PuTTY, the brainchild of Cambridge-based software author Simon Tatham, is used by systems admins and web developers worldwide and has been downloaded millions of times.
But Symantec says attackers are using the infected version of PuTTY to take over high-level users' computers and steal data that “is often considered a gold mine for a malicious actor”.
In an 18 May blog post, Symantec researcher Dumitru Stama said the attacks are coming from an IP address in the United Arab Emirates.
But Symantec principal threat researcher Candid Wueest told SCMagazineUK.com via email: “We do not know who exactly is behind these attacks, and as the attackers may well be orchestrating the attack remotely, it is not possible to speculate as to which country this has come from.”
Symantec said the Trojan was first seen in 2013. It then stopped circulating but “has now started being broadly distributed again”.
The current attacks are not aimed at any specific region or industry.
PuTTY, a free open-source tool, is used by systems admins, web developers and database administrators to securely connect to remote Unix/Linux servers, using the SSH (Secure Shell) protocol.
As a result, Wueest told SCMagazineUK.com: “This attack should be treated as serious, as administrator passwords hold the key to highly sensitive servers. As attackers can keep track of any password changes, this threat represents a backdoor for hackers.
“SSH software is widely used by administrators to connect securely to a number of different servers. If an attacker is able to steal an administrator's password, they can gain access to numerous servers, and also manipulate databases and websites.”
Typically, the attack works when the victim searches for PuTTY, then unknowingly selects a compromised website and is connected to the IP address in the UAE, which offers them the fake version of PuTTY to download.
If the user then connects to other computers or servers, they may inadvertently send sensitive login credentials to the attackers.
Stama confirmed: “Data sent through SSH connections is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get root access to a computer or server, which can give them complete control over the targeted system.”
PuTTY author Simon Tatham, a software engineer with micro-processor supplier ARM, toldSCMagazineUK.com via email that he was not surprised maliciously modified versions of PuTTY exist, as “any software at all with publicly available source code makes it easy to create such things”.
Tatham added: “It's notable that this particular Trojanised copy of PuTTY doesn't try very hard to masquerade as an official build - it has a distinctive version number which makes it easy to tell apart from anything we distribute.”
He advised users to install the latest PuTTY release 0.64 from the official website (http://www.chiark.greenend.org.uk/~sgtatham/putty/), and to “treat any machine that's run the malicious version as potentially compromised; change any passwords that might have been stolen and re-secure the accounts they protect”. A warning and link has been added to the front page of the PuTTY website, he said.
Analysing the attack, Matt Gough, principal security consultant with Nettitude, told SCMagazineUK.com via email that he believes PuTTY has been targeted because: “It is *the* most popular Windows SSH client used by systems and network admins throughout the world. It's small in size, requires no elevated permissions to install and, most importantly, is often executed on an admin PC. This makes it the ideal candidate for ‘Trojaning'.”
Gough added: “Being open source, anti-virus will not be able to detect this type of malware easily, due to the way the malicious code can hide itself within the binary. This means software restriction policies should be configured to whitelist allowed software and binaries to run.
“These can be easily configured through Windows Group Policy or by installing third-party products such as Bit-9. And of course only ever download from reputable sources and compare the Checksum against the authors.”
Independent security expert Jovi Umawing, a malware intelligence analyst with Malwarebytes, told SC via email: “For those hit by this, we advise that credentials be updated immediately and that they run anti-malware software to remove malicious files and registries.
“It also pays to look up names of developers of free and open-source software (FOSS) and the official download sites to ensure that what would be installed on systems are genuine copies.”
According to Stama at Symantec, the same attackers behind the latest PuTTY Trojan last year created a malicious version of the File Transfer Protocol (FTP) client, FileZilla, in order to steal victims' information.
Based on this, Umawing advised: “FileZilla, like PuTTY, is also an FOSS. It appears that actors behind these Trojanised campaigns are targeting the free, open-source community. Watch out for campaigns with a similar MO in the future.”