FileZilla Has an Evil Twin That Steals FTP Logins

Nerval's Lobster writes "On the same day the world discovered Western intelligence agencies were siphoning user information from Angry Birds and other popular smartphone apps, a leading antivirus developer revealed hackers are doing the same thing with one of the most popular open-source applications on the Internet. Maliciously modified versions of the popular FTP application FileZilla look and act just like the real thing, but include extra code that steals the login data typed in by users and sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it's doing, according to an alert posted this afternoon by antivirus developer Avast Software. The malicious version is fully functional, uses the same graphical interface and component file names as the original, and masks itself further by avoiding any suspicious entries in the system registry, overt attempts to communicate with outside servers or other changes, according to the Jan. 27 alert from Avast. The most obvious differences are that the poisoned version of filezilla.exe is 6.8MB smaller than the real thing and there are two DLL libraries included in the fake that are not present in the original. They are labeled ibgcc_s_dw2-1.dll and libstdc++-6.dll, according to Avast. The official version's Nullsoft installer is v2.45-Unicode; the evil twin uses v2.46.3-Unicode. Automatic updates also fail on the poisoned version 'which is most likely a protection to prevent overwriting of the malware binaries,' Avast added."

Firewall

[Dan East]

I'm not fully understanding the "sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it's doing" part. It's posting the stolen credentials via http, not FTP. If FileZilla is only given access to the FTP port then it should block this behavior, correct? I'm just not understanding what's magical about this - any app that is already given blanket permission to access the network in a general way can send data to places it shouldn't go without being blocked by firewalls. They make it sound like there's something special or exotic it's doing to avoid the firewall and I'm not understanding exactly what that is.

Re:Firewall

[Anonymous Coward]

More importantly, any app which legitimately needs access to an internet-enabled DNS resolver can exfiltrate data without permission to access the internet on its own. What you need in order to catch this kind of thing is an IDS, not a firewall.

Re:Firewall

[fatphil]

Absolutely, side channels are everywhere if all you care about is small packets of data. You don't even need to "connect" to pass the data, as some things happen before the connection you'd think of filtering. Try resolving the domain name fatphil.hunter2.haxorsrus.ru., and when the DNS server for *.haxorsrus.ru. responds with a random address, you never need to connect to it on any port, the payload's been delivered already. You can't filter DNS without breaking way too much of the internet.

Re:What about GNU/Linux ?

[gl4ss]

what I find funny is that the poisoned extra payload version is several megabytes smaller than the clean one!

Re:Blame Source Forge...

[Anonymous Coward]

Your SFInstaller is the most annoying thing ever, and I actively encourage open-source projects to leave SourceForge because of its existence, whether it is supposedly voluntary or not.

Re:Blame Source Forge...

[Anonymous Coward]

when the download from sourceforge can't be trusted
is it so strange that people try to download the software from elsewhere?

(When sf came to filezilla wanting them to join in on this stupidity, filezilla should have stood up, said "Hell no!!" and quickly moved the project elsewhere, and maybe maybe sf would have scrapped the idea altogether "ok this was perhaps not a good idea after all"... but it is too late now. the damage is done, sf is dead in my eyes)