
Trojan found in Filezilla downloaded from SourceForge - yitchelle
https://forum.filezilla-project.org/viewtopic.php?t=36762
======
scrollaway
Something came up last time Sourceforge was discussed here, namely "why are
projects still using it?"...

I'm the project lead for LXQt ([http://lxqt.org](http://lxqt.org)). We
inherited some infrastructure legacy from LXDE, which was hosted on
sourceforge. Today, we have moved most of the legacy to Github but we're still
using Sourceforge's mailing list system.

We're moving to a self-hosted mailman3 instance but it's been excruciatingly
painful. Email is _not fun_ to deal with.

So I'm pitching this to bored devs and entrepreneurs: Help us, and many other
projects, by creating a "Github for mailing lists" with a web client featuring
a clean high quality UI, easily browsable/linkable archives, etc. Make it open
source, make it self-hostable, stuff in enterprise support. Make it quick and
easy to create new lists.

This model can work. It's not unheard of either (cf. Discourse), but it just
hasn't been executed properly yet, or is forum-only and does not support email
properly. Right now, the UX of mailing list software is like IRC's. Very raw.
If it were made more seamless, more approachable, overall easier, it would
have a similar effect as Slack has had on unthreaded-async-topical-
conversation.

PS: You should change your adblocker to uBlock Origin. It blocks Sourceforge
as a malware risk.

~~~
aldanor
Why are mailing lists still quite massively popular in 2015?

~~~
pmlnr
How would you replace them? ( Please don't say Slack. That is just _not_ a
good replacement, especially for projects that need publicly searchable
archives. )

IMHO a publicly/semi-publicly logged irc channel would do just as well, but
that's even more oldschool.

~~~
noselasd
The alternative is pretty much only online forums. Which IMO doesn't offer a
lot of advantages, and most forum software is exceptionally bad (though yes, a
few new and nicer ones are coming along).

~~~
unixhero
Discourse, NodeBB and Vanilla come to mind.

~~~
scrollaway
None of them appropriately support mailing lists, though. Email-based
communication is a big deal for devs who contribute to maybe 5+ projects at
once and have to manage comms in one central place.

As for Discourse's mockery of a mailing list mode, let's not even talk about
it.

~~~
swhipple
Are you familiar with DFeed [1] used by the D-Lang forum [2]? It is, in my
opinion, one of the most usable web frontends for mailing lists (as well as a
few other sources).

[1]
[https://github.com/CyberShadow/DFeed](https://github.com/CyberShadow/DFeed)

[2] [http://forum.dlang.org/](http://forum.dlang.org/)

~~~
scrollaway
Never heard of it. Looks quite good. I will keep an eye on it, thank you.

------
DanBC
> If someone really wanted to download FileZilla and skip the malware do just
> that.

> Then after installation is complete install Malware bytes and Avira. Scan
> with both and restart the computer.

> Then run ADWcleaner and remove the infections and restart. Should
> be good from there and enjoy FileZilla.

Do people really think this works? I mean, there's no-one on HN who thinks
this works, right?

~~~
krylon
Even if it works, that sounds like telling somebody to park their car by
crashing it into a wall and then scraping off the pieces.

------
agildehaus
SourceForge and Filezilla are both on their way out, hence their owners' desire
to monetize their remaining users while they still can.

WinSCP is a decent alternative. As is Swish:

[http://www.swish-sftp.org/](http://www.swish-sftp.org/)
[https://github.com/alamaison/swish](https://github.com/alamaison/swish)

~~~
Asbostos
On Windows, you don't always need a 3rd party FTP program. Windows Explorer
(not IE) already does FTP. Just open any folder and type ftp://example.com
into the path bar.

~~~
pmlnr
Or you type 'ftp' in the command line.

~~~
abcd_f
It doesn't come standard, not on all Windows flavours. It's a part of "Core
networking utilities" package that used to have some really odd dependencies.

~~~
UnoriginalGuy
You're mis-remembering or something... There's no such thing as a "Core
Networking Utilities" package on Windows (never has been) and ftp has been a
command line tool since at least Windows 95.

