From Digibase Knowledge Base
Jump to: navigation, search

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - Malware Impersonating FileZilla

Keywords: FileZilla, malware

DBSA ID: 2014-0002

Regarding: Malware Impersonating FileZilla

Writeup: Kradorex Xeron (talk) 13:18, 28 January 2014 (EST)

Date: 2014 01 28

Last Modified: 20140128141855 by Kradorex Xeron

Who should take note: Everyone, particularly FileZilla users


Priority: HIGH

Rationale: Users utilizing the program must take note to see if they are utilizing a legitimate installation of the software.

Severity: HIGH

Rationale: Utilizing the malicious variant may compromise security of websites and lead to damages.


Rationale: Most users do not use FTP software, however this has the potential to affect users accessing websites maintained using the software.


FileZilla is an FTP file management utility that provides website and server administrators access to transmit and receive files via FTP (File Transfer Protocol). It has been reported that the software has had a fake variant released that poses as being the software, the fake variant is fully operational and will operate as expected but contains hooks that transmit any logins and passwords entered to a third party through largely undetectable means.

This has implications whereas websites administered or maintained using the fake variant may be maliciously compromised and altered to host malware, illegal activities or redirect users to compromised websites.


It is advised to utilize official sources only for downloading the software and be sure that any versions already installed do not contain the files in the "C:\Program Files\FileZilla FTP Client" or "C:\Program Files (x86)\FileZilla FTP Client" directories:

  • ibgcc_s_dw2-1.dll
  • libstdc++-6.dll

The installation package of the software may be verified by checking which version of the NullSoft installer it utilizes. The legitimate version is v2.45-Unicode while the malicious version is v2.46.3-Unicode.

If any credentials have been potentially compromised, it is advised to contact your server or system administrator or provider to reset any passwords that may have been compromised, including any attached web control panel passwords.

Users of small to medium websites are advised to forward this advisory to their webmasters.