Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Encryption Security

Trojanized, Info-Stealing PuTTY Version Lurking Online 216

One of the best first steps in setting up a Windows machine is to install PuTTY on it, so you have a highly evolved secure shell at your command. An anonymous reader writes, though, with a note of caution if you're installing PuTTY from a source other than the project's own official page. A malicious version with information-stealing abilities has been found in the wild. According to the article: Compiled from source, this malicious version is apparently capable of stealing the credentials needed to connect to those servers. "Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server, (known as 'root' access) which can give them complete control over the targeted system," the researchers explained. The Symantec report linked above also shows that (at least for this iteration) the malware version is easy to spot, by hitting the "About" information for the app.
This discussion has been archived. No new comments can be posted.

Trojanized, Info-Stealing PuTTY Version Lurking Online

Comments Filter:
  • by danbob999 ( 2490674 ) on Tuesday May 19, 2015 @09:26AM (#49725739)
    And if not, why should I care?
    • by mwvdlee ( 775178 ) on Tuesday May 19, 2015 @09:44AM (#49725915) Homepage

      In this particular situation; because at first glance the main download page, site and URL doesn't look "official" at all.
      http://www.chiark.greenend.org... [greenend.org.uk]
      It would be pretty easy to confuse a slightly more modern looking page for the "main download page".

      • by jones_supa ( 887896 ) on Tuesday May 19, 2015 @09:51AM (#49725973)
        That's a good point actually.
      • by danbob999 ( 2490674 ) on Tuesday May 19, 2015 @10:00AM (#49726071)
        I agree however http://www.putty.org/ [putty.org] links to this page and is the first result on google. The second result is this page. As long as scammers can't get their trojanized putty on google's first page I don't think there is much of a risk.
        • by Jadecristal ( 135389 ) on Tuesday May 19, 2015 @03:20PM (#49729311)

          I know that there are checksums on the download page. We know how to use them. Other people don't.

          I don't understand WHY, after all this time, the author(s) continue to refuse to get a code-signing certificate and sign the executable files and the installer. I'm almost assuming that it's on principle somehow, because it's not that expensive and if a request was made I'd bet donations would take care of the cost in under a day.

          • by Anonymous Coward

            Because it would provide no extra security.

            Certs and digital signatures cannot vouch for the person who made them. All they say is: After running my verification algorithm, I have determined that a key that is mathematically equivalent to this public cert was used to sign this file.

            Notice that the algorithm, the key, the signature, nor can the file in question is actually verified in this statement. From the user's perspective, they *assume* the algorithm is secure and trustworthy. The user *assumes* that t

      • Re: (Score:2, Informative)

        by Anonymous Coward

        While that seems like sound reasoning, I have found that in practically every case it is a recipe for disaster to think that way.

        Most high-quality software packages and libraries, at the highest levels, come from very spartan websites.

        The Flash junkies will argue this point with me for years, and it's nice to have flashy web design as part of a broad-spectrum marketing strategy, but it's all just fluff that gives too many problems a chance to creep in undetected.

      • by tnk1 ( 899206 ) on Tuesday May 19, 2015 @10:50AM (#49726589)

        I am always struck by the fact that something in such widespread use as PuTTY is still downloaded from what looks like someone's public home directory.

        On the other hand, it is such an anomaly that I instantly recognize the site when I see it as the correct download site.

      • by Ben Hutchings ( 4651 ) on Tuesday May 19, 2015 @01:39PM (#49728373) Homepage
        I know that's the official site, but:
        • I'm supposed to download binaries that don't have Authenticode signatures, from a web server that doesn't support TLS.
        • And then I have to download (and somehow verify) a copy of PGP or GnuPG, in order to verify the signatures they do provide. (I also have to know and remember the fingerprint of the genuine PGP signing key.)
        • Finally, I have to trust that no-one has cracked a 1024-bit PGP key.

        I can only assume that almost all downloads from the official site are vulnerable to MITM'ing. And, as PuTTY is such a popular tool, it is surely a prime target for that.

