Trojanized version of PuTTY client discovered online

A version of the client has been tampered to steal user data.
Written by Charlie Osborne, Contributing Writer

A version of the open-source PuTTY client has been discovered online which includes an information-stealing Trojan.

According to Symantec researchers, an unofficial version of the open-source Secure Shell (SSH) client PuTTY has been discovered in the wild which may compromise the privacy and safety of developers.

PuTTY, developed by Simon Tatham, is used by web developers, administrators and IT staff worldwide. The client can be used for collaboration and to both fix and improve IT projects and connects people to a remote server through encrypted channels -- most often from a Windows PC to a Unix/Linux server.

However, its open-source nature has now led to abuse.

A Trojanized version of PuTTY is being hosted on websites aside from the official domain, and cyberattackers have been redirecting users to their own websites.

"If the user is connected to other computers or servers through the malicious version of PuTTY, then they could have inadvertently sent sensitive login credentials to the attackers," the researchers say.

"Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server, (known as 'root' access) which can give them complete control over the targeted system."

The Trojanized PuTTY version was first discovered in 2013, however the researchers believe scanner tests were being performed at this time due to low levels of distribution. However, the file is now being downloaded after users seek a download through Google and inadvertently pick a compromised third-party website to download the program rather than its official source.

This message appears in malicious versions.

The compromised website then redirects the user several times, ultimately connecting them to an IP address in the United Arab Emirates, according to Symantec. The altered version of PuTTY then is downloaded.

This is not the first time the threat actors have manipulated open-source software to steal data. The team says that last year, a malicious version of the FileZilla FTP client was created by the same group and sent out online.

To prevent yourself becoming a victim of the malicious software, always check the source of your download.

Editorial standards