Multiple versions of the well-known terminal emulator Xshell contain a backdoor that may upload users' server account passwords!

August 15, 2017


Xshell is a powerful and well-known terminal emulator that is widely used for server operation, maintenance and management. Xshell supports SSH, SFTP, TELNET, RLOGIN and SERIAL connections. It offers industry-leading performance and powerful functions, and it is hard to replace among free terminal emulators. The Enterprise Edition adds more professional functions, including a tabbed environment, dynamic port forwarding, user-defined key mapping, user-defined buttons, VB script, and a UNICODE terminal for displaying 2-byte characters and supporting international languages.

Xshell provides many user-friendly functions that other terminal emulators lack. These include Zmodem file upload and download by dragging and dropping files, simple mode, full-screen mode, a transparency option and a custom layout mode. Using Xshell for terminal tasks saves time and effort.

At present, the latest version of Xshell is Xshell 5 Build 1326, released on August 5, 2017.

A few days ago, 360CERT learned that a security company had found malicious code in the nssock2.dll module shipped with NetSarang's Xmanager, Xshell, Xftp, Xlpd and other products. The malicious code has been confirmed in Xshell 5.0.1322 and Xshell 5.0.1325:

Official announcement:

It is worth noting that the upgrade prompt for build 1326 is telling: it says nssock2.dll was fixed for a remote vulnerability (66666... Orz)

Brief analysis

Through behavior analysis, 360CERT found that the backdoor sends requests to the domain name "nylalobghyhigh.com".

Privacy protection is enabled for this domain name, so only its NS records can be queried:

Data source: 360CERT

In addition, the backdoor also resolves multiple very long domain names; these are produced by a DGA, and the data is leaked through the DNS resolution of those names.
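As an added illustration (not part of the original analysis or of 360CERT's tooling), the following Python sketch shows how a defender could screen DNS query logs for the two behaviours described here: lookups of the hard-coded domain, and very long, high-entropy DGA-style names that carry data out over DNS. The log format, the thresholds and the sample log lines are constructed assumptions, not values taken from the analysis.

```python
import math
import re
from collections import Counter

KNOWN_C2 = {"nylalobghyhigh.com"}   # domain named in the analysis above
MAX_LABEL_LEN = 40    # assumed: ordinary labels are rarely this long
MAX_QNAME_LEN = 100   # assumed threshold for the whole query name
MIN_ENTROPY = 3.8     # assumed: encoded payload labels approach 4 bits/char

def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def classify_query(qname):
    """Return the reasons a query name matches the backdoor's DNS behaviour."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    sub = labels[:-2]   # subdomain labels are where an encoded payload would sit
    reasons = []
    if ".".join(labels[-2:]) in KNOWN_C2:   # naive registrable domain (eTLD+1)
        reasons.append("known-c2-domain")
    if len(name) > MAX_QNAME_LEN:
        reasons.append("qname-too-long")
    if any(len(label) > MAX_LABEL_LEN for label in sub):
        reasons.append("label-too-long")
    if sub and shannon_entropy("".join(sub)) > MIN_ENTROPY:
        reasons.append("high-entropy-subdomain")
    return reasons

LOG_RE = re.compile(r"^(\S+) (\S+) query: (\S+)$")   # constructed log format
def scan_log(lines):
    """Return (client, qname, reasons) for every log line that triggers a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            _ts, client, qname = m.groups()
            reasons = classify_query(qname)
            if reasons:
                hits.append((client, qname.rstrip(".").lower(), reasons))
    return hits

# Constructed sample: a benign lookup, the hard-coded domain, and a DGA-style
# name whose two 64-character hex labels carry an encoded payload.
PAYLOAD = "3f9a1c7e5b0d2846" * 4 + "." + "c04e8a2f6d1b9375" * 4
SAMPLE_LOG = [
    "2017-08-15T10:00:01 10.0.0.5 query: www.netsarang.com.",
    "2017-08-15T10:00:02 10.0.0.5 query: nylalobghyhigh.com.",
    "2017-08-15T10:00:03 10.0.0.7 query: " + PAYLOAD + ".example-dga.net.",
]
```

Calling scan_log(SAMPLE_LOG) returns only the second and third lines, the first with reason known-c2-domain and the second with all three length and entropy reasons; tune the thresholds against your own resolver's baseline before relying on them.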

Some generated domain names are as follows:

Basic process

The Xshell network communication component nssock2.dll was found to contain backdoor code. The DLL itself carries a valid digital signature from the vendor, but several security vendors have flagged it as malicious:

Each month, a new control domain name is generated by a specific algorithm. At present, some of these domains have already been registered by the backdoor's author.

Versions with the backdoor (verified)

Xshell Build 5.0.1322

Xshell Build 5.0.1325

Xmanager Enterprise 5.0 Build 1232

Xmanager 5.0 Build 1045

Xftp 5.0 Build 1218

Xftp 5.0 Build 1221

Xlpd 5.0 Build 1220

PS: There are many download sites in China, and at present they all host the problematic versions listed above.

Behavior characteristics

The backdoored versions initiate requests, and the daily traffic exceeds 8 million. Apart from the official version's mandatory update, it is hard to see any other way to produce such a large volume of data...

Data source: 360 Network Security Research Institute

The domain name's whois information, which has privacy protection enabled:

Data source: 360 Network Security Research Institute

Data is suspected to be transmitted out of band over DNS:

Data source: 360 Network Security Research Institute

Versions without the problem

Xmanager Enterprise Build 1236

Xmanager Build 1049

Xshell Build 1326

Xftp Build 1222

Xlpd Build 1224 (primary)

Solution

  1. Download the latest version from the official website.
  2. If the program was upgraded from a problematic version to the latest version, information may already have been leaked. To be safe, it is recommended to change your passwords. At present it can only be proven that the program obtained user names, host names, network information, etc.; whether other information was taken is still being verified.

Official reply from NetSarang

The 1322 version has a backdoor. We released version 1326 to fix this backdoor problem. Please update now to avoid continuing to be affected by this problem.

Reference sources

360 Network Security Research Institute

360 Tianyan Laboratory

360 Sun Chasing Team

360 Network Security Response Center

360 Threat Intelligence Center

This article is reposted from @Safe passenger.
