9/19/2017
03:00 PM
Simon Marshall

CCleaner Infection Reveals Sophisticated Hack

The hack that put malware on an update of a popular security program was not the work of a first-time malware author.

In mid-July, Avast Software, one of the world's largest security companies, acquired Piriform, the humble creator of CCleaner, the wildly successful PC tune-up utility.

Avast claims to stop about 1 billion security attacks worldwide per month, and has a big cloud-based machine learning engine that sits at the inflow of training data from 400 million live users. CCleaner has about 130 million users. Most are on PC, but 15 million of them are on the Android platform.

A few weeks ago, hackers decided that was a big enough target for a complex infection that dropped its payload through CCleaner and began its activity at an as-yet-unspecified time. It now looks like the operation was planned at least two months ago, in stealth mode, ahead of the acquisition announcement.

Avast says it was notified of an infection on Friday of last week by a private Israeli organization. The company spoke to US law enforcement agencies, and then notified its own customers on Monday morning, following the protocol of investigating and remediating before announcing.

This action potentially saved millions of PCs from the second stage of a one-two punch designed first to gather private device information, and then to check in with a third-party server and deliver a second-stage payload. All that is known is that the second-stage backdoor was capable of launching malicious code on devices after receiving new orders from one or more third-party control servers. Avast has not detected an execution of the second-stage payload and believes that its activation now is unlikely.

Nevertheless, the initial infection went unobserved for so long because of its highly unusual nature: it sat cuckoo-like within the very code of the CCleaner application, delivering its first payload and, had it not been stopped, the second. The infection was threaded into the Piriform CCleaner build server as a line of code within a regularly updated version of CCleaner itself, which was then signed with a digital certificate and left the lab with the sparkling semblance of legitimacy.

Phase one of the attack collected certain information, described by Avast as 'non-sensitive,' from a Windows registry key on the user's machine related to encryption and communications. It also gathered local system information, including the name of the computer, the list of installed software (including Windows updates), a list of running processes, the MAC addresses of network adapters, and finally information about administrator privileges and whether the system was 32-bit or not.

Phase one transmitted this information to a third-party server in the US, which was taken down by Avast on Friday. Apparently, no further information was transmitted to this server after phase one. Paul Yung, vice president of products at Piriform, said in a statement "...that the threat has now been resolved in the sense that the rogue server is down," but there was no further information available about whether, since the server shutdown, users' computers had been affected by anything more than the initial data grab.

Ondrej Vlcek, CTO of Avast, told SecurityNow that the point of the attack was to hurt Avast. "At this point, we don't know how long the infection was in place... but the attackers must have known that Piriform was about to be owned by Avast." He describes the infection as 'very skillfully designed' to remain cloaked and evade the standard procedure for testing new software for weaknesses before it goes out into the wild.

"My view is that whoever designed this (had) carefully analyzed where the backdoors should be, and then added multiple layers and sophistication to the infection," said Vlcek. "It evaded our sandboxing process, and was definitely a very innovative attack. It went unnoticed for about a month."

Interestingly enough, in an apparent tussle to identify who was first -- and most proactive -- to be on top of this infection, Talos, Cisco's threat-intelligence group, says that it initially found the weakness, but Avast disputes this. "This is incorrect. Cisco was not the source of information about this threat. We knew about the threat when they contacted us on [Friday] and had already taken action to stop it."


At this point, Avast reckons that about 700,000 users remain on the infected CCleaner version, out of a total of 2.27 million infections that Avast has declared. Other users were automatically updated to a clean version through the cloud.
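Finding the hosts that have not yet moved off the infected build is the first remediation step for any fleet running CCleaner. The following is an added example, not code from Avast or Piriform: it triages a software-inventory export (a constructed CSV here) by numeric version comparison, so that "7.70.1050" is correctly judged inside an affected range rather than compared as a string. The version bounds are placeholders and must be replaced with the values from the vendor advisory; the hostnames are made up.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Placeholder bounds (NOT taken from the article): replace with the advisory's
# values. Hosts with affected_from <= version < first_clean are treated as
# running the trojanized build.
AFFECTED_FROM = "7.70.1000"
FIRST_CLEAN = "7.71.1100"

# Constructed sample inventory export; hostnames and versions are made up.
SAMPLE_INVENTORY = """hostname,product,version,arch
ws-0101,CCleaner,7.70.1000,x86
ws-0102,CCleaner,7.71.1100,x86
ws-0103,CCleaner,7.70.1000,x64
ws-0104,Notepad++,7.5.1,x86
ws-0105,CCleaner,7.70.1050,x86
ws-0106,ccleaner,7.69.900,x86
ws-0107,CCleaner,unknown,x86
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.70.1000' into (7, 70, 1000); raise ValueError if not numeric."""
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))  # pad so '7.70' compares as (7, 70, 0)

def triage_inventory(csv_text: str, product: str = "CCleaner",
                     affected_from: str = AFFECTED_FROM,
                     first_clean: str = FIRST_CLEAN) -> Dict[str, List[str]]:
    """Bucket hosts running `product`: 'compromised' (inside the affected range),
    'outdated' (older than the range but still below the clean build), 'clean',
    or 'unparseable' (version string could not be read; inspect by hand)."""
    lo, hi = parse_version(affected_from), parse_version(first_clean)
    result: Dict[str, List[str]] = {"compromised": [], "outdated": [], "clean": [], "unparseable": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["product"].strip().lower() != product.lower():
            continue  # other software is out of scope for this check
        try:
            ver = parse_version(row["version"])
        except ValueError:
            result["unparseable"].append(row["hostname"])
            continue
        bucket = "compromised" if lo <= ver < hi else "outdated" if ver < lo else "clean"
        result[bucket].append(row["hostname"])
    for hosts in result.values():
        hosts.sort()
    return result

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```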

When challenged that a Piriform or Avast employee could have launched this attack themselves, Vlcek said there was no further information available at this point.

Now, Piriform faces the dismantling and replacement of its IT organization, as Avast's bigger fist seeks to crush any further security interruptions by, in effect, 'importing' those functions into Avast.

Piriform continues to work with US law enforcement.

— Simon Marshall, Technology Journalist, special to Security Now