I don't particularly like the built in FTP command line utility (even with
scripts). But it has existed a very long time indeed.

~~~
kuschku
Eh, yes, it is. On the Windows 7 Home Basic and Home Premium edition, it’s not
pre-installed, and you have to go to System Settings -> Programs and Features
-> Install or Remove Features to install it.

~~~
Someone1234
I have Windows 7 Home Premium on my Mac via Parallels, and I just typed
"ftp" into cmd and it came straight up.

The only packages I have installed are "Media Features" ".Net Framework 3.5.1"
"Print and Document Services" "Windows Gadget Platform" "Windows Search" and
XPS Services/Viewer. All of which are default features.

Which package are you even suggesting contains the ftp.exe client? Because I
don't even see one. Also why would anyone go to the trouble of putting a 47 Kb
binary inside of a feature package? It makes absolutely no sense at all.

~~~
kuschku
They used to put all that stuff (ftp, network utilities, etc.) in one package.

Granted, I haven’t used Windows in 4 years, but I remember fighting with
getting ftp on Windows without admin.

~~~
Someone1234
Are you sure you aren't mis-remembering and were installing the Unix Services
for Windows, to utilise Linux-like command line utilities?

As the person said above, ftp.exe has been in Windows since the MS-DOS days,
and is a core utility. I've never seen it not be available on any version in
any situation.

Now an FTP server definitely needs to be installed. Always has. But we're
talking about the ftp.exe client.

~~~
jlgaddis
_ftp.exe_ should be there, but _telnet.exe_ is no longer installed by default.
One must go to "Add/Remove Features" (or similar) and enable it first. Maybe
that's what he's confusing it with.

------
vermilingua
_As far as the password storage goes, you are not up-to-date. They are stored
base64-encoded now._

Yes, much better.

~~~
scrollaway
FTP passwords can't be hashed. The right solution would be to support platform
keyrings but ...
[https://trac.filezilla-project.org/ticket/1373](https://trac.filezilla-project.org/ticket/1373)

~~~
StavrosK
Why can the passwords not be hashed?

~~~
vermilingua
FTP is inherently insecure, everything is transmitted in plaintext. Because
the server cannot check a password against a hash (due to the limitations of
FTP), the client needs to store the password, and can't keep only a hash.

That being said, Base64 is woefully inadequate, just google 'base64 decode';
and this response (from someone who appears to be a contributor) is just not a
defence.

~~~
icebraining
If the server checked against a client-provided hash, _the hash would become
the password_ , and the attacker could just use the hash as-is to login to the
server. Hashing on the client solves nothing.

~~~
kuschku
Except if you require a hash of (password + timestamp modulo 60000).

~~~
joopxiv
In that case you can't just store the hash of the password, you will need the
password itself.

~~~
kuschku
Hmm. Yeah.

I’ve thought about it for the last few hours, and decided that the best
solution is to just use RSA in the client.

~~~
joopxiv
How would that work? If you would use a private key to authenticate to the
server you would still need to protect this key with a password. Otherwise
stealing the private key will get an attacker access to the server just as
simple.

~~~
kuschku
Well, you’d be 100% safe from MitM.

And you could use hardware key auth.

Like the German eID, where the key is signed by the government and on a
special chipcard.

The software requests the card to sign, you need to type in your PIN on the
reader itself, and the request will be signed with RSA.

The public key is world-readable on the card, so you can just send that to the
server.

------
morganvachon
I stopped using Filezilla on Windows a while back, due to this and other
issues (passwords stored in plaintext, etc.) and switched to PSFTP and PSCP,
which are MIT licensed and offered directly from the developer's page[1].
However, reading this article reminded me that Filezilla was actually still
installed on that box, just not in use, so I decided to uninstall it while it
was on my mind. Immediately after uninstalling it, it tried to force a
shutdown on my computer. The only reason I was able to stop it was because I
had a process running in the background that wouldn't terminate and I was
given the choice by Windows to force shutdown or cancel.

Now, I've only ever installed it from ninite.com[2], so I know it didn't
initially have the Sourceforge trojan/adware junk. However, I've since allowed
it to download its own updates instead of doing it manually through the Ninite
downloader. I've never, ever seen a program I've uninstalled via the Windows
Control Panel with the ability to force a shutdown or restart without first
notifying me or giving me the option to postpone. I'm starting to think
there's something nefarious in Filezilla itself, perhaps in one of those
"direct from the developer" updates, not just the Sourceforge wrapper.

