
FileZilla is being shipped with malware

Users on the FileZilla forum found out that FileZilla has been bundled with malware since January. People reported this:

Quote


I'm seeing hits on this file as well from advanced security tools in an enterprise environment. This appears to be a bit more than just a few false hits on VirusTotal. The installation of filezilla_3.29.0_win64-setup_bundled.exe file with MD5 of 9f405c266c883305537c11246bdb1d42 shows signs of malicious activity in the form of IDS/IPS bypass techniques to copy and append .dat files behind the scenes. This activity can sometimes be a false positive, but this does not appear to be a false hit.


and this

Quote


The IPs and domains we see tofufeti.exe connecting to are:

  • 54.225.173.220 on tcp/80 (goquc.com)
  • 52.84.25.26 on tcp/80 (d39ievd5spb5kl.cloudfront.net)
  • 34.208.177.52 on tcp/80 (gubuh.com)

Random unsigned processes reaching out to random sites with no content over port 80 is typically a sign of malware beaconing.


The problem does appear to be in the bundled software only, as people note this:

Quote


Running the install without choosing any of the bundled adware shows no signs of this activity and is a simple and clean install that one would expect for a lightweight tool like FileZilla.

It's also sad to see that questions like this are being ignored:

Quote


First...do you even know what software applications or advertisement software you are bundling with the bundled version of FileZilla? How do you know without a doubt that the software you are bundling is not malicious or not able to lead to anything malicious? If you can honestly say you know for sure, then you are complacent in the delivery of malvertising applications to people. Not to mention your use of Click Baiting (Social Engineering) by using a big green download button...hiding the alternative download link at the bottom with small text so that nobody pays attention.


It looks like the owner/maker is trying to do something about it, but mostly he is defensive and trying to show that the program itself is not the problem. But people see that, I hope; the problem lies in the bundled software. And it seems people are mostly worried about this.

 

Just a heads-up for everyone using FileZilla: you might want to deinstall it for now.
Source: https://forum.filezilla-project.org/viewtopic.php?t=48441

 

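The beaconing heuristic quoted in the opening post (unsigned process, tcp/80, no content coming back), written out as detection logic over a connection log. This is an added example, not part of the original thread: the record layout, thresholds, timestamps, signature flags and response sizes are constructed, and only the process name and the three destinations are taken from the quoted forum post.

```python
import statistics
from collections import defaultdict

# Constructed sample connection log (not captured data). Process name and the
# first three destinations are the ones quoted in the thread; everything else
# (timestamps, signed flag, sizes, *.example.test hosts) is invented.
# Fields: epoch seconds, process, signed, dst ip, dst port, host, response bytes
SAMPLE_LOG = [
    (1000, "tofufeti.exe", False, "54.225.173.220", 80, "goquc.com", 0),
    (1300, "tofufeti.exe", False, "52.84.25.26", 80, "d39ievd5spb5kl.cloudfront.net", 0),
    (1601, "tofufeti.exe", False, "34.208.177.52", 80, "gubuh.com", 0),
    (1899, "tofufeti.exe", False, "54.225.173.220", 80, "goquc.com", 0),
    (1010, "filezilla.exe", True, "203.0.113.10", 21, "ftp.example.test", 5120),
    (1500, "updater.exe", False, "198.51.100.7", 80, "cdn.example.test", 48213),
    (4100, "updater.exe", False, "198.51.100.7", 80, "cdn.example.test", 51002),
]


def beacon_candidates(log, max_body=64, min_hits=3, max_jitter=0.2):
    """Return {process: evidence} for processes matching the thread's heuristic:
    unsigned, plain HTTP on tcp/80, (almost) no content returned, and
    connections spaced at regular intervals."""
    by_proc = defaultdict(list)
    for ts, proc, signed, _ip, port, host, size in log:
        if not signed and port == 80 and size <= max_body:
            by_proc[proc].append((ts, host))

    flagged = {}
    for proc, hits in by_proc.items():
        if len(hits) < min_hits:
            continue  # too few empty responses to say anything about timing
        times = sorted(ts for ts, _ in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation of the gaps: a low value means the
        # traffic is timer-driven rather than user-driven.
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            flagged[proc] = {
                "hits": len(hits),
                "hosts": sorted({h for _, h in hits}),
                "mean_gap_s": round(mean, 1),
                "jitter": round(jitter, 3),
            }
    return flagged


if __name__ == "__main__":
    for proc, evidence in beacon_candidates(SAMPLE_LOG).items():
        print(proc, evidence)
```

A hit from this kind of filter is a lead for triage, not a verdict: the unsigned updater in the sample is left alone because it actually downloads content, which is the distinction the quoted post draws.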


Evasive? He's the owner of the site and if there's no malware, there's no malware. False positives happen all the damn time and this shit is dating back to 2017 wtf


2 minutes ago, SC2Mitch said:


Evasive? He's the owner of the site and if there's no malware, there's no malware. False positives happen all the damn time and this shit is dating back to 2017 wtf

Read the later posts in the topic. It's coming back now.


So, Somebody is trying to run a smear campaign against FileZilla creator? Kek.

 

FileZilla is FOSS, you don't just shove ADs or malware in the program to make a buck with Free Software. It's fairly obvious somebody has beef with him/her.


Also,

Welcome to 2018, the year where being truthful is seen as both Edgy and Evasive! More at 11 /sarcasm.


Wow, haven't heard about FileZilla in like, 10+ years... I'm surprised it still exists.


FileZilla has always been malware in my eyes. Last place I worked it was flagged on 3 different occasions a few months apart. I don't know why people use it or trust it.


7 minutes ago, TetraSky said:

Wow, haven't heard about FileZilla in like, 10+ years... I'm surprised it still exists.

All I know is, I'm going to be trying it with all of my (modded) OG Xbox.

@Everyone

Kaspersky didn't pick up anything (I might try tomorrow with Trend Micro...but the program doesn't even protect itself from being forced to close).

3 minutes ago, TetraSky said:

Wow, haven't heard about FileZilla in like, 10+ years... I'm surprised it still exists.

A surprising amount of people still use it because it's FREE (as in Freedom and also as in Money) and OPEN SOURCE Software.

 

The kind of software that respects user freedom and privacy. I've used it a few times and it's an okay program.

 

@Levisallanon Also, I have no idea how you thought my post was funny. I am genuinely serious when I'm saying somebody is out to get the creator of FileZilla and is running a smear campaign to tarnish the FileZilla name. 

 

Do you remember CTS Labs and those "AMD Vulnerabilities"? They were running a smear campaign against AMD because Intel or a company associated with them paid them to.


1 minute ago, AluminiumTech said:

@Levisallanon Also, I have no idea how you thought my post was funny. I am genuinely serious when I'm saying somebody is out to get the creator of FileZilla and is running a smear campaign to tarnish the FileZilla name. 

I found it funny because of how it was written. Might be the language barrier (from my side).
It looks like someone is trying to run a smear campaign, but on the other hand it's not completely certain yet if and how it happened, and maybe there just wasn't a good check on what was included.


1 minute ago, AluminiumTech said:

A surprising amount of people still use it because it's FREE (as in Freedom and also as in Money) and OPEN SOURCE Software.

 

The kind of software that respects user freedom and privacy. I've used it a few times and it's an okay program.

 

@Levisallanon Also, I have no idea how you thought my post was funny. I am genuinely serious when I'm saying somebody is out to get the creator of FileZilla and is running a smear campaign to tarnish the FileZilla name. 

 

Do you remember CTS Labs and those "AMD Vulnerabilities"? They were running a smear campaign against AMD because Intel or a company associated with them paid them to.

Thing is, with Filezilla being open source you have to be pretty stupid to make a false claim when anyone can check the source code.

5 minutes ago, Dabombinable said:

Thing is, with Filezilla being open source you have to be pretty stupid to make a false claim when anyone can check the source code.

The issue here is that the person who started accusing FileZilla of things is going after their binaries which is not technically source code.


False positives happen all the time.

I already made a software, a small utility, mostly for myself, but made a setup out of it for possible distribution, and lo and behold, a bunch of A/V on VirusTotal marked it as a variety of viruses, from Trojan to adware.

 

Funny thing is that I am looking at the list:

https://www.virustotal.com/en/file/3129fd5421c1a71c0673f4cae5349b4a98d4e93da9c41ace1bcacdc9ebf9c0ff/analysis/1529931832/

And it always seems to be the same anti-viruses that mark everything as a virus, for me.

ESET-NOD32 and Avira are always on the list, as they mark anything that isn't from a very large company, pretty much, as "potentially unwanted", and therefore: "ZOMG! Virus! Virus!"

 

I am surprised that Microsoft made the list, but Windows 10 Defender isn't complaining, even after doing a system scan, so they probably use Microsoft Security Essentials from Windows 7, or an old version. As for the rest, shitty A/V are shitty A/V.

 

For the developer of FileZilla, he can fix this by having his project whitelisted. But he needs to do it, potentially, for every, single, version, released that is made.... UNLESS, you are a big company or a hugely popular software for the average user computer base, where you'll be permanently whitelisted. And whitelisting your project can be a painful and long process as a small dev, as you need to contact each A/V company, and the process is very long, and of course, you are the lowest priority for them, again, unless you are a big company like EA, Microsoft, Apple, Adobe, etc.


47 minutes ago, AluminiumTech said:

So, Somebody is trying to run a smear campaign against FileZilla creator? Kek.

 

FileZilla is FOSS, you don't just shove ADs or malware in the program to make a buck with Free Software. It's fairly obvious somebody has beef with him/her.

At one point, FileZilla's installer included OpenCandy, which can be considered Adware, and anti-malware vendors classify it as a PUP.

 

https://malwaretips.com/threads/sourceforge-net-adds-adware-installers-provided-by-ask-com.17247/

 

So... you can add "malware", just not on the application itself.


I haven't used FileZilla at all but I downloaded it and ran a scan on the .exe file and both AVs found nothing. As @GoodBytes said, it looks like a typical false positive.

[Screenshots: Windows Defender found nothing; Kaspersky nothing detected]


8 minutes ago, GoodBytes said:

I am surprised that Microsoft made the list, but Windows 10 Defender isn't complaining, even after doing a system scan, so they probably use Microsoft Security Essentials from Windows 7, or an old version. As for the rest, shitty A/V are shitty A/V Next!

It's possible that Windows Defender initially detected it as a threat, but given how cloud protection works (a technique shared by almost all AVs), their ML models probably decided that it's not malicious after all.

[Image: detonation-based ML diagram]


On Topic:

As a dev you could also get certified as a developer and distribute your software via platform specific stores. That software should be automatically whitelisted. 

 

You can't blame the dev for SourceForge or other download sources adding adware. Personally I never download anything from those sites if there's any other chance. I just visit the dev's/manufacturer's website. Imho the only "safe" way of getting the software without bloat-, ad- or malware.

Edited by Crunchy Dragon


Isn't FileZilla pretty much malware to begin with? o.O That's my experience with it at least lol


WinSCP rules

Edited by Crunchy Dragon


1 hour ago, Bananasplit_00 said:

Isn't FileZilla pretty much malware to begin with? o.O That's my experience with it at least lol

It is an open source FTP file transfer program (avail in Client and server form).


1 minute ago, GoodBytes said:

It is an open source FTP file transfer program (avail in Client and server form).

All I remember it for is making the family iMac slow and popping notifications and also not working, but hey, that was ages ago and I'm not certain I even got the right program tbh, might have gotten it off Softonic or whatever


9 hours ago, AluminiumTech said:

So, Somebody is trying to run a smear campaign against FileZilla creator? Kek.

Doesn't seem like a smear campaign. Seems like it's just a false positive, possibly generated by the ads inside the installer.

 

9 hours ago, TetraSky said:

Wow, haven't heard about FileZilla in like, 10+ years... I'm surprised it still exists.

Well, how often do you use FTP in general?

It's probably the best graphical FTP program for Windows, but it's most something the average Joe uses.

 

9 hours ago, AluminiumTech said:

A surprising amount of people still use it because it's FREE (as in Freedom and also as in Money) and OPEN SOURCE Software.

And it's the best graphical FTP client for Windows.

Again, the thing is that most people do not use FTP servers anymore. Whenever the average user downloads something these days it's probably over HTTPS, P2P or some streaming protocol like DASH. Not FTP.


13 minutes ago, LAwLz said:

Doesn't seem like a smear campaign. Seems like it's just a false positive, possibly generated by the ads inside the installer.

 

Well, how often do you use FTP in general?

It's probably the best graphical FTP program for Windows, but it's most something the average Joe uses.

 

And it's the best graphical FTP client for Windows.

Again, the thing is that most people do not use FTP servers anymore. Whenever the average user downloads something these days it's probably over HTTPS, P2P or some streaming protocol like DASH. Not FTP.

FTP is mostly used for transferring files between old computers and consoles (and it's far easier to configure+get files transferring across a network than the shit Windows 10 Pro has now)