Contributor: Val S

Symantec Security Response has encountered an unofficial, information-stealing version of the open source Secure Shell (SSH) client PuTTY, which was compiled from source. The Trojanized version of this open source software was not hosted on the official website and instead, the attackers redirected users from a compromised, third-party website to their own site.

If the user is connected to other computers or servers through the malicious version of PuTTY, then they could have inadvertently sent sensitive login credentials to the attackers.

How the legitimate PuTTY tool works

The open source software model allows contributors to collaborate from anywhere in the world to fix and improve projects. This practice provides useful software to users for free, but the model can have its pitfalls. Attackers can use an open source project’s code to create Trojanized versions for their own gain.

In this case, the attackers created a Trojanized version of PuTTY, a popular open source SSH/Telnet/Serial console client written by software engineer Simon Tatham. PuTTY is used around the world by many system administrators, web developers, database administrators, and people connecting to a remote server through encrypted means. The most common connections made through PuTTY are from a Windows computer to a Unix/Linux server.

Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server, (known as “root” access) which can give them complete control over the targeted system.

PuTTY is usually whitelisted because it is a commonly used administration tool which is frequently employed to connect system administrators to other computers and servers. It is not seen as a security threat by most firewalls and third-party security products, and the software is being actively maintained so administrators rarely need to recompile the product from its source.

Unofficial Trojanized PuTTY

Based on the compile date of the malicious version of PuTTY and our own telemetry, this file has been in the wild since late 2013 and it was first seen in Virus Total around the same time. However, we have only seen this sample broadly distributed recently. Distribution in 2013 was minimal, and we saw a gap of a year and a half before it reappeared again. It can be surmised that the author of the malware was performing tests to see which specific scanners would detect this file.



Figure 1. The “About” information on the unofficial version of PuTTY

Our telemetry reveals that the current distribution of the Trojanized version of PuTTY is not widespread and is not specific to one region or industry. The distribution of this malware appears to occur in the following manner:

The victim performs a search for PuTTY on a search engine. The search engine provides multiple results for PuTTY. Instead of selecting the official home page for PuTTY, the victim unknowingly selects a compromised website. The compromised website redirects the user several times, ultimately connecting them to an IP address in the United Arab Emirates. This site provides the user with the fake version of PuTTY to download.

There is evidence to show users that the Trojanized version of PuTTY is suspicious, as the file is much larger in size than the latest official release. If users are not paying attention to the program’s file size, they may accidentally end up using the malicious version.

PuTTY typically uses the standard SSH URL format for a connection:

“ssh://[USER NAME]:[PASSWORD]@[HOST NAME]:[PORT NUMBER]”

However, we found that whenever the malicious version of PuTTY successfully connects to a host, it copies the connection SSH URL, encodes the URL with Base64 web safe, and sends a ping containing this string to the attacker’s web server.



Figure 2. Original binary file with URL (blurred) in plain text



Figure 3. SSH URL being encoded

The malicious version of PuTTY also uses a specific HTTP User Agent to filter connection attempts:



Figure 4. Malicious version of PuTTY uses HTTP User Agent to filter connection attempts

With these credentials, the attackers can make a connection to the server. This particular attack method, using PuTTY as an example, has been blogged about before.

This is not the first time that these attackers have made a Trojanized version of an open source program to steal information. Last year, the same attackers created a malicious version of the File Transfer Protocol (FTP) client, FileZilla, in order to steal victims’ information.

Mitigation

Symantec and Norton products detect this malicious version of PuTTY as Hacktool, WS.Reputation.1, and Suspicious.Cloud.9.

To ensure that you don’t become a victim to malicious versions of legitimate software, always ensure that the page you are downloading from originates from the author or publishers’ official home page. For the best possible protection, Symantec and Norton customers should ensure that they are using the latest Symantec technologies incorporated into our consumer and enterprise solutions. Finally, always keep your computer up to date with the latest virus definitions and patches.