Score:5, Interesting)
CygWin is a damn nightmare, especially if you have other software that uses it.
It suffers from enormous "DLL Hell" problems when it has multiple versions trying to load, and if you use programs that use older versions of Cygwin, they don't necessarily run at all in co-existence with programs using newer versions. "Cygwin1.dll" exists in so many different versions that it's almost impossible to manage properly.
I used to develop on Windows with Eclipse and Cygwin. I quickly moved to MinGW because silly things like random games, utilities, etc. that use it would interfere with the version I was developing against.
If all you want is a real terminal on a GUI, Cygwin is total overkill. Not only that, if you use WinSCP as well, it will manage the keys for you properly between both programs so you don't even notice that you're using it.
Use *nix, or use Windows and PuTTY. For sure, as a network admin, I wouldn't put Cygwin near your computers but I'll happily pre-install PuTTY for you (zero install needed, certainly no pissing about with PATH and multiple versions of the DLL etc.).
Which C runtime library for MinGW? (Score:2)
I used to develop on Windows with Eclipse and Cygwin. I quickly moved to MinGW because silly things like random games, utilities, etc. that use it would interfere with the version I was developing against.
Which C runtime library do you use with MinGW? I'm told third-party applications shouldn't use MSVCRT.dll anymore [msdn.com].
Re: (Score:2)
I have used Cygwin daily at work and at home for ten years and have almost never seen the issues you are talking about. I'm sure they are real and affect people who do things differently than me. I don't typically download third party applications that depend on the Cygwin DLL. I use the complete official Cygwin package repository or (very rarely) compile from source. I use Eclipse, Java, ant, Cygwin, and am about as happy as I can be with my environment (I'd be happier writing Perl, but that's another
Re: (Score:2)
Ditto here. I suspect they are, as you suggest, downloading 3rd party applications that depend on the Cygwin DLL. I use the setup.exe provided and have never had a problem.
Re: Why? (Score:5, Informative)
Cygwin works well until you get other programs that use it. You either have to install them within your Cygwin install folder (and hope they are able to cope with Cygwin updates you make, e.g. to Cygwin 2) or suffer DLL hell. Look at the Cygwin FAQ for ".DLL" - if you're not familiar with those errors already, you haven't used Cygwin very much. Now consider across a bunch of workstations on a network.
"Want say tunneling to a Windows service? If you use Windows only as a client...."
Don't. Use a proper tool. PuTTY is a client, not a server. This is like saying that ssh-client is no good at being sshd,.. of course not. But that's not what we're talking about.
And the fact is that for every SSH server set up (properly), you probably have 10-100 clients joining to it or you wouldn't bother setting it up. And one of the main points of things like SSH servers is cross-compile farms and remote access. And almost all the universities that offer such services recommend PuTTY if you're on Windows (because they've dealt with the Cygwin issues, I assure you, and decided it's not worth the hassle).
Opinion, of course. So's yours. Just because it's contrary doesn't make it more or less valid.
However, PuTTY is widely used and recommended for everything from talking to your Arduinos over a serial port to logging into your University server... go take a look. Cygwin - if and when it comes up - is not mentioned in nearly as many places for such simple actions.
Cygwin is, in fact, overkill for the majority of users who just want to use SSH, telnet or serial services from Windows. If they wanted Linux, generally they end up installing it in preference to Cygwin.
Re: (Score:2)
Connection->ssh->tunnels, works like a charm.
Re: (Score:3)
Putty runs circles around the cmd.exe terminal you'd have to suffer with, going that route.
Re:Why? (Score:4, Interesting)
PuTTY also runs in linux, if you are doing a simple SSH access you can do it in any terminal easily, but PuTTY also does a lot of stuff that you need to be a command-line specialist to be able to do by hand. Plus it saves your configurations for later uses.
Personally I always do tunneling through PuTTY
Re: (Score:2)
That's like saying you've been playing with Lego for 20 years, and you can't see why anyone would ever need a spanner.
Re: (Score:2)
Re: (Score:3)
WTF is that? Because that's not sgtatham's site. [greenend.org.uk]
Re: (Score:2)
What would you say if someone set up a website with the following URL: http://www.chiark.greenend.org/~sgtatham/putty/download.html
Do you see what the problem is here?
TRWTF is that there is no putty.cc (Score:2)
I tried that and got "Firefox can't find the server at www.putty.cc." The fact that putty.cc doesn't exist is the real problem.
Obvious in what way? (Score:2)
obvious shady shit like this malicious version of PuTTY
The problem here is that it isn't "obvious shady shit" as you claim. The official PuTTY download page [greenend.org.uk] doesn't look very "official". This makes it easier to fool people into downloading the trojaned version instead of the official version.
Re: (Score:2)
Then what steps should an end user take to determine the official maintainer for any given piece of software, especially once malware purveyors become better at SEO than the official maintainer?
Re: (Score:2)
Re: (Score:2)
Putty corrupts data when copying/pasting large amounts. I got tired of that screwing up network confs & moved to TeraTerm.