Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Digibase Security Advisory - Malware Impersonating FileZilla
Keywords: FileZilla, malware
DBSA ID: 2014-0002
Regarding: Malware Impersonating FileZilla
Date: 2014 01 28
Last Modified: 20140128131855 by Kradorex Xeron
Who should take note: Everyone, particularly FileZilla users
Rationale: Users utilizing the program must take note to see if they are utilizing a legitimate installation of the software.
Rationale: Utilizing the malicious variant may compromise security of websites and lead to damages.
Spread of Issue: SINGLE-PLATFORM HIGH
Rationale: Most users do not use FTP software, however this has the potential to affect users accessing websites maintained using the software.
FileZilla is an FTP file management utility that provides website and server administrators access to transmit and receive files via FTP (File Transfer Protocol). It has been reported that the software has had a fake variant released that poses as being the software, the fake variant is fully operational and will operate as expected but contains hooks that transmit any logins and passwords entered to a third party through largely undetectable means.
This has implications whereas websites administered or maintained using the fake variant may be maliciously compromised and altered to host malware, illegal activities or redirect users to compromised websites.
It is advised to utilize official sources only for downloading the software and be sure that any versions already installed do not contain the files in the "C:\Program Files\FileZilla FTP Client" or "C:\Program Files (x86)\FileZilla FTP Client" directories:
The installation package of the software may be verified by checking which version of the NullSoft installer it utilizes. The legitimate version is v2.45-Unicode while the malicious version is v2.46.3-Unicode.
If any credentials have been potentially compromised, it is advised to contact your server or system administrator or provider to reset any passwords that may have been compromised, including any attached web control panel passwords.
Users of small to medium websites are advised to forward this advisory to their webmasters.