CCleaner Infection Reveals Sophisticated Hack

The hack that put malware on an update of a popular security program was not the work of a first-time malware author.

Simon Marshall, Technology Journalist

September 19, 2017

In mid-July, Avast Software, one of the world's largest security companies, acquired Piriform, the humble creator of CCleaner, the wildly successful PC tune-up utility.

Avast claims to stop about 1 billion security attacks worldwide per month, and has a big cloud-based machine learning engine that sits at the inflow of training data from 400 million live users. CCleaner has about 130 million users. Most are on PC, but 15 million of them are on the Android platform.

A few weeks ago, hackers decided that this was a big enough target for a complex infection that dropped its payload through CCleaner and began its activity at an as-yet-unspecified time. It now looks like the attack was planned at least two months ago, in stealth mode, ahead of the acquisition announcement.

Avast says it was notified of an infection Friday last week from a private Israeli organization. The company spoke to US law enforcement agencies, and then took action to notify its own customers on Monday morning, following the protocol of investigating/remediating before announcing.

This action potentially saved millions of PCs from the second stage of a one-two punch designed first to gather private device information, and then to check in with a third-party server and deliver a second-stage payload. All that is known is that the second-stage backdoor was capable of executing further malicious code on devices after receiving new orders from one or more third-party control servers. Avast has not detected any execution of the second-stage payload and believes that its activation now is unlikely.

Nevertheless, the fact that the initial infection went unobserved for so long is due to the highly unusual nature of the infection, which sat cuckoo-like within the very code of the CCleaner application, delivering its first payload and, had it not been stopped, the second. The infection was threaded into the Piriform CCleaner build server as code within a regularly updated version of CCleaner itself, which was then signed with a digital certificate and left the lab with the sparkling semblance of legitimacy.

Phase one of the attack collected certain information, described by Avast as 'non-sensitive,' from a Windows registry key related to encryption and communications. It also ransacked local system information, including the name of the computer, the list of installed software (including Windows updates), a list of running processes, the MAC addresses of network adapters and, finally, information about administrator privileges and whether the system was 32-bit or not.

Phase one transmitted this information to a third-party server in the US, which was taken down by Avast on Friday. Apparently, no further information was transmitted to this server after phase one. Paul Yung, vice president of products at Piriform, said in a statement "...that the threat has now been resolved in the sense that the rogue server is down," but there was no additional information available about whether users' computers had been affected, beyond the initial data grab, after the server shutdown.

Ondrej Vlcek, CTO of Avast, told SecurityNow that the point of the attack was to hurt Avast. "At this point, we don't know how long the infection was in place... but the attackers must have known that Piriform was about to be owned by Avast." He describes the infection as 'very skillfully designed' to remain cloaked and evade the standard procedure for testing new software for weaknesses before it goes out into the wild.

"My view is that whoever designed this (had) carefully analyzed where the backdoors should be, and then added multiple layers and sophistication to the infection," said Vlcek. "It evaded our sandboxing process, and was definitely a very innovative attack. It went unnoticed for about a month."

Interestingly enough, in an apparent tussle to identify who was first -- and most proactive -- to be on top of this infection, Talos, Cisco's threat-intelligence group, says that it initially found the weakness, but Avast disputes this. "This is incorrect. Cisco was not the source of information about this threat. We knew about the threat when they contacted us on [Friday] and had already taken action to stop it."

At this point, Avast reckons that about 700,000 users remain on the infected CCleaner version, out of a total initial number of 2.27 million Avast-declared user infections. Other users were automatically updated to a clean version through the cloud.

When challenged that a Piriform or Avast employee could have launched this attack themselves, Vlcek said there was no further information available at this point.

Piriform now faces having its IT organization dismantled and replaced, as Avast's bigger fist seeks to head off any further security incidents by bringing Piriform's infrastructure in-house.

Piriform continues to work with US law enforcement.

— Simon Marshall, Technology Journalist, special to Security Now
