The author analyzed the downloaded file and found that the PuTTY inside was not the official build. Unlike the official release, the PuTTY from Baidu's software center carries no digital signature, and its version number is an odd 184.108.40.206.
When the program is run, it first connects to a server to download a file named list.exe. That file is in fact a list containing the download addresses for Kingsoft Duba (Jinshan Duba antivirus) and iQIYI. Once the list has been downloaded, the program extracts the real PuTTY executable, and while that PuTTY is running it silently downloads and installs Kingsoft Duba and iQIYI.
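The two tell-tale signs above, a missing Authenticode signature and a download that does not match what the project publishes, can both be checked before a binary is ever run. The following is an added example written for this article, not code from the original report or from the PuTTY project: it parses a `hash  filename` list in the format produced by sha256sum (the format PuTTY's site publishes), compares the file's SHA-256 against it, and inspects the PE header to see whether a signature blob is attached at all. The `build_minimal_pe` helper and the sample hash list are constructed test data, not real PuTTY artifacts; and note that the presence of a security directory only says a signature is attached, not that it is valid or from the expected publisher, so the signature itself still has to be verified with a tool such as `signtool` or `Get-AuthenticodeSignature`.

```python
import hashlib
import hmac
import struct


def parse_sha256sums(text: str) -> dict:
    """Parse 'hash  filename' lines (sha256sum / sha256sums format) into {filename: hexdigest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # coreutils prefixes binary-mode entries with '*'
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed line: {line!r}")
        expected[name] = digest.lower()
    return expected


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, expected_hex: str) -> bool:
    # Constant-time compare; harmless here but a good habit for any verifier.
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def has_authenticode_directory(pe: bytes) -> bool:
    """True if IMAGE_DIRECTORY_ENTRY_SECURITY (data directory 4) points at a non-empty blob.
    Presence of the directory is not proof of a valid signature."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                           # PE32: data directories start at offset 96
        dd_off = opt + 96
    elif magic == 0x20B:                         # PE32+: data directories start at offset 112
        dd_off = opt + 112
    else:
        return False
    sec = dd_off + 4 * 8                         # entry 4, 8 bytes per entry
    if sec + 8 > len(pe):
        return False
    offset, size = struct.unpack_from("<II", pe, sec)   # for this entry the first field is a file offset
    return offset != 0 and size != 0 and offset + size <= len(pe)


def verify_download(data: bytes, filename: str, sums_text: str) -> dict:
    """Run both checks and return a small report; 'ok' is True only when both pass."""
    expected = parse_sha256sums(sums_text)
    hash_ok = filename in expected and hash_matches(data, expected[filename])
    signed = has_authenticode_directory(data)
    return {"hash_ok": hash_ok, "has_signature_blob": signed, "ok": hash_ok and signed}


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed PE32+ header (no sections, not executable) used only as sample input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # SizeOfOptionalHeader = 240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + len(opt)
    blob = b""
    if signed:
        blob = struct.pack("<IHH", 8, 0x0200, 0x0002)  # dummy WIN_CERTIFICATE header, 8 bytes
        struct.pack_into("<II", opt, 112 + 4 * 8, header_len, len(blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + blob


# Constructed sample: a 'good' download with its published hash, and a tampered copy.
GOOD = build_minimal_pe(signed=True)
TAMPERED = build_minimal_pe(signed=False) + b"\x00" * 16
SUMS = f"{sha256_hex(GOOD)}  putty.exe\n# comment line\n"

if __name__ == "__main__":
    print("good:", verify_download(GOOD, "putty.exe", SUMS))
    print("tampered:", verify_download(TAMPERED, "putty.exe", SUMS))
```

The hash check only helps if the reference list comes from the project's own site over HTTPS (or is signed), never from the same third-party mirror as the binary; a mirror that repackages the installer can just as easily republish a matching hash.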
To get to the bottom of it, the author traced the server's IP address.
Ultimately, the owner of the IP address, X, turned out to be a senior R&D engineer at Baidu Shanghai.
So far Baidu has not responded, and it is not known whether the bundled malware was the engineer's own doing.
This site's editor also did a quick investigation and found that the problematic 0.67.0.0 build had been in the software center since at least May 2017. Ten days ago a related post on V2EX also accused it of bundling. Searching Baidu for PuTTY now, the software center page has been deleted.
Reportedly, 360, Huorong and some foreign anti-virus products flag the Baidu version of PuTTY.
This is not the first time PuTTY has been implicated in such a problem: as early as 2012, a Chinese-localized version of PuTTY was found to contain a backdoor that could leak a large number of host administrator passwords. At the end of last year Tencent also apologized for the way its PC Manager and QQ Browser were being promoted. It is worth noting that a large number of download sites in China still carry many misleading advertisements, which harms the user experience, so it is recommended that you download software from the product's official website.