Kitz Forum

Announcements => Site Announcements => Topic started by: kitz on September 26, 2017, 09:19:51 AM

Title: CCleaner infected with backdoor trojan
Post by: kitz on September 26, 2017, 09:19:51 AM
CCleaner recently infected millions of PCs with a backdoor trojan after hackers injected malicious code into the most recent software update on Piriform's server.

The attack appears to be two-staged: although in excess of 2 million users had installed the latest version, the trojan then scanned the PC to see if it was on a list of certain domains, at which time it would launch its 2nd payload. The hackers were specifically attempting to target computers belonging to a list of high-profile technology companies and managed to launch stage 2 on at least 20 targeted machines.

This attack is very well thought out and it is quite worrying though for several reasons:

The number of infected copies installed does seem to vary, ranging from "in excess of 2 million" to "many millions", based on the fact that the modified version was available between Aug 15 and Sept 12, when downloads are 5 million per week.

More info - Arstechnica (https://arstechnica.co.uk/information-technology/2017/09/ccleaner-malware-outbreak-is-much-worse-than-it-first-appeared/)
Title: Re: CCleaner infected with backdoor trojan
Post by: kitz on September 26, 2017, 09:30:27 AM
First I knew about it was when my AV told me I was infected with Backdoor:Win32/Floxif.gen!A

Piriform doesn't appear to be very pro-active about the breach and you have to dig quite deep into their site to find information. Whilst they have pushed out automatic updates for users who pay, those with the free version appear to have received no notification.
It seems to have been played down because only 20-70 (depending upon which report you read) got targeted for the main payload. I feel distinctly uncomfortable about the number of machines sat out there with a backdoor on the system.


Whilst the trojan only ran on Win 32 bit systems, registry values were also amended on 64 bit systems.
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

The values in question are:
MUID, TCID and NID

Thinking about it, this could account for the wildly varying figures - I'm only guessing, but based on the info:
If >20 million infected copies were downloaded but it only ran on 32-bit systems, that is perhaps why the figure is >2 million.

For the systems it ran on it gathered the following info:

    Computer name
    A list of installed software, including Windows updates
    A list of the currently running processes
    The MAC addresses of the first three network adapters
    Other system information that is relevant for the malware like admin privileges, whether it is a 64-bit system, etc.

There's also some more technical details here at Malwarebytes (https://blog.malwarebytes.com/security-world/2017/09/infected-ccleaner-downloads-from-official-servers/)
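As an added, read-only check (not code from this thread, Piriform or Avast), this PowerShell script looks for the Agomo registry key and the MUID, TCID and NID values mentioned above, and reports whether an installed CCleaner.exe is older than the 5.34 clean release. The WOW6432Node path and the two default install locations are assumptions; it changes nothing on the machine.

```powershell
# Added example, not from the thread or from Piriform/Avast. Read-only check for
# the HKLM\SOFTWARE\Piriform\Agomo key (values MUID, TCID, NID) and for a CCleaner
# binary older than 5.34, the first clean release.
# Assumptions: the WOW6432Node path is where a 32-bit installer's registry writes
# land on 64-bit Windows; $ExePaths are the default install locations.

$AgomoPaths = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'
)
$ValueNames = 'MUID', 'TCID', 'NID'
$ExePaths = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
)

function Get-AgomoIndicators {
    # One object per registry path that exists, listing which of the three
    # value names are present and their data. Nothing is modified.
    foreach ($path in $AgomoPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        $item  = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $found = @{}
        foreach ($name in $ValueNames) {
            if ($item.PSObject.Properties.Name -contains $name) {
                $found[$name] = $item.$name
            }
        }
        [pscustomobject]@{ Path = $path; Values = $found }
    }
}

function Get-CCleanerVersionStatus {
    # Flags a CCleaner.exe whose file version is below 5.34. The version is built
    # from the numeric parts so locale-specific FileVersion strings do not matter.
    foreach ($exe in $ExePaths) {
        if (-not (Test-Path -Path $exe)) { continue }
        $vi  = (Get-Item -Path $exe).VersionInfo
        $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                         $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Path    = $exe
            Version = $ver
            Suspect = ($ver -lt [version]'5.34')
        }
    }
}

Get-AgomoIndicators
Get-CCleanerVersionStatus
```

An empty result from both functions means neither the key nor an old binary was found at the assumed locations; the key being present on its own only shows the infected installer ran, not that the second stage did.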

Title: Re: CCleaner infected with backdoor trojan
Post by: j0hn on September 26, 2017, 12:36:47 PM
I got infected with this too :( on 2 machines.
Both my main PC and my MSI Gaming laptop were infected. Windows Defender didn't pop up and tell me till 23rd September.

What's really annoying, I did a fresh Windows install a few weeks ago. Within an hour I'd infected myself by installing CCleaner. I used to always spoof the MAC addresses of my network adapters but as it was a fresh install I hadn't got round to it. Intel make it such a pain to do this with their newer drivers, so the MAC of my dual LAN that's attached to my motherboard is out there now.
Why do they collect these MAC addresses? What can they do with them?
I changed my computer name also.

Seems it was loaded on to version 5.33 before CCleaner had even uploaded it for release to the public.
Title: Re: CCleaner infected with backdoor trojan
Post by: sevenlayermuddle on September 26, 2017, 01:52:02 PM
All of this is a good example of why I am wary of allowing any system to auto update itself.

If you are anything like me, by the time a system is a few years old, you’ll have installed all sorts of extra bits n bobs from sources that you trusted at the time.   Given half a chance, much of it will carry on phoning home for updates on a regular basis, long after you’ve forgotten it’s there.  And maybe to websites that have fallen into disrepair, no longer so trustworthy...

The only software on which I allow fully automatic updates is AV but even then, who’s to say somebody won’t manage to poison an AV update one of these days,  even from one of the major AV vendors?    Unlikely, but nothing is impossible, as we’ve now seen.
Title: Re: CCleaner infected with backdoor trojan
Post by: kitz on September 26, 2017, 02:29:52 PM
They're not automatic updates (or at least aren't for the free version).
CCleaner advises you when there's a newer version available at which point you go to their site and download the update direct from their site.

I'm not sure how it advises you of an update - I think it may check after a system restart as I seem to recall getting it after a Windows update reboot. This PC seldom gets rebooted, usually only after a Wupdate, so can quite often go a month or more without a reboot.
Title: Re: CCleaner infected with backdoor trojan
Post by: kitz on September 26, 2017, 02:50:06 PM
Windows Defender didn't pop up and tell me till 23rd September.


It was undetected by most AVs. From what I can make out, only Morphisec first detected some sort of suspicious activity but even they had no idea at the time what was responsible. It wasn't until 12th of Sep that Morphisec advised CCleaner. Despite now being aware and releasing a clean version they still kept this info from the public until the 18th. It still seemed fairly low key though and although they say they pushed out the new versions to those on their subscription service, there has been no notification to the others. As I said earlier I had to scout around their site to find any info. Presumably it was because it was so low key that no updated virus patterns were released until a few days later.

There is a timeline here (https://www.bleepingcomputer.com/news/security/avast-publishes-full-list-of-companies-affected-by-ccleaner-second-stage-malware/) released by bleeping computer yesterday.

Code:
July 3 ⮞ Attackers breach Piriform infrastructure.
July 19 ⮞ Avast announces it bought Piriform, company behind CCleaner.
July 31, 06:32  ⮞  Attackers install C&C server.
August 11, 07:36  ⮞  Attackers initiate data gathering procedures in preparation for August 15 when they poison the CCleaner binary, and later the CCleaner Cloud binary.
August 15 ⮞ Piriform, now part of Avast, releases CCleaner 5.33. The CCleaner 5.33.6162 version was infected with (the Floxif) malware.
August 20 and 21 ⮞ Morphisec's security product detects and stops first instances of CCleaner malicious activity, but they did not have insight into what exactly they stopped.
August 24 ⮞ Piriform releases CCleaner Cloud v1.07.3191 that also included the Floxif trojan.
September 10 20:59  ⮞  C&C server runs out of space and stops data collection. Attackers make a backup of the original database.
September 11 ⮞ Morphisec customers share detection logs detailing CCleaner-related malicious activity with the company's engineers.
September 12 07:56  ⮞  Attackers wipe C&C server.
September 12 08:02  ⮞  Attackers reinstall C&C server.
September 12 ⮞ Morphisec notifies Avast and Cisco of the suspicious CCleaner activity. Avast starts its own investigation and also notifies US law enforcement. Cisco also starts its own investigation.
September 14 ⮞ Cisco notifies Avast of its own findings.
September 15  ⮞  Authorities seize C&C server.
September 15 ⮞ Avast releases CCleaner 5.34 and CCleaner Cloud 1.07.3214. These are clean versions.
September 18 ⮞ CCleaner incident becomes public following Cisco, Morphisec, and Avast/Piriform reports.
September ?? ⮞ ServerCrate provides a copy of the backup server to Avast.

So basically it's been sat on millions of systems undetected for god knows how long. :(
Title: Re: CCleaner infected with backdoor trojan
Post by: j0hn on September 26, 2017, 04:46:53 PM
CCleaner checks for an updated version when you run it.
If there's a new version and you click update it sends you to
https://www.piriform.com/ccleaner/download?upgrade
The download link then takes you to filehippo

However if you remove the ?upgrade at the end of the link it downloads direct from piriform
https://www.piriform.com/ccleaner/download

I always make sure I get the latest version direct from Piriform's own site. What can you do when it's infected before it's even released though?

It was in the Windows Defender definitions for a few days before my system picked it up. I think it was only my scheduled weekly scan that picked it up.
Title: Re: CCleaner infected with backdoor trojan
Post by: jelv on September 26, 2017, 05:24:33 PM
I saw a notification of this on 19th September. I subscribe to http://feeds.feedburner.com/piriform?format=xml
Title: Re: CCleaner infected with backdoor trojan
Post by: ejs on September 26, 2017, 06:15:20 PM
I'm very sceptical about the necessity or even usefulness of any cleaning program. I think it makes more sense to configure your web browser to clear its history rather than getting another program to do it, if that's what you want it for. Or use private browsing mode. Beyond that, there's deleting some files which don't really need to be deleted to save a negligible amount of disk space with the claim of making your computer faster.
Title: Re: CCleaner infected with backdoor trojan
Post by: Chrysalis on September 26, 2017, 08:00:47 PM
another reason to not auto update software.

leave the risk to others I say :)
Title: Re: CCleaner infected with backdoor trojan
Post by: j0hn on September 26, 2017, 08:10:19 PM
As mentioned above CCleaner free edition doesn't have an auto update function.  It notifies of new releases but you need to go to their site and manually download/install it.
Title: Re: CCleaner infected with backdoor trojan
Post by: sevenlayermuddle on September 26, 2017, 08:22:12 PM
As mentioned above CCleaner free edition doesn't have an auto update function.  It notifies of new releases but you need to go to their site and manually download/install it.

I strongly suspect there will be an option to turn off the “check for updates” feature.  And even if it is left enabled, I bet you don’t have to accept its suggestion?

Personally I tend to carefully consider updates to see if there is some benefit for me. Does it fix a security flaw that might affect me? Does it provide some new feature that I actually want? If No and No, I am unlikely to install the update.

But I hasten to add, I know full well I am tempting fate with these comments. What's the betting I'll fall prey to some awful malware tomorrow, that would have been averted if only I'd enabled updates? :D

Title: Re: CCleaner infected with backdoor trojan
Post by: petef on October 03, 2017, 11:26:22 AM
The Avast blog has a good, technical series of articles on their forensic efforts on CCleaner as they unravel.

https://blog.avast.com/topic/security-news