
Problem with Putty downloads?


3 replies to this topic

#1 psiborger80

  • Members
  • 2 posts

Posted 15 April 2015 - 07:41 AM

Hello,


I am running Windows 8.1.


I was downloading puttyagent from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. The http:// based download link points to http://the.earth.li/~sgtatham/putty/latest/x86/pageant.exe

 

After clicking on the link, the file downloaded and my McAfee alerted "Malware detected, reboot to remove". I rebooted, and submitted the original download link to virus total, and it returned clean.

I looked in my "Downloads Library" list within Mozilla Firefox (pasted below), and it showed the download as being present, but that the source of the download was not where I downloaded it from ... it was from tartarus.org, which VirusTotal has two reports of being infected.

McAfee reports the details of the exploit downloaded in the subsequently pasted screenshot as a GenericR variant trojan.

When I give the URL http://the.earth.li/~sgtatham/putty/latest/x86/pageant.exe to Virus Total, it gets one hit.

My question is, how/why was my computer redirected to download the file from the different site?


Edited by psiborger80, 15 April 2015 - 07:43 AM.



#2 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,205 posts
  • Location:Quebec, Canada

Posted 15 April 2015 - 08:24 AM

Hi psiborger80 :)

It's possible that you've been browser hijacked, which is why the download was redirected, but here's the thing: nothing leads me to believe that Tartarus.org, from which you downloaded the pageant.exe file, is malicious.

Here's the VirusTotal report for pageant.exe, downloaded from the chiark.greenend.org.uk website:

https://www.virustotal.com/fr/file/cb3e3e9b738c20b0384518dee12e32b8acd447428a82da7504fab673bbf43f5a/analysis/1429103961/

And here's the VirusTotal report for Tartarus.org:

https://www.virustotal.com/fr/url/908ba7e6e5e5d9c02dc6815dc5e313aade41ea21d72f1cea7e8bcac9bf890ec6/analysis/1429104000/

I went on the website, and the Putty project is listed as part of this website. When you click on "Putty", it redirects you to the chiark.greenend.org.uk website (the legitimate one). And when you download pageant.exe, it really downloads it from chiark.greenend.org.uk again.

Also, Web of Trust reports that website as totally legitimate, but since it's a user-based opinion extension, it could be false. So I don't think anything phishy happened here, but there's still a possibility.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
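One way to settle which file actually landed on disk, as an added example that is not from this thread or from the PuTTY project: hash the downloaded file and compare it, in constant time, against the published SHA-256. The 64-character identifier in the VirusTotal file report linked above is assumed here to be that file's SHA-256; the helper names and the sample bytes are constructed for the demonstration.

```python
import hashlib
import hmac

# Assumed known-good value: the identifier in the VirusTotal file report
# linked in this thread (VirusTotal keys file reports by SHA-256).
# Treat it as an example only; copy the hash from the vendor's own page.
KNOWN_GOOD_SHA256 = "cb3e3e9b738c20b0384518dee12e32b8acd447428a82da7504fab673bbf43f5a"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file on disk, read in chunks so large installers fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_hash(value: str) -> str:
    """Accept the ways a hash gets pasted: mixed case, stray whitespace, a 'sha256:' prefix."""
    value = value.strip().lower()
    if ":" in value:
        value = value.split(":", 1)[1].strip()
    return value


def verify_download(actual_hex: str, expected_hex: str) -> bool:
    """True only if the downloaded file's digest equals the published one.

    A malformed expected value raises instead of silently 'matching' garbage,
    and the comparison is constant-time so it leaks nothing about the digest."""
    expected = normalize_hash(expected_hex)
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected value is not a 64-hex-character SHA-256")
    return hmac.compare_digest(normalize_hash(actual_hex), expected)


if __name__ == "__main__":
    # Constructed sample 'download' for offline demonstration, not the real pageant.exe.
    sample = b"MZ" + b"\x00" * 62 + b"constructed sample installer bytes"
    digest = sha256_hex(sample)
    print("file digest            :", digest)
    print("matches itself         :", verify_download(digest, digest))
    print("matches published hash :", verify_download(digest, KNOWN_GOOD_SHA256))
```

If the digest of the file in your Downloads folder does not match the vendor's published value, the file is not the one the vendor ships, whatever URL the browser recorded.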


#3 psiborger80
  • Topic Starter

  • Members
  • 2 posts

Posted 15 April 2015 - 09:11 PM

OK. Stupid question, I suppose this would imply that my PC has malware?



#4 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,205 posts
  • Location:Quebec, Canada

Posted 15 April 2015 - 09:12 PM

Yes, since redirections are often malicious and not normal. Right now there are no signs that this redirection was malicious, however, according to what I posted and tried myself.
