
Filezilla @ SourceForge = Malware

posted Jan 7, 2015, 8:00 AM by Sami Lehtinen   [ updated Jan 7, 2015, 8:46 AM ]
A Hacker News discussion and comments about this topic that I made earlier today.

I just hate it when good programs and recommended official download sites can't be trusted at all.
 
Filezilla client setup.exe @ VirusTotal

Filezilla server setup.exe @ VirusTotal
Filezilla server setup.exe @ MetaScan
Filezilla server setup.exe @ VirusScan (Jotti's Malware scan)
 
Downloaded the client setup again; now it has different content and a different hash, but it still contains the same malware.

It seems that the malware package has been customized separately for each download, because the hashes of the files won't ever match previously downloaded versions.
Many others have noticed the problem, but malware is STILL being delivered.

I personally would prefer that safer-browsing and other similar security toolbars would directly warn that SourceForge is a dangerous malware site and shouldn't be visited at all.

SourceForge is the official source for Filezilla binaries, which makes me really sad. If this were just a random "fake downloader site", it would be a different story. But now the Filezilla project is publicly supporting installation of malware. This is ... speechless ...

Never trust .exe files (or any other files either!), even if those are from reliable and reputable sources. Just build your projects from the source code directly.

This is a HUGE problem with production systems and made me really mad.

#filezilla #sourceforge #malware