Beware of fake versions of FileZilla FTP Client packing malware
It seems malware is everywhere these days, and many a user falls prey to it through emails, downloaded files and malicious websites. One trick is to name a bad file after a popular existing app -- Flash is a top target for this sort of thing.
The FileZilla FTP Client seems to be the latest target in this type of attack. Security researchers at Avast discovered this happening with versions 3.7.3 and 3.5.3 of the software. "We have noticed an increased presence of these malware versions of famous open source FTP clients", the firm announces.
This is apparently a very good fake, with the installer GUI bearing a strong resemblance to the real product. In fact, once installed, the app is identical and even has full functionality. However, Avast points out that "any attempt to update the application fails, which is most likely a protection to prevent overwriting of malware binaries".
After deep analysis, the researchers found code, hidden within the real open source code, that is designed to add a stealer to the app. "The algorithm is part of a malformed FileZilla.exe binary, therefore sending stolen log in details which bypasses the firewall. The whole operation is very quick and quiet. Log in details are sent to attackers from the ongoing FTP connection only once. Malware doesn’t search bookmarks or send any other files or saved connections", Avast concludes.
The websites distributing these fake copies of FileZilla seem to all be registered in Russia, using a registrar that hides the client information.
FileZilla has placed a warning on its own website, stating "We do not condone these actions and are taking measures to get the known offenders removed. Note that we cannot in general prevent tainted versions on third-party websites or proof their authenticity, especially since the FileZilla Project promotes beneficial redistribution and modifications of FileZilla in the spirit of free open source software and the GNU General Public License". The site gives instructions for checking the version you have installed.