FileZilla warns of large malware campaign

Discussion in 'malware problems & news' started by ronjor, Jan 29, 2014.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
  2. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    This is actually the first sensible malware report I've ever read. Nice.
    Mrk
     
  4. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    If you mean the AVAST Blog, there must be a way to send along kudos :D
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Yup, I meant the post in that blog. The very first time ever. Honest.
    Mrk
     
  6. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Do you mean that FileZilla at SF is also the one with the trojan?
    Or that spinoffs of the original - hosted not at SF - are the ones with the trojan?
    Mrk
     
    Last edited: Mar 8, 2014
  8. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,237
    Actually it's not a trojan.

    There are two download links for FileZilla at SourceForge. The second link is for the original unmodified installer. The main download link downloads a program called SourceForge Download Manager. It is basically the same concept that download.com is using. It will download the original installer for FileZilla and give you the option to install it. It also, however, offers to optionally download and install two 3rd party programs.

    It needs to be noted that if you click Decline on both the 3rd party offers, then only FileZilla will be downloaded and installed. Like I said, download.com has a similar installer, and also quite a few software publishers are using OpenCandy to provide optional 3rd party offers.

    Also, with either installer, you will get the original FileZilla, not the malicious modified version.
     
  9. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    As best I can determine, what "S/F" is hosting still has an adware wrapper, as whatever it attempts to download flags something on my A|V.

    Findings from a previous issue: http://www.dslreports.com/forum/r28803216-Sourceforge-Drives-off-Downloads I have nothing else to report at this time.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    When I go to SF and try to download FZ, I get the standard FZ binary without any adware thingie. So I am not sure how and why the discrepancy. I also read the dslreports thread, and I don't see anything of that sort. Could be regional targeting?

    If you go here and click on the green thingie:
    http://sourceforge.net/projects/filezilla/

    What do you see?
    I see filezilla_3.7.3_....exe

    And according to your original report, the binary itself was the compromised one, so your previous post also indicates the same thing, but I guess it is not the case then?

    It is important to separate the possibilities, because there's a big difference:
    FZ binaries on SF are clean BUT bundle installer offers adware?
    FZ binaries on SF are trojaned?
    Something else?

    Mrk
     
  11. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,237
    This is not the original installer. As I explained in my previous post, it is a downloader, which will download and run the original FileZilla installer, but also offers two 3rd party programs, which will also be downloaded and installed, unless you click Decline on both of them.

    Underneath the green download button is a link titled Direct Download. This link is for the original installer with nothing else bundled.
    SF Download.PNG

    Both downloads have the same file name, but different icons, as you can see in this screenshot:
    SF.png
    The first download is the original installer.

    Here are screenshots of Sourceforge's downloader:
    FZ1.png
    FZ2.png
    FZ3.png

    If you click on the Decline buttons on the second two screens, then the 3rd party software will not be downloaded. The actual extra software offered will no doubt change from time to time.

    No matter which installer you use, you get the original unmodified FileZilla. SourceForge's downloader gets flagged by some AV software because it can install extra software, just like many AVs detect OpenCandy.

    I hope this helps.

    Roger
     
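    The point roger_m makes above, that two downloads saved under the same file name can be different programs, is the kind of thing a file name or icon cannot settle. The usual check is to compare the downloaded file's SHA-256 against a digest the publisher provides out of band. The script below is an added example, not code from this thread, from FileZilla or from SourceForge: it parses a sha256sum-style manifest and verifies files against it. The manifest, the two byte strings standing in for the installer and the downloader, and the file name reuse from the thread are all constructed so the example runs offline.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for the two downloads described in the thread. Both are
# saved under the same file name, but only one is the publisher's installer.
# Real installers are multi-megabyte PE files; these are fakes for an offline demo.
ORIGINAL_INSTALLER = b"MZ" + b"FileZilla_3.7.3_win32-setup (constructed original installer bytes)"
STUB_DOWNLOADER = b"MZ" + b"SourceForge Download Manager stub (constructed wrapper bytes)"
INSTALLER_NAME = "FileZilla_3.7.3_win32-setup.exe"


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, streamed so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse a sha256sum-style manifest ('<hex>  <name>' per line) into {name: hex}.

    Blank lines and '#' comments are skipped; a leading '*' on the name (sha256sum's
    binary-mode marker) is dropped; anything else malformed raises ValueError.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_download(path, expected_name, manifest):
    """Compare the file at `path` with the manifest entry for `expected_name`.

    Returns (ok, reason). A missing entry is a failure, not a pass: an unlisted
    file is exactly the case where the name tells you nothing.
    """
    if expected_name not in manifest:
        return False, f"no manifest entry for {expected_name}"
    actual = sha256_file(path)
    if actual != manifest[expected_name]:
        return False, f"digest mismatch: expected {manifest[expected_name][:12]}..., got {actual[:12]}..."
    return True, "digest matches publisher manifest"


def demo():
    """Save both constructed files under the same name and verify each one.

    Returns {label: (ok, size_in_bytes, reason)}. In practice the manifest comes
    from the software author, not from the download site; here it is constructed
    from the known-good bytes so the example is self-contained.
    """
    manifest_text = (
        "# constructed manifest, stands in for a publisher-provided SHA256SUMS file\n"
        f"{hashlib.sha256(ORIGINAL_INSTALLER).hexdigest()}  {INSTALLER_NAME}\n"
    )
    manifest = parse_sha256sums(manifest_text)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, content in (("direct_download", ORIGINAL_INSTALLER),
                               ("green_button", STUB_DOWNLOADER)):
            folder = os.path.join(tmp, label)
            os.mkdir(folder)
            path = os.path.join(folder, INSTALLER_NAME)  # same name in both folders
            with open(path, "wb") as f:
                f.write(content)
            ok, reason = verify_download(path, INSTALLER_NAME, manifest)
            results[label] = (ok, os.path.getsize(path), reason)
    return results


if __name__ == "__main__":
    for label, (ok, size, reason) in demo().items():
        print(f"{label}: {'OK' if ok else 'REJECT'} ({size} bytes) - {reason}")
```

    Only the file fetched via the direct link matches the manifest; the stub saved under the identical name is rejected on digest alone, which is what a size or icon comparison cannot guarantee.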
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    For me, if I click on the green one, the download offers the 4.7MB file.
    The same thing for the direct download thingie.
    So I wonder, regional stuff?

    fz.png

    Cheers,
    Mrk
     
  13. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    @Mrkvonic, go to this page:

    https://sourceforge.net/projects/filezilla/files/

    And see whether you have "Direct Download Link: On" or "Direct Download Link: Off". If it's the former, I *think* that may be why you are not getting the stub installer. Or maybe it's something else.
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Figured it out, the reason is NoScript.
    This is what I get:

    The interactive file manager requires Javascript. Please enable it or use sftp or scp.
    You may still browse the files here.
    Looking for the latest version? Download FileZilla_3.7.3_win32-setup.exe (4.8 MB)

    So there's a completely unrelated reason for NoScript.
    Block moronware.

    Mrk
     
  15. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    FileZilla stable is at 3.7.4.1. I always start from here, which takes me to the direct link page without any other download buttons.

    Al
     
  16. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Regardless of what link I point at, and thanks to those that have offered alternative ways of fetching this software - my AV still flags the download.

    (see screenshot)
     
  17. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,237
    ESET only detects SourceForge's downloader - it does not detect the original installer. I just scanned both the downloader and original installer (which I also downloaded from SourceForge) at VirusTotal, and only the downloader was detected by ESET.

    If you click on the "Direct Download" link you will get the original installer.

    Edit: My next post explains what is going on.
     
    Last edited: Mar 11, 2014
  18. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,237
    I just looked again at your screenshot and I can see the problem. ESET is detecting the URL "ids.sourceforgecdn.com" and blocking the download, rather than letting the file download and then detecting it. This is an issue you might want to report to ESET, since it is blocking the download of the original installers of software and not just the download of SourceForge's downloader.

    It is things like this that make me avoid website blocking of any kind.
     
  19. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    I think ESET is correct and it will not block the direct link considering it's on another server ;)
     
  20. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Thanks for your feedback and observations, Roger. ESET is aware of this and it is currently under investigation.

    Regards,

     
  21. asloane

    asloane Registered Member

    Joined:
    Oct 10, 2007
    Posts:
    4
    The maker of Filezilla refuses to stop his official Filezilla website from linking to file hosts which bundle in pernicious, damaging and virtually impossible to remove browser hijacking malware such as "driver restorer", "reimage repair" and "astromenda" etc. Adware is awful but a software engineer who permits malware infection should be banned. I can never recommend Filezilla, the real cost in lost time and hassle is too great. The complaints at Filezilla's forum and the 1-star reviews at SourceForge are stacking up.

    Can anyone recommend a secure, malware-free FTP Server and Client solution?
     
  22. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,237
    Astromenda may be an exception, but both Reimage Repair and Driver Restore are absolutely not malware, and are safe to use. They also come with uninstallers, so can easily be removed.

    I'm not happy about extras being bundled with installers either. But, it is important to note that almost always the 3rd party software installed is not malicious in any way, and can be considered a nuisance if you didn't want it installed, but not harmful.
     