Avast Discovers Malicious Version of FileZilla FTP Application

Posted by on Feb 7, 2014 in Cloud, Computer Security, Web Development and SEO | 0 comments

Avast Discovers Malicious Version of FileZilla FTP Application

Antivirus specialist Avast announced today that they have spotted a malicious version of common FTP application; FileZilla in the wild. This malicious application is apparently masquerading versions 3.7.3 and 3.5.3.

The first suspicious signs are bogus download URLs. As you can see, the installer is mostly hosted on hacked websites with fake content (for example texts and user comments are represented by images.)


Malware installer GUI is almost identical to the official version of FileZilla. The only slight difference is version of NullSoft installer where malware uses 2.46.3-Unicode and the official installer uses v2.45-Unicode. All other elements like texts, buttons, icons and images are the same. This makes spotting this extremely difficult for casual users.

The installed malware FTP client looks like the official version and according to Avast is fully functional! You can’t find any suspicious behavior, entries in the system registry, communication or changes in application GUI.

The only differences that can be seen at first glance are:

  • smaller filesize of filezilla.exe (~6,8 MB),
  • 2 dll libraries ibgcc_s_dw2-1.dll and libstdc++-6.dll (not included in the official version)
  • and information in “About FileZilla” window indicates the use of older SQLite/GnuTLS versions.

Any attempt to update the application fails, which is most likely a protection to prevent overwriting of malware binaries.

We recommend that all our customers download their software directly from official websites. If you are looking for an alternative, then we recommend CyberDuck which connects to FTP sites, SSH as well as cloud storage platforms like Google Docs.

Comments are closed.