Malformed FileZilla FTP client with login stealer
Posted on 01/28/2014 10:08:51 AM PST by Utilizer
Beware of malformed FileZilla FTP client versions 3.7.3 and 3.5.3. We have noticed an increased presence of these malware versions of famous open source FTP clients.
The first suspicious signs are bogus download URLs...
Malware installer GUI is almost identical to the official version. The only slight difference is the version of the NullSoft installer, where malware uses 2.46.3-Unicode and the official installer uses v2.45-Unicode. All other elements like texts, buttons, icons and images are the same.
The installed malware FTP client looks like the official version and it is fully functional! You can't find any suspicious behavior, entries in the system registry, communication or changes in application GUI.
The only differences that can be seen at first glance are smaller filesize of filezilla.exe (~6.8 MB), two DLL libraries libgcc_s_dw2-1.dll and libstdc++-6.dll (not included in the official version) and information in About FileZilla window indicates the use of older SQLite/GnuTLS versions. Any attempt to update the application fails, which is most likely a protection to prevent overwriting of malware binaries.
(Excerpt) Read more at blog.avast.com ...
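The indicators the excerpt lists (the two extra MinGW runtime DLLs, the ~6.8 MB filezilla.exe, the NSIS 2.46.3-Unicode installer stub) can be checked mechanically. The script below is an added example, not code from the Avast post or from the FileZilla project. Two things in it are assumptions of the example rather than facts from the excerpt: that an NSIS installer carries a greppable "Nullsoft Install System v<version>" marker in its stub, and the 0.5 MB window around 6.8 MB used to flag the executable size (the official size is not given above). The digest helper at the end is for comparing a downloaded installer against a checksum published by the official site, which is the "known good version from a reputable site" route mentioned later in the thread.

```python
"""Triage an installed FileZilla and its installer for the indicators above."""
import hashlib
import hmac
import os
import re
import tempfile

# From the excerpt: two MinGW runtime DLLs the official build does not ship.
EXTRA_DLLS = ("libgcc_s_dw2-1.dll", "libstdc++-6.dll")

# From the excerpt: the malicious filezilla.exe is about 6.8 MB. The official
# size is not given, so the +/- 0.5 MB window is an assumption of this example.
SUSPECT_EXE_SIZE = 6_800_000
SUSPECT_EXE_WINDOW = 500_000

# From the excerpt: malicious installer built with NSIS 2.46.3-Unicode, the
# official one with 2.45-Unicode. Assumption: the NSIS stub carries a plain
# "Nullsoft Install System v<version>" marker that can be grepped from the file.
NSIS_VERSION_RE = re.compile(
    rb"Nullsoft Install System v(\d+\.\d+(?:\.\d+)?(?:-Unicode)?)")
BAD_NSIS_VERSION = "2.46.3-Unicode"
GOOD_NSIS_VERSION = "2.45-Unicode"


def nsis_version(installer_bytes):
    """Return the NSIS version string embedded in an installer, or None."""
    m = NSIS_VERSION_RE.search(installer_bytes)
    return m.group(1).decode("ascii") if m else None


def classify_installer(installer_bytes):
    """Findings for a downloaded installer based on its NSIS stub version."""
    version = nsis_version(installer_bytes)
    if version is None:
        return ["no NSIS version marker found (not an NSIS installer?)"]
    if version == BAD_NSIS_VERSION:
        return [f"NSIS {version}: matches the malicious build"]
    if version == GOOD_NSIS_VERSION:
        return []
    return [f"NSIS {version}: neither the known-good nor the known-bad version"]


def classify_install(listing):
    """Findings for an install directory given as {filename: size_in_bytes}."""
    findings = []
    lowered = {name.lower(): size for name, size in listing.items()}
    present = [dll for dll in EXTRA_DLLS if dll.lower() in lowered]
    if present:
        findings.append("extra runtime DLLs present: " + ", ".join(present))
    size = lowered.get("filezilla.exe")
    if size is None:
        findings.append("filezilla.exe not found")
    elif abs(size - SUSPECT_EXE_SIZE) <= SUSPECT_EXE_WINDOW:
        findings.append(
            f"filezilla.exe is {size} bytes, near the ~6.8 MB malicious build")
    return findings


def scan_install_dir(install_dir):
    """Walk the top level of an install directory and classify it."""
    listing = {e.name: e.stat().st_size
               for e in os.scandir(install_dir) if e.is_file()}
    return classify_install(listing)


def file_digest(path, algorithm="sha256"):
    """Stream a file through hashlib; algorithm may be 'md5' for older manifests."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex, algorithm="sha256"):
    """True when the file matches a digest published by the official site."""
    return hmac.compare_digest(file_digest(path, algorithm).lower(),
                               expected_hex.lower())


if __name__ == "__main__":
    # Constructed fixture: a directory laid out like the malicious install.
    with tempfile.TemporaryDirectory() as d:
        for name, size in [("filezilla.exe", SUSPECT_EXE_SIZE),
                           *[(dll, 1024) for dll in EXTRA_DLLS]]:
            with open(os.path.join(d, name), "wb") as fh:
                fh.truncate(size)
        for line in scan_install_dir(d):
            print("install:", line)
    # Constructed bytes standing in for the two installers' NSIS stubs.
    for stub in (b"MZ..Nullsoft Install System v2.46.3-Unicode..",
                 b"MZ..Nullsoft Install System v2.45-Unicode.."):
        print("installer:", classify_installer(stub) or ["no findings"])
```

Run it against a real install with `scan_install_dir(r"C:\Program Files\FileZilla FTP Client")` and against a downloaded installer by reading its bytes into `classify_installer`. An empty findings list means none of the listed indicators matched, not that the build is clean; the excerpt itself says the trojanised client shows no suspicious registry, network or GUI behaviour, so a digest match against the official site's published checksum is the stronger check.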
Grr...just updated to 3.7.3. My version is clean but it wasn’t all that easy to prove. BTT
Yep. I walked through it just to be sure too. Bleh.
I feel sorry for those who are not that computer savvy and do not know how to check for and correct from a corrupt version, other than removal and re-installation from a known good version out of a reputable site.
I’ll say this with the same aplomb as I do with my coworkers: people still use FTP?
With cloud-based file services and SFTP out there, why would anyone want to continue using a protocol that transmits your uid/pw as clear text?
Meh. You get a guaranteed complete copy of the file you want, even if the download is interrupted for some reason. Like your internet connection goes out, which also defeats your cloud file services. Speaking as someone who does not have internet access at all times, cloud-based services are not reliable enough for critical functions.
Multipart and parity files are in use across the Internet. Resuming a download is pretty standard anymore. FTP’s only real use anymore is for anonymous file distribution in the case of, say, drivers for hardware, etc.
“Avoid strange looking websites and portals offering software via their own downloaders or installers”
My favorite advice. Heck, at least half the LEGIT download sites want to use their own damn installable downloader, which I refuse to do btw. I’ll just go elsewhere where I can get a clean download and let them keep their crappy downloaders.
Filezilla doesn’t just do vanilla FTP. It does SFTP and FTPS as well.
I personally use it to back up my wife’s blog onto my hard drive for easy disaster recovery or sudden webhosting changes.
For your tech Ping list.
Oddly enough, when downloading a file using http or https the file gets corrupted when interruptions occur and do not reliably resume the downloads. Needs a complete deletion and restart.
Too, although I am not an expert at it, I am informed that using an ftp service is the least-demanding usage of system resources one can find, thus its continued popularity.
FileZilla uses SFTP/SSH as well.
I generally use download.cnet.com. I don’t trust any others.
There’s no doubt it’s one of the most direct methods to get/put data, but vanilla FTP is one of the biggest security holes remaining on the Internet as a whole. SFTP improves on that, but you have to have SSL compatibility on both client and server, which, believe it or not, is not always standard.
Agreed, and I do the same. For those sites I either look around the web for somewhere else to download the file or wait until one appears before downloading.
The other types of downloads I worry about are the ones with an ".exe" extension. To be on the safe side, I uncompress them into their constituent directories first and make certain that only the software I need will be installed. For those that will not decompress I simply mark them as being malware and leave them uninstalled.
That’s the beauty of MD5 checksums. I generate MD5 checks for all of my uploads, esp. multipart, and I have the receiver check the data integrity. Admittedly it’s a bit more advanced, but it works really well.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.