On January 28th, the makers of open source FTP application FileZilla announced that tainted versions of their program are circulating the web. Known collectively as StealZilla, these versions contain malware that steals server log-in credentials and sends them to the attacker.
StealZilla is being spread by third-party websites unassociated to FileZilla. If you have recently downloaded what you thought was FileZilla, you should investigate the application’s properties. Pictured below is a comparison of the About Windows from FileZilla (left) and StealZilla (right).
You can also compare SHA1 hashes:
Malicious Installer v3.5.3:
Malicious Installer v3.7.3:
Malicious FileZilla.exe v3.5.3:
Malicious FileZilla.exe v3.7.3:
If you require assistance with comparison, please don’t hesitate to contact Emsisoft Support.
How StealZilla Works
As an open-source application, FileZilla has long been vulnerable to fraudulent replication, however StealZilla is currently the largest and most successful attack to date. At a glance, StealZilla differs very little from FileZilla. To begin, the third-party GUI download sites (right) are almost identical to the official FileZilla one (left).
On top of this, StealZilla is fully functional and the application is only slightly smaller than the 6.8 MB FileZilla.exe. Essentially, StealZilla works because it works – and to the average user nothing appears to be wrong.
There are a few dead giveaways going on in the background, however. StealZilla actually contains a hardcoded FTP stealer which sends user FTP connection information to the hackers behind the attack. This information is sent only once, but once it is the hackers can then bypass your firewall and perform any number of malicious activities to or with your computer. The is a very subtle method, but Emsisoft Anti-Malware actually recognizes it with its Behavior Blocker.
As yet, the identities of those behind StealZilla are unknown. It has been discovered that the program sends stolen FTP credentials to a server in Germany (IP 18.104.22.168) but the domains linked to this IP are hosted by Naunet.ru, a Russian registrar long associated with hacking. The 3 known domains are: go-upload.ru, aliserv2013.ru, and ngusto-uro.ru but the WHOIS info on these domains is anonymous.
When downloading any open source application it is important to use only official or officially certified websites. For FileZilla, these sites are FileZilla.org and SurgeForce.net. If you use anything else, you are placing yourself at risk. With any application, regular updates are also a key component of comprehensive security. Notably, StealZilla does not allow itself to be updated.
Emsisoft’s Malware Analysis team will continue to follow StealZilla as it evolves, and will keep readers posted if any significant modifications to this threat occur. In the meantime, Have A Malware-Free Day!