Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV

// // //
9/19/2017
03:00 PM
Simon Marshall
Simon Marshall
Simon Marshall

CCleaner Infection Reveals Sophisticated Hack

The hack that put malware on an update of a popular security program was not the work of a first-time malware author.

In mid-July, Avast Software, one of the world's largest security companies, acquired Piriform, the humble creator of CCleaner, the wildly successful PC tune-up utility.

Avast claims to stop about 1 billion security attacks worldwide per month, and has a big cloud-based machine learning engine that sits at the inflow of training data from 400 million live users. CCleaner has about 130 million users. Most are on PC, but 15 million of them are on the Android platform.

A few weeks ago, hackers decided that was a big enough target for a complex infection which dropped its payload through CCleaner and began activity at an as-yet-unspecified time. It now looks like it was planned at least two months ago, in stealth mode, in advance of the acquisition announcement.

Avast says it was notified of an infection Friday last week from a private Israeli organization. The company spoke to US law enforcement agencies, and then took action to notify its own customers on Monday morning, following the protocol of investigating/remediating before announcing.

This action potentially saved millions of PCs from the second stage of a one-two punch designed to first gather private device information, and then secondly to check-in with a third-party server and deliver a second-stage payload. All we know is that the second stage backdoor was capable of launching deviant code on devices after receiving new orders from a third-party control server(s). Avast has not detected an execution of the second stage payload and believes that its activation now is unlikely.

Nevertheless, the fact the initial infection went unobserved for so long is due to the highly unusual nature of the infection, which sat cuckoo-like within the very code for the CCleaner application, delivering its first payload, and then the second had it not been stopped. The infection was threaded into the Piriform CCleaner build server as a line of code within a regularly updated version of CCleaner itself, which was then assigned a digital certificate and left the lab with the sparkling semblance of legitimacy.

Phase one of the attack collected certain information described by Avast as 'non-sensitive,' from a user's Windows registry key related to encryption and communications. It also ransacked local system information including the name of the computer, the list of installed software -- including Windows updates, a list of running processes, MAC addresses of network adapters and finally information about administrator privileges and whether the system was 32bit or not.

Phase one transmitted this information to a third-party server in the US, which was taken down by Avast on Friday. Apparently, no further information was transmitted to this server after phase one. Paul Yung, vice president of products at Piriform, said in a statement "...that the threat has now been resolved in the sense that the rogue server is down," but there was no additional available information about whether users' computers had been affected after the server shut-down with anything more than the initial data grab.

Ondrej Vlcek, CTO of Avast, told SecurityNow that the point of the attack was to hurt Avast. "At this point, we don't know how long the infection was in place... but the attackers must have known that Piriform was about to be owned by Avast." He describes the infection as 'very skillfully designed' to remain cloaked and evade the standard procedure for testing new software for weaknesses before it goes out into the wild.

"My view is that whoever designed this (had) carefully analyzed where the backdoors should be, and then added multiple layers and sophistication to the infection," said Vlcek. "It evaded our sandboxing process, and was definitely a very innovative attack. It went unnoticed for about a month."

Interestingly enough, in an apparent tussle to identify who was first -- and most proactive -- to be on top of this infection, Talos, Cisco's threat-intelligence group, says that it initially found the weakness, but Avast disputes this. "This is incorrect. Cisco was not the source of information about this threat. We knew about the threat when they contacted us on [Friday] and had already taken action to stop it."


Want to learn more about the technology and business opportunities and challenges for the cable industry in the commercial services market? Join Light Reading in New York on November 30 for the 11th annual Future of Cable Business Services event. All cable operators and other service providers get in free.

At this point, Avast reckons that about 700,000 users remain on the CCleaner version number that was infected of a total initial number of 2.27m Avast-declared user infections. Other users were automatically updated to a clean version through the cloud.

When challenged that a Piriform or Avast employee could have launched this attack themselves, Vlcek said there was no further information available at this point.

Now, Piriform faces the dismantling of its IT organization and replacement as Avast's bigger fist seeks to crush any further security interruptions by seemingly 'importing' them.

Piriform continues to work with US law enforcement.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-10075
PUBLISHED: 2023-02-07
A vulnerability was found in Custom-Content-Width 1.0. It has been declared as problematic. Affected by this vulnerability is the function override_content_width/register_settings of the file custom-content-width.php. The manipulation leads to cross site scripting. The attack can be launched remotel...
CVE-2022-21948
PUBLISHED: 2023-02-07
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in paste allows remote attackers to place Javascript into SVG files. This issue affects: openSUSE paste paste version b57b9f87e303a3db9465776e657378e96845493b and prior versions.
CVE-2015-10074
PUBLISHED: 2023-02-07
A vulnerability was found in OpenSeaMap online_chart 1.2. It has been classified as problematic. Affected is the function init of the file index.php. The manipulation of the argument mtext leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version staging is ab...
CVE-2022-31254
PUBLISHED: 2023-02-07
A Incorrect Default Permissions vulnerability in rmt-server-regsharing service of SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise Server for SAP 15-SP1, SUSE Manager Server 4.1; openSUSE Leap 15.3, openSUSE Leap 15.4 allows local attackers with access to the _rmt user to escalate to r...
CVE-2023-0706
PUBLISHED: 2023-02-07
A vulnerability, which was classified as critical, has been found in SourceCodester Medical Certificate Generator App 1.0. Affected by this issue is some unknown functionality of the file manage_record.php. The manipulation of the argument id leads to sql injection. The attack may be launched remote...