Another interesting thing is that the built in Filezilla updater will first
uninstall the app before reinstalling the updated version, and it never tried
to restart or shutdown the computer during those updates, only during
uninstallation from the Control Panel.

[1]
[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.h...](http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)

[2] Ninite strips out any malware or other crap from the installer and only
installs the pure program with default settings, in the background, and
sources the app directly from the developer's site when possible. It's my go-to
tool for essential Windows utilities.

------
discreditable
The linked thread is from 2015-04-20. SourceForge has been bundling adware
with Filezilla since then and continues to do so. Here's a VirusTotal analysis
of the current installer:
[https://www.virustotal.com/en/file/16e0ecda06ed98f835e449e1e...](https://www.virustotal.com/en/file/16e0ecda06ed98f835e449e1e3e58959df60703c0262e357f5bcc0c3db9fae97/analysis/1449152400/)

If you want clean software you must not install directly from Sourceforge.

------
jug
AFAIK this practice (and not on the FileZilla project alone) is why uBlock
Origin is blocking SourceForge.

~~~
bigbugbag
Though uBlock Origin can use it, it's the uBlock badware risks filter list
which is blocking SourceForge:
[https://github.com/gorhill/uBlock/wiki/Badware-risks](https://github.com/gorhill/uBlock/wiki/Badware-risks)

~~~
gorhill
You are linking to uBlock Origin ("uBO") -- that filter list is specific to
uBO. The other "uBlock"[1] (abandonware) does not support strict blocking,
which is what blocks SourceForge.

[1]
[https://github.com/chrisaljoudi/uBlock](https://github.com/chrisaljoudi/uBlock)

~~~
bigbugbag
Sorry if I didn't make myself clear, what I was trying to point out is that
for uBlock Origin to block SourceForge the badware risk filter list has to be
enabled. Also I suppose this list can be used with other blocking software.

Oh and gorhill, much much thanks for your time and work on this.

------
gargalatas
Unfortunately Filezilla has had this trojan for some years now! The trojan sends
all your identities to a server. This is tested 100%. We had many passwords
stolen this way and we are 100% sure that it's Filezilla.

Just take this test: Try to download FileZilla and when the download page
shows, click on the Direct Link. Then compare the two executables, the one that
downloaded automatically and the one downloaded via the direct link.
You will see that the direct download is clean but the other has the SF icon
and it has a virus!

~~~
driverdan
That's a pretty serious claim. Do you actually have evidence to prove it was
FZ? Just because the SF executable includes spyware doesn't mean it's
disclosing passwords.

~~~
gargalatas
You are kidding, right? And what do you think that spyware does? They steal
passwords! Our DC warns us of stolen passwords every time a client is using
this exact "touched" version of FZ. The DC is informed by a security firm
and in 100% of the situations it is Filezilla that steals them!

------
CM30
So SourceForge has gone from terrible to (somehow) even worse than that.

It makes me wonder; why don't we have a good site for Windows programs yet?

Ideally, it'd be run by volunteers (not a company with a profit motive), would
manually moderate the programs posted to it (and remove any
adware/spyware/bundled programs by force if necessary) and tell every malware
ridden sleazy ad network to sod off.

It exists in more niche subject areas. If I look for game making resources, a
lot of those sites actually do proper moderation and try and make sure viruses
aren't present in uploads. Places like MFGG are pretty good about this. So why
don't we have that for software in general?

I mean, there's GitHub and package managers, but it's disappointing how this
market has no honest people in it.

------
chris_wot
This has been known about for some time. The Filezilla guys know about it.

[http://sourceforge.net/blog/devshare-relaunch-power-to-end-users/](http://sourceforge.net/blog/devshare-relaunch-power-to-end-users/)

