angussf
Premium Member
join:2002-01-11
Tucson, AZ

1 recommendation

Fully functional trojanized FileZilla client steals FTP logins

Seen today, just one more reason to avoid FileZilla:
Trojanized versions of the hugely popular FileZilla FTP client are being offered to unsuspecting users via hacked websites with fake content.

"Malware installer GUI is almost identical to the official version. The only slight difference is version of NullSoft installer where malware uses 2.46.3-Unicode and the official installer uses v2.45-Unicode. All other elements like texts, buttons, icons and images are the same," Avast researchers warn.

"The installed malware FTP client looks like the official version and it is fully functional! You can’t find any suspicious behavior, entries in the system registry, communication or changes in application GUI."
Seen here:
Fully functional trojanized FileZilla client steals FTP logins
»www.net-security.org/mal ··· ?id=2690

therube
join:2004-11-11
Randallstown, MD

Member

> one more reason to avoid FileZilla

And what are the other reasons?
And how is it that if someone (not FileZilla) distributes a rogue version of an app, that you should look down on the source?

Are there not "fake" Flash & "fake" media players & "fake" ... out there?
And are we to look down on (Adobe) Flash because of that?
(Oh yeah, we do look down on Flash.)

norwegian
Premium Member
join:2005-02-15
Outback

Sheesh, so malware variants are out there?

So what has that to do with the official version?

But it is better alerted than not at all...

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to angussf

See also:
Malformed FileZilla FTP client with login stealer
»blog.avast.com/2014/01/2 ··· stealer/

angussf
Premium Member
join:2002-01-11
Tucson, AZ

angussf to therube

said by therube:

And what are the other reasons?

FileZilla stores saved passwords in plain text in a fixed file location. Malware can harvest these files trivially; I know from personal experience with a client who no longer uses FileZilla after their FTP passwords leaked and many of their saved FTP sites were used to distribute the same malware.

The author of FZ has repeatedly refused to consider encrypting saved passwords, noting that FTP is a plain-text protocol. Even though FZ supports SFTP, the author won't consider discontinuing this unsafe practice.

Search for 'filezilla "plain text" passwords'.

For FTP I recommend either WinSCP or Total Commander, both of which allow you to encrypt your saved passwords with a "Master Password". That way if malware exfiltrates your "saved passwords" file, they're not in plain text.
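
An audit of the saved-password exposure described in the post above, as an added example that is not part of the original thread or of FileZilla's code. It reports which saved sites have a stored password and how it is stored, without printing the password. The file name `sitemanager.xml` under `%APPDATA%\FileZilla`, the element names, and the `encoding` attribute are assumptions about the file layout; the sample data is constructed.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample, not real data. Element names follow the layout of
# FileZilla's sitemanager.xml as assumed for this example.
SAMPLE = """<FileZilla3><Servers>
  <Server><Host>ftp.example.com</Host><User>alice</User>
    <Pass>hunter2</Pass></Server>
  <Folder>
    <Server><Host>sftp.example.org</Host><User>bob</User>
      <Pass encoding="base64">czNjcjN0</Pass></Server>
  </Folder>
  <Server><Host>files.example.net</Host><User>carol</User>
    <Pass encoding="crypt">AAAA</Pass></Server>
  <Server><Host>ask.example.net</Host><User>dave</User></Server>
</Servers></FileZilla3>"""


def classify(pass_elem):
    """Describe how a saved password is stored, without returning it."""
    if pass_elem is None or not (pass_elem.text or "").strip():
        return "none"
    encoding = pass_elem.get("encoding")
    if encoding is None:
        return "plaintext"
    if encoding == "base64":
        return "base64"  # an encoding, not encryption
    return "other:" + encoding  # reported by name for manual review


def audit(xml_text):
    """Return (host, user, storage) for every saved site, folders included."""
    root = ET.fromstring(xml_text)
    return [(s.findtext("Host", ""), s.findtext("User", ""),
             classify(s.find("Pass"))) for s in root.iter("Server")]


def recoverable(findings):
    """Sites whose password is readable by anyone who copies the file."""
    return [f for f in findings if f[2] in ("plaintext", "base64")]


if __name__ == "__main__":
    # Assumed default location on Windows; the sample is used if it is absent.
    path = os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "sitemanager.xml")
    text = open(path, encoding="utf-8").read() if os.path.isfile(path) else SAMPLE
    for host, user, storage in audit(text):
        print(f"{host:20} {user:10} {storage}")
```

Sites reported as `plaintext` or `base64` are the ones to re-key and remove from the saved list first.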

therube
join:2004-11-11
Randallstown, MD

Member

> Filezilla stores saved passwords in plain text in a fixed file location

Within %APPDATA% it looks like.
Thanks.

PS: I hope that malware never gets a hold of my passwords.txt file.

sbconslt
join:2009-07-28
Los Angeles, CA

Member

We discussed the plaintext password issue in FZ earlier here:

»Plain text passwords: whose responsibility?

This new thing is really a separate issue, and you can't hold it against FZ in the same way as the other one.

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

Snowy to angussf

said by angussf:

"Malware installer GUI is almost identical to the official version. The only slight difference is version of NullSoft installer where malware uses 2.46.3-Unicode and the official installer uses v2.45-Unicode.

That quote from the link should be clarified.
There isn't a "Nullsoft" version of FileZilla floating around.
The link is referring to Nullsoft's open source Scriptable Install System which was used to compile the trojanized version.
»nsis.sourceforge.net/Main_Page

Sentinel
Premium Member
join:2001-02-07
Florida

Sentinel to angussf

Thanks for the info. There is no such thing as unimportant security info.

That said ... I only download ALL programs from the original author's website; which I assume is a clean, uninfected copy.
And I don't save passwords in ANY program ever. I always enter the password for everything each and every time I log in to anything. No cookie log-ins and no saved password log-ins.

I do things infrequently enough that I can do that. I realize that others do more and as such cannot. But this works for me.