FileZilla FTP client doppelganger on the loose, stealing logins

by Mark Tyson on 29 January 2014, 11:59

Tags: avast!

Quick Link: HEXUS.net/qab765

Add to My Vault: x

FileZilla is a very popular fully featured open source FTP client which has been the target of malware writers before but a new campaign, backed by many third party websites, is the largest ever seen to date, reports PC Advisor.

The FileZilla blog says that this threat to would-be FileZilla downloaders is being addressed as best as it can and it is "taking measures to get the known offenders removed." For FileZilla it's not so simple to track down and prevent tainted versions of the software because, as part of the free open source software and the GNU General Public License, (beneficial) redistribution and modifications are encouraged.

If perhaps you haven't paid much attention to where you downloaded your copy of FileZilla you might be getting more than you bargained for with this malware infested version. Security software company Avast says that the iffy FileZilla versions are as up-to-date as the official versions (up to 3.7.3 right now) but that these programs will seek to steal your FTP login credentials bypassing your firewall as it is part of the main program; "The whole operation is very quick and quiet." Other than that the FTP client is fully functional and operates as you would expect.

A quick check to see if the FileZilla FTP program on your computer is a tainted version is possible via the about box; the use of older GnuTLS/SQLite versions as can be seen in the screenshots below. Also you will find the malware infected version will not update; which for versions 3.7.3 is logical at this time as it's the newest release. However it still won't update when a newer version comes out, in order to protect itself from replacement.

click to zoom image

What would happen to your FTP login data if you used this hacked version of the program? The Avast blog reveals that stolen data would be sent to individuals or organisations using the "infamous Russian domain registrar Naunet.ru, which is associated with malware and spam activities". This registrar doesn't display client contact info or respond to suspension requests. It is assumed that the FTPs will then be used for further spread of malware and if your site uses a payment system that is also vulnerable.

It is recommended that users always download FileZilla directly from the official FileZilla website or the SourceForge page.



HEXUS Forums :: 4 Comments

Login with Forum Account

Don't have an account? Register today!
It is staggering how many people will type "download " into Google and hit the first result.

I'd like to think this wouldn't happen to me, because I only ever download software from the sources confirmed by official website. I suppose that might be a little naive, but it's certainly a pretty good start.
This is the sort of reason I always download using ninite.com
ajax2061
This is the sort of reason I always download using ninite.com

Ninite is a pretty handy tool I agree.
ajax2061
This is the sort of reason I always download using ninite.com
But what's to stop them (ninite) from (accidentally?) including one of those bad copies? Not slagging them off, ninite isn't something I've come across before, so I'm curious.

Personally with this kind of thing I'd agree with Jim and prefer to go direct to the project's area.