
Sevan Makaracı
Administrator
February 2nd, 2014 at 12:00 am

Story

A couple of days ago Avast reported on a malformed FileZilla FTP client. The malware installer GUI and the installed malware FTP client are almost identical to the official version, and fully functional.

The primary mission of this malware is stealing your login information and sending it to the attackers.

According to Avast, malware versions of the famous open source FTP client are on the increase (versions 3.7.3 and 3.5.3).

You can find identification / protection info and technical details below.


How to identify and protect

The first detail that identifies this malware is the download URL. The malware installer is mostly hosted on hacked websites with fake content (for example, texts and user comments are represented by images).

[Screenshots: web_01, web_02, web_03 (fake download websites hosting the installer)]

Another difference between the malware installer and the official FileZilla installer is the version of the NullSoft installer: the malware uses 2.46.3-Unicode while the official installer uses v2.45-Unicode. All other parts of both installers (texts, buttons etc.) are identical.

A further detail that identifies this malware is the smaller file size of filezilla.exe (~6.8 MB). Also, two DLL libraries, libgcc_s_dw2-1.dll and libstdc++-6.dll, are installed by the fake installer and are not included in the official version. And the information in the “About FileZilla” window shows the use of older SQLite/GnuTLS versions.

[Screenshot: about_windows (“About FileZilla” dialogs of the fake and official versions)]

Another suspicious sign is the update function, which does not work in the fake version; this keeps the malware binary from being replaced by a clean update.

The best way to protect yourself is to use up-to-date antivirus software and to download any software only from official, well-known or trusted sources.


Technical details

Deeper analysis of the malware shows that the malware authors added their stealing code to the original open source code.

[Screenshot: payload (the added stealing code)]

Login details are sent to the attackers over the ongoing FTP connection, only once. The stolen login information is converted into the following format:
"ftp://username:password@ftp.domain.com:port"

then encoded with a custom base64 algorithm and sent to the attacker’s server. Here are the communication details while the fake FTP client (v3.7.3) sends the login information:

[Screenshot: wireshark (capture of the login information being sent)]

The login info is sent to the IP 144.76.120.243, which resolves as follows:

[Screenshot: domain (resolution of 144.76.120.243)]

Additional hash information:

Malicious Installer v3.5.3
SHA256: 595D954C7CE574337C97A0801E779BC3DCA94FC92AFAE8F483DCDD1A053C5C24

Malicious FileZilla.exe v3.5.3
SHA256: 525E9ED135C1435772A774D7AD7168CECCD225E354118E621482DB61174F6734

Malicious Installer v3.7.3
SHA256: B9A12F9B6827144D84E65EF2BA454D77CB423C5E136F44BC8D3163D93B97F11F

Malicious FileZilla.exe v3.7.3
SHA256: 2451599C03B136C1848F538184F0F266973B65AFC8DD25F272A7E6B0555B657A
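The identification details above (extra DLLs, small filezilla.exe, the published SHA256 hashes) and the exfiltration server mentioned in the technical details can be turned into a simple triage script. The following is an added example written for this post; it is not code from the original post or from Avast's analysis. The hashes, DLL names and C2 IP are the ones quoted above; the ~7 MB size threshold, the install directory layout and the firewall log line format are assumptions made for the example, and the sample files and log lines are constructed here.

```python
"""Host and network triage for the trojanised FileZilla builds described above.

Added example, not part of the original post or of Avast's analysis.
Indicators (SHA256 hashes, extra DLL names, C2 IP) come from the post; the
size threshold, directory layout and log format are assumptions.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 hashes quoted in the post (lower-cased for comparison).
MALICIOUS_SHA256 = {
    "595d954c7ce574337c97a0801e779bc3dca94fc92afae8f483dcdd1a053c5c24": "Malicious installer v3.5.3",
    "525e9ed135c1435772a774d7ad7168ceccd225e354118e621482db61174f6734": "Malicious FileZilla.exe v3.5.3",
    "b9a12f9b6827144d84e65ef2ba454d77cb423c5e136f44bc8d3163d93b97f11f": "Malicious installer v3.7.3",
    "2451599c03b136c1848f538184f0f266973b65afc8dd25f272a7e6b0555b657a": "Malicious FileZilla.exe v3.7.3",
}
# DLLs the post says the fake installer drops and the official build lacks.
SUSPICIOUS_DLLS = {"libgcc_s_dw2-1.dll", "libstdc++-6.dll"}
# Exfiltration server named in the post.
C2_IP = "144.76.120.243"
# The post gives ~6.8 MB for the fake filezilla.exe; the threshold itself is an
# assumption for this example (official builds of that era are larger).
SMALL_EXE_BYTES = 7_000_000


def sha256_file(path):
    """Hash a file in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_install_dir(install_dir):
    """Return (severity, message) findings for every file under install_dir."""
    findings = []
    for p in Path(install_dir).rglob("*"):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        if digest in MALICIOUS_SHA256:
            findings.append(("high", f"{p.name}: hash matches {MALICIOUS_SHA256[digest]}"))
        if p.name.lower() in SUSPICIOUS_DLLS:
            findings.append(("medium", f"{p.name}: DLL not shipped with the official FileZilla"))
        if p.name.lower() == "filezilla.exe" and p.stat().st_size < SMALL_EXE_BYTES:
            findings.append(("low", f"{p.name}: only {p.stat().st_size} bytes, smaller than expected"))
    return findings


# Assumed firewall log format (constructed): "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)"
)

# Constructed sample log lines; 192.0.2.10 is a documentation address.
SAMPLE_LOG = [
    "2014-02-01T10:15:02 10.0.0.12:49152 -> 144.76.120.243:21 TCP",
    "2014-02-01T10:15:05 10.0.0.12:49153 -> 192.0.2.10:443 TCP",
    "not a log line",
]


def scan_log_lines(lines):
    """Return (timestamp, source IP, destination port) for connections to the C2 IP."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m.group("dst") == C2_IP:
            hits.append((m.group("ts"), m.group("src"), int(m.group("dport"))))
    return hits


def build_sample_install():
    """Create a constructed fake install directory in a temp folder and return its path."""
    root = Path(tempfile.mkdtemp(prefix="fz_triage_"))
    (root / "filezilla.exe").write_bytes(b"MZ" + b"\0" * 998)  # tiny stand-in binary
    (root / "libstdc++-6.dll").write_bytes(b"not a real dll")
    (root / "readme.txt").write_bytes(b"")  # empty file, well-known SHA256
    return root


if __name__ == "__main__":
    for severity, msg in scan_install_dir(build_sample_install()):
        print(f"[{severity}] {msg}")
    for ts, src, dport in scan_log_lines(SAMPLE_LOG):
        print(f"[high] {ts} {src} connected to {C2_IP}:{dport}")
```

Point scan_install_dir at the real FileZilla program folder and scan_log_lines at your own firewall or proxy export (after adapting LOG_LINE to its format); the hash match is the only finding that is conclusive on its own, the DLL and size checks are hints that should prompt a closer look.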


Source

Avast! blog
