Trojaned FileZilla FTP (and JYA is a badass, CCC files criminal complaint over Snowden leaks)

What happens if an adversary can trick you into downloading THEIR version of a popular software package… whether by sending you to a hacked site, or via QUANTUM INSERT?

Some Russkies have a neat demo. Hackers using a domain registrar well-known in the Russian underground created a version of the popular FileZilla FTP client. And a near-duplicate of the official FileZilla page.

The idea being, if you can send someone looking to download the software to the hosted-on-a-hacked-site page, instead of the legitimate site, you’ve got a backdoor.

In this case the software doesn’t do much extra… it just tells the crooks the login information for every server you connect to.

The whole operation is designed for stealth — there are very few signs of what happens, and no system changes that would give the game away.

It looks like the idea is to get people using the client long-term… many people. And then just collect server logins for nefarious uses later.

I wonder if they’re doing e.g BGP redirects from the official FileZilla site to get people to grab the wrong file… or more local DNS hackery?

Of course they could also be using easier-to-spot methods like dodgy portals and “bundled software” downloaders. Who knows.

JYA is a badass: ’nuff said.

CCC files a criminal complaint over the Snowden leaks — alleging the German government aided and abetted mass surveillance.

One side effect of the complaint? Even if the Federal Prosecutor’s Office decides not to pursue a case against the Americans for spying on Germany, the CCC can press forward with their case (and has many options even if the bureaucracy tries not to pursue it at first).

A second side effect of such a case being, quite possibly, bringing Edward Snowden to Germany as a witenss to testify!

Question: If Snowden comes to Germany as a witness in the CCC’s case against the German government, does this neatly side-step most of the diplomatic concerns?

Quoth some Merkel of the future, “it wasn’t OUR choice, those pesky hackers forced us to do it! Ve are just following our law! And zey are prosecuting *us*! So quit mit de whining!”

Somebody’s been using their noggin…

“The first suspicious signs are bogus download URLs. As you can see, the installer is mostly hosted on hacked websites with fake content (for example texts and user comments are represented by images.)[…]

The installed malware FTP client looks like the official version and it is fully functional! You can’t find any suspicious behavior, entries in the system registry, communication or changes in application GUI[…]

We found a hardcoded connection detail stealer after deeper analysis. Malware authors abuse open source code and add their own stealer function to the main code.

The algorithm is part of a malformed FileZilla.exe binary, therefore sending stolen log in details which bypasses the firewall. The whole operation is very quick and quiet. Log in details are sent to attackers from the ongoing FTP connection only once. Malware doesn’t search bookmarks or send any other files or saved connections.[…]

The absence of any suspicious activity is the biggest danger for average users who can use malformed FileZilla for a very long time.

We assume that the stolen FTP accounts are further abused for upload and spread of malware. Attackers also can download whole webpage source code containing database log in, payment system, customer private information etc.

Connection via infected FTP client to your home or corporate network is another level of this threat.”

%d bloggers like this: