“A malicious version of the popular open source Secure Shell (SSH) client PuTTY has been spotted and analyzed by Symantec researchers, and found to have information-stealing capabilities.
PuTTY, which is written and maintained primarily by Simon Tatham and can be freely downloaded from the project’s official site, is a popular software with admins and developers looking to connect to remote servers through encrypted means.
Compiled from source, this malicious version is apparently capable of stealing the credentials needed to connect to those servers.
“Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server, (known as ‘root’ access) which can give them complete control over the targeted system,” the researchers explained.
They noted that this particular malicious version of PuTTY has already been spotted in the wild in 2013, but it wasn’t broadly distributed.
Neither is this time: there is not active or targeted malware distribution campaign – unsuspecting users will download it only if they search for the legitimate software via a search engine, and opt for getting it from a compromised site instead of the project’s official site.
“There is evidence to show users that the Trojanized version of PuTTY is suspicious, as the file is much larger in size than the latest official release. If users are not paying attention to the programs file size, they may accidentally end up using the malicious version,” the researchers noted.
One way to check whether you have perhaps installed it is to check the software’s About information. The malicious version will show you this:
“To ensure that you dont become a victim to malicious versions of legitimate software, always ensure that the page you are downloading from originates from the author or publishers official home page,” the researchers advise.”