DBSA:2014-0002
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant; please refer to the "Date" section of the header to be sure the advisory is recent as it pertains to your situation.
Digibase Security Advisory - Malware Impersonating FileZilla
Keywords: FileZilla, malware
DBSA ID: 2014-0002
Regarding: Malware Impersonating FileZilla
Writeup: Kradorex Xeron (talk) 13:18, 28 January 2014 (EST)
Date: 2014 01 28
Last Modified: 20140128141855 by Kradorex Xeron
Who should take note: Everyone, particularly FileZilla users
Classification
Priority: HIGH
Rationale: Users of the program must verify that they are running a legitimate installation of the software.
Severity: HIGH
Rationale: Using the malicious variant may compromise the security of websites and lead to damage.
Spread of Issue: SINGLE-PLATFORM HIGH
Rationale: Most users do not use FTP software; however, this has the potential to affect users accessing websites maintained using the software.
Description
FileZilla is an FTP file management utility that provides website and server administrators with the ability to transmit and receive files via FTP (File Transfer Protocol). It has been reported that a fake variant of the software has been released that poses as the genuine program. The fake variant is fully operational and behaves as expected, but contains hooks that transmit any logins and passwords entered to a third party through means that are largely undetectable to the user.
The implication is that websites administered or maintained using the fake variant may be maliciously compromised and altered to host malware or illegal content, or to redirect users to compromised websites.
Mitigation/Solution
It is advised to download the software from official sources only, and to ensure that any installed copy does not contain the following files in the "C:\Program Files\FileZilla FTP Client" or "C:\Program Files (x86)\FileZilla FTP Client" directory:
- libgcc_s_dw2-1.dll
- libstdc++-6.dll
The installation package of the software may be verified by checking which version of the Nullsoft installer (NSIS) it was built with. The legitimate version uses v2.45-Unicode, while the malicious version uses v2.46.3-Unicode.
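As an added example (not part of this advisory or of the FileZilla project), the following Python script automates the two checks above: it looks for the indicator DLLs in the install directories and classifies an installer by the NSIS version string it embeds. It assumes that NSIS installers carry a "Nullsoft Install System v<version>" string in their stub; the sample bytes are constructed stand-ins, not real installers.

```python
import re
from pathlib import Path

# Indicator files named in the advisory: present only in the malicious variant.
INDICATOR_DLLS = ("libgcc_s_dw2-1.dll", "libstdc++-6.dll")

# Default install directories named in the advisory.
DEFAULT_INSTALL_DIRS = (
    r"C:\Program Files\FileZilla FTP Client",
    r"C:\Program Files (x86)\FileZilla FTP Client",
)

LEGITIMATE_NSIS = "v2.45-Unicode"   # installer version used by the genuine release
MALICIOUS_NSIS = "v2.46.3-Unicode"  # installer version used by the fake variant

# Assumption: the NSIS stub embeds a "Nullsoft Install System v<version>" string.
NSIS_VERSION_RE = re.compile(rb"Nullsoft Install System (v[0-9][0-9A-Za-z.\-]*)")


def indicator_dlls_in(filenames):
    """Return the indicator DLLs found in an iterable of file names (case-insensitive)."""
    present = {name.lower() for name in filenames}
    return [dll for dll in INDICATOR_DLLS if dll.lower() in present]


def scan_install_dir(install_dir):
    """Return indicator DLLs found in install_dir; [] if none or if the directory is absent."""
    base = Path(install_dir)
    if not base.is_dir():
        return []
    return indicator_dlls_in(p.name for p in base.iterdir() if p.is_file())


def classify_installer_bytes(data):
    """Classify raw installer bytes by the NSIS version string they carry."""
    match = NSIS_VERSION_RE.search(data)
    if match is None:
        return "unknown"          # not NSIS, or version string absent: inconclusive
    version = match.group(1).decode("ascii")
    if version == LEGITIMATE_NSIS:
        return "legitimate"
    if version == MALICIOUS_NSIS:
        return "malicious"
    return "unexpected:" + version  # neither version from the advisory: inspect manually


# Constructed sample stubs standing in for installer contents (not real binaries).
SAMPLE_LEGITIMATE = b"MZ...Nullsoft Install System v2.45-Unicode\x00..."
SAMPLE_MALICIOUS = b"MZ...Nullsoft Install System v2.46.3-Unicode\x00..."

if __name__ == "__main__":
    for d in DEFAULT_INSTALL_DIRS:
        print(d, "->", scan_install_dir(d) or "no indicator DLLs found")
    print(classify_installer_bytes(Path("FileZilla_setup.exe").read_bytes()))
```

To check a downloaded installer, pass its bytes to classify_installer_bytes; absence of the indicator DLLs does not by itself prove an installation is genuine, so use the script as a triage aid alongside verifying the download source.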
If any credentials may have been compromised, it is advised to contact your server or system administrator or hosting provider to reset any passwords that may have been exposed, including the passwords of any associated web control panels.
Users of small to medium websites are advised to forward this advisory to their webmasters.