PuTTY Malware Steals Credentials

Thursday, May 21, 2015 @ 05:05 PM gHale


A malicious version of the open-source Secure Shell (SSH) and Telnet client PuTTY can be used to steal credentials and gain remote access to computers, Symantec researchers said.

Attackers created the Trojanized PuTTY in late 2013, when they uploaded a sample to VirusTotal, but then withdrew it from circulation for a time, researchers said.


The malware is distributed through compromised websites that appear in search engine results when users look for PuTTY. A user who visits one of these sites is sent through several redirects to a website hosted in the United Arab Emirates that serves the fake version.

“Our telemetry reveals that the current distribution of the Trojanized version of PuTTY is not widespread and is not specific to one region or industry,” Symantec said in a blog post.

When a user starts an SSH session to a remote server, the connection details include the server’s address, the port number, the username, and the password. The Trojanized PuTTY copies these details, encodes them, and sends them to a server controlled by the attackers.

“Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server (known as ‘root’ access), which can give them complete control over the targeted system,” the Symantec researchers said.

One sign that gives away the fake software is that the Trojanized binary is much larger than the legitimate one, Symantec said.
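File size is a weak signal; the reliable check is to compare the downloaded binary’s SHA-256 digest against the checksum list the PuTTY project publishes alongside its releases. The script below is an added example, not code from the article or from the PuTTY project. It assumes a sha256sum-style list (one “<hex digest>  <filename>” line per file) and checks a constructed sample file rather than a real release; the digests and file contents are made up for the demonstration.

```python
"""Verify a downloaded PuTTY binary against a published SHA-256 checksum list.

Added example, not code from the original article or the PuTTY project.
Assumes a sha256sum-style list ("<hex digest>  <filename>" per line) and
uses a constructed sample file, not a real release binary.
"""
import hashlib
import hmac
import os
import tempfile


def parse_checksum_list(text):
    """Parse sha256sum output into {filename: hex digest}.

    Accepts both the "  " (text mode) and " *" (binary mode) separators and
    ignores blank lines and comments. Malformed lines fail loudly rather
    than being skipped, so a truncated download of the list is noticed.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the second space or the '*' marker
        if len(digest) != 64 or not name:
            raise ValueError("malformed checksum line: %r" % line)
        sums[name] = digest.lower()
    return sums


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksum_text, expected_name=None):
    """Return (ok, reason).

    ok is True only when the file's digest matches the published digest for
    its name; a missing entry or any mismatch fails closed. expected_name
    lets the caller supply the path used in the list (e.g. a subdirectory
    prefix) when it differs from the local filename.
    """
    sums = parse_checksum_list(checksum_text)
    name = expected_name or os.path.basename(path)
    published = sums.get(name)
    if published is None:
        return False, "no published checksum for %s" % name
    actual = sha256_of_file(path)
    # compare_digest is constant-time; not essential for a local file check,
    # but the right habit whenever digests or secrets are compared.
    if not hmac.compare_digest(actual, published):
        return False, "SHA-256 mismatch: got %s, expected %s" % (actual, published)
    return True, "SHA-256 matches published value"


def demo():
    """Constructed demo: a clean file and a tampered copy checked against one list."""
    good = b"\x4d\x5a" + b"constructed putty bytes" * 100  # not a real PE image
    bad = good + b"\x90" * 4096                            # tampered: padding appended
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "putty.exe")
        with open(path, "wb") as f:
            f.write(good)
        checksums = "%s  putty.exe\n" % hashlib.sha256(good).hexdigest()
        good_ok, _ = verify_download(path, checksums)
        with open(path, "wb") as f:
            f.write(bad)
        bad_ok, reason = verify_download(path, checksums)
    return good_ok, bad_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Fetch the checksum list over HTTPS from the project’s own site, not from the page that served the binary; a site that can substitute the executable can substitute a matching checksum just as easily.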

PuTTY is a tool that firewalls and security products often whitelist and do not treat as a threat, which makes the Trojanized version more dangerous, Symantec said.
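Because an allow rule keyed on the process name lets the Trojanized client through, a behavioural check is more useful: a legitimate SSH client talks only to the server the user asked for, so a putty.exe process that also opens a connection to a second host is worth an alert. The rule below is an added example, not code from the article or from Symantec. It assumes Sysmon-style network-connection events with Image, ProcessId, DestinationIp, DestinationPort and UtcTime fields, and runs over constructed sample events; the article does not state the exfiltration protocol or port, so the rule keys on “any second destination” rather than on a specific port.

```python
"""Flag a putty.exe process that connects to more than its SSH target.

Added example, not from the original article or Symantec's post. Assumes
Sysmon-style network-connection events (Image, ProcessId, DestinationIp,
DestinationPort, UtcTime); the events below are constructed, not real
telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. pid 4120 is a clean session (one connection to
# the SSH server). pid 5588 reaches the SSH server and then an unrelated
# host on another port, which is the pattern a credential-stealing client
# would produce. pid 6001 is an unrelated process and must be ignored.
SAMPLE_EVENTS = [
    {"UtcTime": "2015-05-21 14:02:10", "ProcessId": 4120,
     "Image": r"C:\Tools\putty.exe",
     "DestinationIp": "10.0.5.20", "DestinationPort": 22},
    {"UtcTime": "2015-05-21 14:05:31", "ProcessId": 5588,
     "Image": r"C:\Users\alice\Downloads\putty.exe",
     "DestinationIp": "10.0.5.20", "DestinationPort": 22},
    {"UtcTime": "2015-05-21 14:05:32", "ProcessId": 5588,
     "Image": r"C:\Users\alice\Downloads\putty.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 80},
    {"UtcTime": "2015-05-21 14:06:00", "ProcessId": 6001,
     "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 80},
]


def _is_putty(image):
    """Match on the executable name, case-insensitively, whatever its path."""
    return image.lower().rsplit("\\", 1)[-1] == "putty.exe"


def find_suspicious_putty_sessions(events, window=timedelta(minutes=5)):
    """Return {pid: [(ip, port), ...]} for putty.exe processes that connected
    to more than one distinct destination IP within `window` of their first
    connection. The window keeps a long-lived interactive session that is
    later pointed at a second server from being flagged."""
    by_pid = defaultdict(list)
    for ev in events:
        if not _is_putty(ev["Image"]):
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        by_pid[ev["ProcessId"]].append((ts, ev["DestinationIp"], ev["DestinationPort"]))

    flagged = {}
    for pid, conns in by_pid.items():
        conns.sort()
        first = conns[0][0]
        dests = []
        for ts, ip, port in conns:
            if ts - first <= window and (ip, port) not in dests:
                dests.append((ip, port))
        if len({ip for ip, _ in dests}) > 1:
            flagged[pid] = dests
    return flagged


if __name__ == "__main__":
    for pid, dests in find_suspicious_putty_sessions(SAMPLE_EVENTS).items():
        print("pid %d: putty.exe contacted %s" % (pid, dests))
```

In a real deployment the rule should be fed from the endpoint telemetry you actually collect, and the window and destination logic tuned to how your users run PuTTY (for example, sessions that legitimately hop through a jump host will need the jump host allowed).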