~~~
facepalm
Shouldn't this be a criminal offense?

~~~
chris_wot
It's usually hidden in the EULA. Very hidden.

It's not just Filezilla or sourceforge doing this. Lenovo do this routinely.
They used to bundle something called BrowserGuard, which contains a PUP by
Conduit. Conduit have since been partially acquired by another company Perion.
I followed that rabbit hole last year, Lenovo point blank refuse to
acknowledge it is spyware.

And it IS spyware. I created a Perion account to see what they actually had
going on. They have an online form you can upload your executable to and it
wraps their malware in the form of a toolbar. I tested it by uploading
notepad.exe, and sure enough it works quite easily.

They capture your location and a whole bunch of data about your computer. They
also have remote update facilities built into it. It's pernicious, and the
company structure has been designed to make it very hard to determine who owns
it. And Lenovo were very happy to use them.

Oh, and here is an article that confirms the autoupdate:

[https://support.lenovo.com/au/en/documents/ht101178](https://support.lenovo.com/au/en/documents/ht101178)

~~~
facepalm
Good to know - I was almost ready to consider Lenovo again after Superfish,
but no...

~~~
throwaway7767
You should generally not trust preinstalled OSs, regardless of vendor. Most
(all?) of them shovel crap in there, often because they get paid to do it.
It's sad, but it's just the world we live in.

The really scary thing is when vendors put in backdoors or trojans like this
at a level below the OS (in UEFI, for example).

------
Jonnerz
It's done intentionally to make the owners a bit of money. They have direct
download links on their website (click show all on download page), avoid the
green Sourceforge link.

~~~
huuu
Nope, all links direct to Sourceforge.

~~~
level3
Yes, all the downloads are hosted on Sourceforge, but Jonnerz is pointing out
that the additional links come without the Sourceforge wrapper (the links will
have "?nowrap" at the end).

We all wish FileZilla would just drop Sourceforge completely, but at least the
non-wrapped versions are still available.

------
jmnicolas
No way I'm supporting this kind of behavior. Can you suggest an alternative to
FileZilla ?

~~~
teddyh
The problem is not FileZilla, but SourceForge. They do this to all their
files.

~~~
kardos
That's not quite accurate... FileZilla has opted into the bundle-with-crapware
program [1] to make some money.

[1]
[https://news.ycombinator.com/item?id=8849950](https://news.ycombinator.com/item?id=8849950)

~~~
luma
Not only that, but the FileZilla Admin is posting in that thread denying any
claim that there is anything wrong with the installer, despite repeated
reports from multiple users.

FileZilla is maintained by people who _want_ to push spyware to you because
it's how they get paid. This isn't an accident.

------
elipsey
The Filezilla forum admin in that thread obstinately blames users for
"accidentally" accepting a bundled "offer", when users are clearly warning
project admins that the installer is infected with malware.

Does SourceForge share revenue from bundled installs with projects?

~~~
kuschku
If you opt-in, they do. Filezilla was one of the first to opt-in.

If you say "no, I don’t want you to bundle your installer with my project",
they will do so anyway (look at GIMP), and you get nothing.

~~~
elipsey
So yeah, it seems like there's kind of a conflict of interest here. If there's
no way for a user to know whether the project opted in to revenue sharing,
then how can they trust the project?

In other words, in my view, a project that opts in to revenue sharing with
crapware bundlers who are known to sometimes distribute malware is behaving
unethically.

So now I don't trust FileZilla devs in general, even if I get a package
signed by my distro or whatever. Very disappointing. Worse still, it makes
projects that didn't opt in suspect in my view, simply because they are on
SourceForge; if I can't find out whether they opted in, how can I know any
project isn't taking kickbacks?

I really hope I'm missing something here....

~~~
kuschku
For your information, currently sourceforge "usually" only bundles the
crapware with projects where either the person opted in, or where sourceforge
has "seized" the repo.

If it bundles crapware, and the maintainer listed on sourceforge.net is
sourceforge itself, they didn’t opt in.

Otherwise they did.

------
nissehulth
Older thread about Sourceforge:
[https://news.ycombinator.com/item?id=9623142](https://news.ycombinator.com/item?id=9623142)

Just don't use them.

------
halfdan
Absolute money quote: "As far as the password storage goes, you are not
up-to-date. They are stored base64-encoded now."

~~~
Asbostos
There's the argument that if someone has access to the passwords then they've
already got enough control over the computer to do whatever other damage they
like - like reading them out of memory after they're decrypted.