    • by ne0n ( 884282 )
      Tried to confirm, apt-get install putty grabbed a good binary. Checksums match. This article is blowing smoke.
  • Dear DICE (Score:4, Informative)

    by mr.mctibbs ( 1546773 ) on Tuesday May 19, 2015 @09:28AM (#49725761)
    I stayed through the beta bullshit. I stayed through Bennett. Autoplaying audio advertisement, and what the fuck ever you're letting through that's running my machine to a crawl with javascript: these are the final straw. Fuck you, I'm done.
  • by Anne Thwacks ( 531696 ) on Tuesday May 19, 2015 @09:36AM (#49725839)
    So, what is it we are supposed to look for on the about page?

    "This is the malicious version! If you want the secure one, please delete me and go elsewhere!"

    Is there a way to read the about page without installing?

    The article came quite close to being useful, but then missed by a mile.

  • Putty domain (Score:4, Insightful)

    by watermark ( 913726 ) on Tuesday May 19, 2015 @09:41AM (#49725881)

    I never did like that you had to download putty from a "random" domain. The putty.org website takes you to some greenend.org.uk domain. If you google for putty, it takes you directly to the greenend.org.uk domain. The official binary really should be hosted on the putty.org domain, or at the least have the actual download link on the official domain, using that greenend.org.uk domain as a CDN for the binary.

    • Re:Putty domain (Score:5, Insightful)

      by red_dragon ( 1761 ) on Tuesday May 19, 2015 @09:52AM (#49725989) Homepage
      greenend.co.uk is the official domain for PuTTY (specifically, www.chiark.greenend.co.uk). Simon Tatham has hosted it there from the start. I'd be more suspicious of putty.org, honestly.
      • Re: (Score:2, Insightful)

        by Anonymous Coward
        Yes, but a newcomer would find www.chiark.greenend.co.uk more suspicious than putty.org.
      • greenend.co.uk is the official domain for PuTTY (specifically, www.chiark.greenend.co.uk). Simon Tatham has hosted it there from the start. I'd be more suspicious of putty.org, honestly.

        Except that the official domain is greenend.org.uk. See, even you got confused it there.

  • by AverageCitizen ( 4120563 ) on Tuesday May 19, 2015 @09:41AM (#49725893)
    The infected client contains "Unidentified build, Nov 29 2013 21:41:02" on the about PuTTY page while the official has "Release 0.63". Cisco has a good article here: http://blogs.cisco.com/securit... [cisco.com] by Robert Semans, Brandon Enright, James Sheppard, and Matt Healy.
    • by ledow ( 319597 ) on Tuesday May 19, 2015 @09:59AM (#49726069) Homepage

      That's just because they compiled without specifying the build number.

      That's LITERALLY a ten-second fix and recompile to resolve.

      Don't identify software / spam / viruses by "it has X feature that's easily copied", whether that's a registry entry, a process name or an arbitrary string.

      Publish the damn checksums at a minimum, or GPG signing key ideallly.

      • Publish the damn checksums at a minimum, or GPG signing key ideallly.

        They are published:
        http://www.chiark.greenend.org.uk/~sgtatham/putty/download.htm

        Your average Windows user and his average admin don't know what to do with a checksum, however.

      • The check sums are already published, anyone that wants to check can check.

        To the other half, I can modify any Windows binary to have malware and keep the version the same. Check sums can fix that almost all of the time. The build information is as reliable as the binary's name, in that it has very little use.

        People pushing this gunk are not going after knowledgeable users that check sources (obviously), they are going after the low hanging fruit which could be "got" any number of ways. The latest craze

        • I'm sure the publishers of tainted versions of PuTTY also have MD5s I can download and verify against.
          • I'm sure the publishers of tainted versions of PuTTY also have MD5s I can download and verify against.

            Do you know what the purpose of a checksum is? What you said doesn't really make sense.

  • Best first steps (Score:5, Insightful)

    by ArcadeMan ( 2766669 ) on Tuesday May 19, 2015 @09:44AM (#49725911)

    One of the best first steps in setting up a Windows machine is to install PuTTY on it.

    The best first step is to install Steam, because Windows is only used for gaming.

    How does it feel to be on the other side of a generalization, timothy?

    • Re: (Score:2, Insightful)

      by Sarten-X ( 1102295 )

      I just rebuilt my Windows desktop at home.

