Intelligence Brief: Versions of FileZilla May Be Compromised

By gTIC ·

FishNet Security’s gTIC team has recently discovered that versions of the FileZilla FTP client (versions 3.5.3 and 3.7.3) may be compromised. The finding was originally reported by the antivirus and security company Avast. The widely used FTP client has been found on several dubious download sites carrying “additional” functionality that is not part of the legitimate application.

Once a user has downloaded the malicious version, it is not easy to tell that the application is not genuine. The authors of the malicious build use an installer that is visually almost identical to the official one. Avast does note that the NullSoft installer used by the official application is v2.45-Unicode, while the malicious application uses v2.46.3-Unicode. Most users will not notice this difference, nor the differences in the “About” information presented after installation.

As stated by Avast:

“The only differences that can be seen at first glance are smaller filesize of filezilla.exe (~6,8 MB), 2 dll libraries libgcc_s_dw2-1.dll and libstdc++-6.dll (not included in the official version) and information in ‘About FileZilla’ window indicates the use of older SQLite/GnuTLS versions. Any attempt to update the application fails, which is most likely a protection to prevent overwriting of malware binaries.”

Additionally, because the malicious application performs the same functions as the genuine one, it is even harder for users to spot that they have installed a malicious build. Avast researchers identified code in the installed application indicating that an information-stealer function has been added, which collects and transmits the FTP connection details used by the user. The collected information is sent quickly and quietly, once, over an ongoing FTP connection.

Avast posted the following network traffic, captured while a malicious installation of FileZilla v3.7.3 was in use:

The outbound communications were sent to IP 144.75.120.243. As of this report, this IP has not appeared on any IP blacklists, but it has been linked to the domains go-upload.ru, aliserv2013.ru and ngusto-uro.ru. Each of these domains is registered through Naunet.ru, which has historically been associated with various malicious activities.

File information provided by Avast for the installer and the executables it creates shows that AV vendors are beginning to detect the malicious files, but many are still not up to date on them.

Malicious Installer v3.5.3:
SHA256: 595D954C7CE574337C97A0801E779BC3DCA94FC92AFAE8F483DCDD1A053C5C24
VirusTotal Link (12/50 Detect): https://www.virustotal.com/en/file/595D954C7CE574337C97A0801E779BC3DCA94FC92AFAE8F483DCDD1A053C5C24/analysis/

Malicious FileZilla.exe v3.5.3:
SHA256: 525E9ED135C1435772A774D7AD7168CECCD225E354118E621482DB61174F6734
VirusTotal Link (18/50 Detect): https://www.virustotal.com/en/file/525E9ED135C1435772A774D7AD7168CECCD225E354118E621482DB61174F6734/analysis/

Malicious Installer v3.7.3:
SHA256: B9A12F9B6827144D84E65EF2BA454D77CB423C5E136F44BC8D3163D93B97F11F
VirusTotal Link (16/50 Detect): https://www.virustotal.com/en/file/B9A12F9B6827144D84E65EF2BA454D77CB423C5E136F44BC8D3163D93B97F11F/analysis/

Malicious FileZilla.exe v3.7.3:
SHA256: 2451599C03B136C1848F538184F0F266973B65AFC8DD25F272A7E6B0555B657A
VirusTotal Link (18/50 Detect): https://www.virustotal.com/en/file/2451599C03B136C1848F538184F0F266973B65AFC8DD25F272A7E6B0555B657A/analysis/
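As an added example (not part of this brief or of Avast's tooling), the following Python script sweeps a FileZilla installation directory for the host-side indicators described above: the two extra DLLs Avast observed and the SHA256 hashes listed in this brief. The `run_constructed_demo` function builds a constructed directory of stand-in files and supplies the stand-in's own hash as the known-bad value, since no real samples are included.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA256 hashes of the trojanized installers and executables, as listed in this brief.
KNOWN_BAD_SHA256 = {
    "595D954C7CE574337C97A0801E779BC3DCA94FC92AFAE8F483DCDD1A053C5C24": "malicious installer v3.5.3",
    "525E9ED135C1435772A774D7AD7168CECCD225E354118E621482DB61174F6734": "malicious filezilla.exe v3.5.3",
    "B9A12F9B6827144D84E65EF2BA454D77CB423C5E136F44BC8D3163D93B97F11F": "malicious installer v3.7.3",
    "2451599C03B136C1848F538184F0F266973B65AFC8DD25F272A7E6B0555B657A": "malicious filezilla.exe v3.7.3",
}
# DLLs shipped with the trojanized build that the official build does not include.
SUSPICIOUS_DLLS = {"libgcc_s_dw2-1.dll", "libstdc++-6.dll"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 and return the upper-case hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def scan_install_dir(install_dir, bad_hashes=KNOWN_BAD_SHA256):
    """Return (indicator, path, detail) tuples for every indicator hit under install_dir."""
    findings = []
    for path in sorted(Path(install_dir).rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name in SUSPICIOUS_DLLS:
            findings.append(("suspicious_dll", str(path), name))
        if name.endswith((".exe", ".dll")):
            digest = sha256_of(path)
            if digest in bad_hashes:
                findings.append(("known_bad_hash", str(path), bad_hashes[digest]))
    return findings


def run_constructed_demo():
    """Scan a constructed install tree (stand-in files, not real malware) and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        exe_bytes = b"constructed stand-in for a trojanized filezilla.exe"
        (root / "filezilla.exe").write_bytes(exe_bytes)
        (root / "libstdc++-6.dll").write_bytes(b"constructed extra dll")
        # The stand-in's own hash plays the role of a known-bad hash for this demo only.
        demo_bad = {hashlib.sha256(exe_bytes).hexdigest().upper(): "constructed sample"}
        return [(kind, Path(p).name, detail) for kind, p, detail in scan_install_dir(root, demo_bad)]
```

On a real host, call `scan_install_dir` on the FileZilla program directory with the default hash table; an empty result means neither indicator was found, not that the install is clean.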

To help protect your environment, FishNet Security recommends that organizations review their firewall configurations and policies governing FTP communications. Many organizations also provide known-malicious IP/URL blacklists that can be used in firewall and IDS/IPS solutions. Current FishNet Security MSS clients have access to IP/URL blacklists through the gTIC page in the MSS client portal to help identify malicious activity. The IPs identified in this report should be added to the blocking rules of any firewall and IPS/IDS solution.

Further steps include reviewing policies and procedures around the installation of applications on corporate devices, to prevent unnecessary and potentially malicious applications from being installed. As with any software download and installation, make sure you obtain the application from an official source.

Additional information may be found on Avast’s blog: https://blog.avast.com/2014/01/27/malformed-filezilla-ftp-client-with-login-stealer/