On the same day the world discovered Western intelligence agencies were siphoning user information from Angry Birds and other popular smartphone apps, a leading antivirus developer revealed hackers are doing the same thing with one of the most popular open-source applications on the Internet.
Maliciously modified versions of the popular file-transfer protocol (FTP) application FileZilla look and act just like the real thing, but include extra code that steals the login data typed in by users and sends it to an unauthorized server using the same FTP operation launched by the user without going through a firewall that might spot what it’s doing, according to an alert posted this afternoon by antivirus developer Avast Software.
FileZilla is the ninth most-downloaded application from the open-source site SourceForge, with 256.8 million downloads over its lifetime and almost 600,000 this week alone.
The malicious version is fully functional, uses the same graphical interface and component file names as the original, and masks itself further by avoiding any suspicious entries in the system registry, overt attempts to communicate with outside servers or other changes, according to the Jan. 27 alert from Avast.
The most obvious differences are that the poisoned version of filezilla.exe is 6.8MB smaller than the real thing and there are two DLL libraries included in the fake that are not present in the original. They are labeled ibgcc_s_dw2-1.dll and libstdc++-6.dll, according to Avast.
The official version’s Nullsoft installer is v2.45-Unicode; the evil twin uses v2.46.3-Unicode.
Automatic updates also fail on the poisoned version “which is most likely a protection to prevent overwriting of the malware binaries,” according to Avast.
Under the covers, however, something naughty is going on.
The evil twin includes a set of hardcoded functions that grab copies of the username and password every time a user logs in to an FTP site, converts it to the format “ftp://username:firstname.lastname@example.org:port,” encodes it using a base64 algorithm and sends it to the attacker’s using a custom-installed user agent and the WS2_32.send API interface.
The attacker’s site uses the IP address of a German server that is linked to sites in Russia registered by Russian domain-name registrar NAUNET, which has been accused of harboring servers distributing malware, spam, or acting as part of criminal botnets.
“The whole operation is very quick and quiet. Log in details are sent to attackers from the ongoing FTP connection only once,” according to the report. “Malware doesn’t search bookmarks or send any other files or saved connections.”
The biggest danger is that the malware version of the FileZilla client doesn’t do anything that would raise a user’s suspicions, so each version could be in use for a long time. Because the infection is in an application designed specifically to connect to secure servers and exchange files, malicious versions of FTP software could spread itself to otherwise secure servers and use permission to use FTP to upload “whole webpage source code containing database login, payment system, customer private information, etc.,” according to the report.
The best way to avoid the evil twin is to make sure downloads come only from trusted sites, avoid sites using custom downloaders and avoid installers that have adware or other add-on application installed as well, the report recommends.
Malicious versions of the FileZilla client use the following IDs, though they may not be limited only to the following:
Malicious Installer v3.5.3:
Malicious FileZilla.exe v3.5.3
Malicious Installer v3.7.3
Malicious FileZilla.exe v3.7.3