Base64 at least provides some protection against somebody looking at it with
their eyes and memorizing them, which is perhaps a more likely scenario -
family members, kids, etc.

~~~
redbeard0x0a
Base64 provides no protection from malware that infects your machine and
actively looks for this kind of stuff. Stored passwords from websites, ftp
programs, key safes, etc.

------
jedicoffee
"While the SourceForge Installer may present third-party offers,"

Don't worry, it's just an "offer". They're totally not distributing malware
via their installer.

------
cpach
About two hours ago I pondered installing the Diffuse merge tool[0] on a
Windows box. Then I noticed that it was hosted on Sourceforge and thought
"nah, not really worth the risk". Now that I see this post I feel even more
content that I avoided Sourceforge.

[0] hxxp://diffuse.sourceforge.net/

------
Karunamon
What really gets me is the glib attitude of the FileZilla maintainers to this
news. Whether trojan or adware, the "just uncheck the boxes" mindset is rather
insulting.

Move your stuff off Sourceforge! What the _hell_ is wrong with you people?

~~~
DanBC
Filezilla opted in to the malware wrapper. They made a conscious decision to do
this.

------
robgibbons
It's funny, I literally just messaged the maintainer of the Minibian project,
politely asking that he move the Minibian project away from Sourceforge, when
I saw this post on HN. It's too bad to see Sourceforge ending up like this,
after it was so useful years back.

------
jdeisenberg
Slightly O/T, but has anyone experienced similar problems with downloads from
PortableApps.com? They use SourceForge as well, and I am now hesitant to
recommend PortableApps to friends and co-workers.

------
rietta
It would seem that more projects would benefit from running their own free
software on their own virtual server infrastructure. A decade ago, there was
GNU Mailman and it's still around -
[http://www.list.org](http://www.list.org).

Yes, this means that a self-contained project needs the funds for basic
hosting and also someone with system admin experience. But that should not be
unreachable for major projects.

------
jron
Tim Kosse has really tarnished the reputation of FileZilla by ignoring the
SourceForge malware problem.

Chrome and Firefox should add SourceForge to their malicious site list.

~~~
AJ007
There are a few things that could happen:

a) Certainly if a site is distributing malware/virus/trojans it needs to be
flagged as such -- whether it is intentional or not.

b) Sourceforge's policies indicate they are no longer a trusted source for
official files and it is probably being ranked far too highly on Google and
other search engines.

c) If Dice fails to promptly and adequately address the distribution of
malicious files for profit the appropriate government agencies should become
involved.

------
acd
There is a safer way to install FileZilla: through the Ninite installer or Chocolatey.

[https://ninite.com/filezilla](https://ninite.com/filezilla)

Chocolatey NuGet is similar to Linux package managers but for Windows programs.

[https://chocolatey.org](https://chocolatey.org) `choco install filezilla`

~~~
manveru
Please don't recommend chocolatey for this reason. While it's excellent, you
should probably check the install file first:
[https://chocolatey.org/packages/filezilla](https://chocolatey.org/packages/filezilla)
(and click "show" on "tools\chocolateyInstall.ps1")

You don't see the installer UI, but it still downloads from sourceforge
because that's where the executables are stored.

~~~
teh_klev
Unless ninite is building everything from source where do you think it's
getting the installer binaries?

------
aw3c2
> 2015-04-20

------
jokoon
Clicking on the download link was blocked by uBlock Origin. Weird.

~~~
AdmiralAsshat
After the last Sourceforge malware-bundling debacle (Can't even remember who
it was at this point--someone who said Sourceforge seized their repo from them
and then repackaged it with malware), gorhill added Sourceforge to the uBlock
blacklists.

Good riddance, I say.

~~~
kuschku
It was the GIMP guys, btw.

------
FussyZeus
Refuse to download anything from SourceForge anymore. Sad too, used to be the
best out there back in the day.

------
nthcolumn
People are still using SourceForge? :O

------
kyriakos
You can get a clean version from FossHub.

------
rbanffy
Are we still using FTP?

~~~
jlgaddis
You might be amazed at how much FTP is still actively used -- especially by
the financial industry!

~~~
rbanffy
Amazed _and_ alarmed ;-)

------
rogeryu
That article is from April. Good to know about it, but is this news?

~~~
brainary
First post on the thread is indeed old, but there are some newer ones.

