Pierluigi Paganini May 21, 2015

Bad actors have released a malicious version of the popular open source tool PuTTY to steal access credentials of computers worldwide.

Be careful, there is an unofficial version of Putty in the wild and it seals information. This version was compiled from the legitimate source, but isn’t hosted on the official website project, instead, attackers redirect users from a comprised website to their own site with that malicious version.

The malicious version of PuTTY allows attackers to steal information related the connected computer/servers, including credentials used to access those systems.

PuTTY is an open source software that allows any people to contribute or collaborate somehow, normally with the objective of fixing or improving the software in question, but it can be used too for illegal activities. Hackers can recompile the source code by inserting a malicious code like a virus or a spyware:

In the case of PuTTY, the crooks, created a malicious version of PuTTY, since it’s a worldwide used software by millions of system administrators (or anyone that needs to connect to a remote server with encryption) to access by SSH/Telnet/Serial.

Because normally the PuTTY client is used to connect from a Windows machine to a Unix/Linux server, attackers can collect root access credentials from victims.

Another big problem in my opinion is that in corporations PuTTY always is seen as a useful and safe tool, meaning that is whitelisted in firewalls and other security products, so now imagine that you are using the malicious version of PuTTY in your company to access to the company’s server… Huge breach that can cost to the company a lot.

As far as it’s known, the “bad” version of PuTTY it’s in the wild since late 2013, but at the time the diffusion was minimal, but now, one and half year later, we are starting to see more and more cases of people using this dangerous version.

If you have doubts about the authenticity of your PuTTY client it could be useful to check the “About” of software. The “about” of the unofficial version of PuTTY looks like this:

When the official version looks like this (version may vary):

Experts at Symantec have published an interesting post on the case, as they explain, the distribution of the malware appears to occur in the following ways:

• The victim performs a search for PuTTY on a search engine.
• The search engine provides multiple results for PuTTY. Instead of selecting the official home page for PuTTY, the victim unknowingly selects a compromised website.
• The compromised website redirects the user several times, ultimately connecting them to an IP address in the United Arab Emirates. This site provides the user with the fake version of PuTTY to download.

You can also check that the size of the “bad” PuTTY is larger in size than the official one.

When connected to a machine with the “bad” version, the application copies the connection SSH URL and other info and sends a ping with a string to the attacker’s web server, it should look like this:

The URL is encoded with Base64 and uses the User Agent to filter the connection attempts.

If the credentials are sent to the attacker, well you can well say “Game Over”, since the attacker can make a connection to the server (if available over the internet).

To mitigate this, some of the AV available is already detecting the malicious version of Putty, so keep your AV always with the latest updates, but besides that always ensure that you are downloading a software from the official project website.

About the Author Elsio Pinto

Edited by Pierluigi Paganini

(Security Affairs – PuTTY, malware)