Steve Bass's Tips & Tweaks: FlashGet's Security Hole Delivers a Trojan

Steve Bass's Tips & Tweaks
Fixes for the trickiest high-tech hassles.

I just uninstalled FlashGet, my favorite downloading program. It's got a big, inviting security hole that can -- and did -- let a nasty Trojan worm its way onto my system. I'm not the only one having to fend off the attack. FlashGet users and Kaspersky Labs first raised the flag.

My at-the-moment favorite anti-virus program, Kaspersky, spotted and deleted the Trojan-Downloader.Win32.Agent.kht. I didn't give it a second thought -- some of the files I download are, to say the least, suspect. [_You, too. --Editor_] And I didn't connect the Trojan with FlashGet.

Kaspersky immediately detected the Trojan FlashGet let through.

But the next day, Kaspersky hollered again, and this time it was just after launching FlashGet. So I did some digging and found what I was looking for: A Viruslist blog entry that explained the FlashGet exploit.

Come On Through
FlashGet's servers appear to have been infected and FlashGet merrily passed along the Trojan to users. That's why even though Kaspersky caught it the first time, FlashGet let it through again.

Rather than continue paraphrasing, I've excerpted the salient points from the post; you can read Aleks Gostev's entire explanation at Viruslist.

So how was FlashGet turned into a Trojan-Downloader? There's one obvious answer -- the developer's site was hacked and someone managed to substitute the standard configuration file and link it to a Trojan located on the site. Why the hacker didn't use a different site isn't clear. (Maybe this was deliberate stealthing, as a link to FlashGet in the configuration file isn't likely to arouse suspicion.) We decided to check whether it would be possible to use this technique to download any file from any site. The answer? Yes, it is.

All you need to do is add a link (which can point to any file you want) to the FGUpdate3.ini file and it will be automatically downloaded to your computer every time you launch FlashGet. Even if you don't press "Refresh", FlashGet uses the information from the .ini file. This "vulnerability" is present in all versions of FlashGet 1.9.xx.

So, in spite of the fact that the site is no longer "hacked", users are still vulnerable. Any Trojan program could modify the local .ini FlashGet file, causing it to function like a Trojan-Downloader. And it's worth noting here that FlashGet is usually treated as a trusted application; consequently, network activity caused by the application or requests to sites won't be flagged as suspicious, and users won't be alerted.
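The check a defender would want for a downloader driven by a local config file, as an added example (not code from the post, from FlashGet or from Kaspersky): it parses an FGUpdate3.ini-style file, flags every download link whose host is not on the vendor allowlist, and compares the file against a hash baseline taken after a clean install. The INI layout, the vendor host and the sample entries are assumptions constructed for the example.

```python
"""Audit a FlashGet-style FGUpdate3.ini for off-domain download links and
detect silent modification of the file against a known-good hash baseline."""
import configparser
import hashlib
import re
from urllib.parse import urlparse

# Assumption: the vendor's download host. Placeholder, not FlashGet's real host.
TRUSTED_HOSTS = {"example-vendor.invalid"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample: one legitimate update entry plus one injected link,
# mimicking the substituted configuration file described in the post.
SAMPLE_INI = """[Update]
Version=1.9.6
URL=http://example-vendor.invalid/update/fgupdate.cab
[Links]
Link1=http://example-vendor.invalid/download/plugin.exe
Link2=http://attacker.invalid/payload.exe
"""


def extract_urls(ini_text):
    """Return (section, key, url) for every URL found in a key's value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(ini_text)
    found = []
    for section in cp.sections():
        for key, value in cp.items(section):
            for url in URL_RE.findall(value):
                found.append((section, key, url))
    return found


def untrusted_links(ini_text, trusted_hosts=TRUSTED_HOSTS):
    """Links whose host is off the allowlist: these would be fetched on every launch."""
    return [(s, k, u) for s, k, u in extract_urls(ini_text)
            if urlparse(u).hostname not in trusted_hosts]


def file_digest(ini_text):
    """SHA-256 of the config text; record this right after a clean install."""
    return hashlib.sha256(ini_text.encode("utf-8")).hexdigest()


def changed_since_baseline(ini_text, baseline_digest):
    """True if the config no longer matches the recorded clean baseline."""
    return file_digest(ini_text) != baseline_digest


if __name__ == "__main__":
    clean = SAMPLE_INI.replace("Link2=http://attacker.invalid/payload.exe\n", "")
    for sec, key, url in untrusted_links(SAMPLE_INI):
        print(f"untrusted download link in [{sec}] {key}: {url}")
    print("config modified since baseline:",
          changed_since_baseline(SAMPLE_INI, file_digest(clean)))
```

Running it against the sample flags only the injected Link2 entry and reports the file as modified relative to the clean baseline.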

What's a Downloader to Do?
The problem is that FlashGet's security breach hasn't been fixed, and for all I know, their site might be attacked again, with FlashGet users still at risk. So far there hasn't been an acknowledgment of the problem on the FlashGet site, and the Chinese developer hasn't replied to my request for comment.

I just uninstalled FlashGet and I recommend you do, too. There are downloading alternatives -- Download Accelerator Plus, Fresh Download, Crawler Download Manager, and Free Download Manager. I prefer FlashGet, sure, but I also like a Trojan-free PC. You can read about them, as well as other downloading tips, in Top Tricks for Safe, Smart Downloads.

Talkback
Have something to say -- or have a favorite download manager? You can use Comments below or if you'd prefer, fire an e-mail right into my inbox.
