Posted on 05/19/2015 5:17:01 PM PDT by dayglored
A malicious version of the popular open source Secure Shell (SSH) client PuTTY has been spotted and analyzed by Symantec researchers, and found to have information-stealing capabilities.
PuTTY, which is written and maintained primarily by Simon Tatham and can be freely downloaded from the project's official site, is a popular software with admins and developers looking to connect to remote servers through encrypted means.
Compiled from source, this malicious version is apparently capable of stealing the credentials needed to connect to those servers.
"Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server, (known as 'root' access) which can give them complete control over the targeted system," the researchers explained.
They noted that this particular malicious version of PuTTY has already been spotted in the wild in 2013, but it wasn't broadly distributed.
Neither is this time: there is not active or targeted malware distribution campaign - unsuspecting users will download it only if they search for the legitimate software via a search engine, and opt for getting it from a compromised site instead of the project's official site.
"There is evidence to show users that the Trojanized version of PuTTY is suspicious, as the file is much larger in size than the latest official release. If users are not paying attention to the program’s file size, they may accidentally end up using the malicious version," the researchers noted.
One way to check whether you have perhaps installed it is to check the software's About information. The malicious version will show you this:
"To ensure that you don’t become a victim to malicious versions of legitimate software, always ensure that the page you are downloading from originates from the author or publishers’ official home page," the researchers advise.
The real deal is found here:
http://www.chiark.greenend.org.uk/~sgtatham/putty/
More information on the malware version from Symantec:
Whoa interesting, I install putty for folks at work, thanks for the link.
Use PowerShell!
Set-PSSessionConfiguration -ShowSecurityDescriptorUI -Name Microsoft.PowerShell -Force
What’s a non-geek supposed to do? We’re like PuTTY in their hands?
Thanks for the warning - mine is secure. Nice little utility, been using it for years. BTT
The graphic shows 2013 - has this infected version been out there in the wild this long?
Tell me more. I didn't realize PowerShell could be used as an SSh client. What SSh options and features does it support?
I dunno. Might just be that the 2013 version was the one they corrupted.
That's not to say that you can't do SSH with Powershell:
Huh, I'll be darned. That's useful! Thanks!
Welcome!
How can you protect yourself against this and similar trojans?
Now, THAT sucks!
My rule is to always, always obtain software from the company that makes it, not a third-party, and especially not an unknown third party or one who promises something for nothing.
There is no free lunch if the software originally cost money. If the software is really free, get it from the guy who wrote it, for free. But if the guy who wrote it charges, then getting it elsewhere "for free" is likely to cost you bigtime. Pony up and pay him what he charges, or don't use it and find something else.
I much prefer SecureCRT. Yea for responsible software ownership!
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.