Trojanized SSH Client PuTTY Steals Credentials

Malicious PuTTY Download

Symantec's security response team has found a trojanized version of the popular SSH client PuTTY that steals users' credentials. Symantec first spotted the malicious build in the wild in late 2013, but its distribution at that time was minimal.


The current distribution of the Trojanized version of PuTTY is not widespread and is not specific to one region or industry, according to the researchers.

A search for PuTTY on a search engine returns many results. If the victim picks a compromised website instead of the official PuTTY home page, that site redirects the victim several times and finally connects them to an IP address in the United Arab Emirates that serves the malicious build of PuTTY.

The connection details are represented in the standard SSH URL format:  
ssh://[USER NAME]:[PASSWORD]@[HOST NAME]:[PORT NUMBER]
Whenever the malicious build of PuTTY successfully connects to a host, it copies that connection URL, encodes it with URL-safe ("web safe") Base64, and sends a request containing the encoded string to the attacker's web server. Because the URL embeds the user name, password, host name and port, the attacker can log in to the same server with the stolen credentials. Base64 is an encoding, not encryption, so the stolen connection string is recoverable from any web proxy or network log that captured the outbound request.
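As an added example (this is not code from the page or from Symantec's analysis), the following Python shows both halves of the mechanism described above: building the ssh:// connection string and URL-safe Base64 encoding it as the trojan does, and the inverse check a defender can run over web proxy logs to find such beacons. The beacon shape (a GET with the encoded string in a query parameter) and the log lines are constructed assumptions; the page does not specify the request format.

```python
import base64
import re


def build_ssh_url(user, password, host, port):
    """Connection string in the ssh://[USER]:[PASSWORD]@[HOST]:[PORT] form."""
    return f"ssh://{user}:{password}@{host}:{port}"


def encode_beacon(ssh_url):
    """URL-safe ("web safe") Base64: '+' and '/' become '-' and '_'."""
    return base64.urlsafe_b64encode(ssh_url.encode("utf-8")).decode("ascii")


# --- Detection side --------------------------------------------------------

# Runs of URL-safe Base64 characters long enough to hold "ssh://" plus
# credentials, with optional trailing padding.
B64URL_TOKEN = re.compile(r"[A-Za-z0-9_-]{16,}={0,2}")


def decode_b64url(token):
    """Decode a URL-safe Base64 token, re-adding padding that may have been
    stripped in transit. Returns None when the token is not valid Base64 or
    does not decode to UTF-8 text."""
    stripped = token.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def redact_password(ssh_url):
    """Mask the password so the alert itself does not leak the credential."""
    return re.sub(r"^(ssh://[^:@/]+):[^@]*@", r"\1:***@", ssh_url)


def find_ssh_beacons(log_lines):
    """Return (line_number, redacted_ssh_url) for every log line that carries
    a Base64-encoded ssh:// connection string."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for token in B64URL_TOKEN.findall(line):
            decoded = decode_b64url(token)
            if decoded and decoded.startswith("ssh://"):
                hits.append((lineno, redact_password(decoded)))
    return hits


# Constructed proxy log (assumed format). Line 2 is what a beacon from the
# trojan could look like if the encoded string were sent as a query parameter.
STOLEN = encode_beacon(build_ssh_url("alice", "S3cret!", "10.1.2.3", 22))
SAMPLE_PROXY_LOG = [
    '10.0.0.5 - - [01/May/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/May/2015:10:00:07 +0000] "GET /ping.php?q=' + STOLEN + ' HTTP/1.1" 200 0',
    '10.0.0.7 - - [01/May/2015:10:00:09 +0000] "GET /app.js?v=abcdefghijklmnopqrstuvwxyz HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for lineno, url in find_ssh_beacons(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: exfiltrated SSH credential for {url}")
```

The detector decodes every long Base64-looking token rather than matching a fixed attacker URL, so it still fires if the hostname or path of the collection server changes; the cost is a few false decodes on ordinary cache-busting strings, which the `ssh://` prefix check filters out. Passwords are masked before the hit is returned so the alert can be stored in a SIEM without reproducing the leak.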


How To Protect Yourself

Download PuTTY only from the official project site and verify the download against the signatures the project publishes before running it, or install Norton products, which detect this malicious version of PuTTY. If a machine has already run the trojanized build, treat every SSH credential entered through it as compromised and rotate it, and review web proxy logs from that machine for outbound requests carrying Base64-encoded ssh:// strings to see which hosts were exposed.