      The first thing I did was to install Google Chrome, because I'd rather not tolerate IE while fetching other stuff. Next was Steam, mostly so I could get it downloading a game immediately. Once my game was underway, I downloaded PuTTY, followed by a few other utilities.

      From my perspective, you're all very close, but wrong nonetheless.

    • by tepples ( 727027 )

      Windows is only used for gaming.

      Or for game development, for which you might need a shell to administer your version control server.

  • by MrKaos ( 858439 ) on Tuesday May 19, 2015 @09:45AM (#49725929) Journal

    I've never really be that fond of putty, although I see where it is useful. Cygwin offers so much more having use of the shell on windows and ssh if you need to get into a system. Cygwin/X is even better when I need to get a gui. Add windowspager and Windows becomes a great presentation layer!

    Thank you Cygwin people!

    • by Pope Hagbard ( 3897945 ) on Tuesday May 19, 2015 @10:08AM (#49726145) Journal

      MobaXterm is pretty nice as a SSH/Telnet/X11/mosh/tunnel client. It doesn't do anything you can't do with Cygwin in that regard but it's less work to get set up.

      • I sort of like Teraterm Pro, I don't think it really does more than putty but it's self-contained (in regard to the GUI), tabbed and the set up is mostly setting up the font, font size and text color. With either putty or Teraterm, install Xming to do X11 (next/next/finish, then check a box in the terminal program's settings)

      • A second vote for MobaXTerm. I moved to it from Putty. It has tabs and the X11 stuff built in, don't have to configure a thing - it just works. Love it.

  • Someone's always gonna ruin it.
  • That's not from the main putty page but is linked to from the main page.
  • Sure, in 2015, it wouldn't be so hard for Microsoft to include an SSH client with their OS? I can't think of any other OS that doesn't come with one pre-installed.

    • Because their solution was powershell with it's own nonstandard remote interface.

      • And Windows can't even run powershell scripts by default, making it useless. You need to change some security settings in order to execute a simple Windows equivalent of a ".sh".
  • Unlike PuTTY (which is a fantastic piece of work, BTW), I understand the OpenSSH client. I guess my UNIX roots are showing.

    With that said, I do routinely install PuTTY - I've gotten tired of the old arguments:

    (ME): "What ports should I use on the jump server, and is Netcat installed there?"

    (COWORKER): "Just click on PuTTY and go to the Tunnels part . . ."

    (ME): "Can't you just tell me what ports to use?"

    (COWORKER): "The only way I know how is in PuTTY."

    Anybody but me ever felt the urge to punch the mo

  • I use Putty plenty, but I haven't had a time yet where I have needed to use it on a new system and needed root access on the system I am logging in to. If I'm using it on a new box, I am logging in with my usual non-root account on my remote system. How exactly would they use that to gain root access?
  • Anyone know if there's a trojanized version of PuTTY-CAC?

    For the rest of you, that's for use with "smart cards" (i.e., US fed gov PIV, or US DoD CAC id cards), and it's a fork of PuTTY.

    And what about pageant?

                  mark

  • 2015-05-19 Malware pretending to be PuTTY

    A Symantec blog post warns that a trojaned copy of PuTTY has been detected in the wild. Fortunately, it's easily recognisable by its version identification ("Unidentified build, Nov 29 2013 21:41:02"). If you've encountered this version, we suggest you treat any machine that's run the malicious version as potentially compromised, change any passwords that might have been stolen, and resecure the accounts they protect.

    • Yeah, I only have to connect to all of our machines with an admin account with psexec and run a c:\program files (x85)\PuTTY\pscp.exe -V with my admin account. Then I'll know if it's malware that I shouldn't run with an admin account. Huzzah!
  • by Damiano ( 113039 ) on Tuesday May 19, 2015 @12:20PM (#49727519)

    It is nice to know that the trojanized version retains the copyright notice and disclaimer of warranty as required by the PuTTY FOSS license. Good to see people properly using Open Source!

  • I use ZOC [emtec.com] terminal. Its commercial and worth it to me. Anyone else have a favorite SSH client?

Today's scientific question is: What in the world is electricity? And where does it go after it leaves the toaster? -- Dave Barry, "What is Electricity?"

Working...