Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Author Topic: CCleaner infected with backdoor trojan  (Read 1165 times)

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 30238
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
CCleaner infected with backdoor trojan
« on: September 26, 2017, 09:19:51 AM »

CCleaner recently infected millions of PC's with a backdoor trojan after hackers injected malicious code into the most recent software update on Piriform's server.

The attack appears to be two staged - although  in excess of 2 million users had installed the latest version, the trojan then scanned the PC to see if it was on a list of certain domains at which time it would launch its 2nd payload. Whilst the hackers were specifically attempting to target computers belonging to a list of high-profile technology companies and managed to launch stage 2 on at least 20 targeted machines.   

This attack is very well thought out and it is quite worrying though for several reasons:
  • There are (or were) at least 2 million PCs out there with an infected copy of CCleaner installed with the backdoor trojan
  • It shows that hackers are always looking for new ways to infect PCs by targeting genuine software servers.  It is believed this is an unprecedented number of downloads for a supply chain type attack.
  • Stage One of the trojan has remained dormant on a few million computers and sat there undetected for several weeks.
  • The attack could easily been much larger - imagine if they had targeted users on specific ISPs (such as BT) rather than a handful of high profile IT firms.
  • Despite this being known about since Sept 12th, there has been very little mention of it.
  • It's only within the past few days that AV programs have started to detect and identify the Virus signature.

Numbers of infected copies installed does seem to vary ranging from in "excess of 2 million" to "many millions" based on the fact that the modified version was available between Aug 15 - Sept 12, where downloads are 5 million per week.

More info - Arstechnica
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 30238
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: CCleaner infected with backdoor trojan
« Reply #1 on: September 26, 2017, 09:30:27 AM »

First I knew about it was when my AV told me I was infected with Backdoor:Win32/Floxif.gen!A

Piriform doesn't appear to be very pro-active about the breach and you have to dig quite deep into their site to find information.   Whilst they have pushed out automatic updates for users who pay, those with the free version appear to have received no notification.   
It seems to have been played down because only 20-70 (depending upon which report you read) got targeted for the main payload.   I feel distinctly uncomfortable about the number of machines out there sat out there with a backdoor on the system.


Whilst the trojan only ran on Win 32 bit systems, registry values were also amended on 64 bit systems.
Code: [Select]
HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

The values in question are:
MUID, TCID and NID

Thinking about it this could account for the wildly varying figures - I'm only guessing but based on info:
If >20 million infected copies were downloaded, but if it only ran on 32 bit systems which is why perhaps the >2 million figure.

For the systems it ran on it gathered the following info

    Computer name
    A list of installed software, including Windows updates
    A list of the currently running processes
    The MAC addresses of the first three network adapters
    Other system information that is relevant for the malware like admin privileges, whether it is a 64-bit system, etc.




There's also some more technical details here at Malwarebytes 

Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

j0hn

  • Reg Member
  • ***
  • Posts: 991
Re: CCleaner infected with backdoor trojan
« Reply #2 on: September 26, 2017, 12:36:47 PM »

I got infected with this too  :( On 2 machines.
Both my main PC and my MSI Gaming laptop were infected. Windows Defender didn't pop up and tell me till 23rd September.

What's really annoying, I did a fresh Windows install a few weeks ago. Within an hour I'd infected myself by installing CCleaner. I used to always spoof the MAC addresses of my Network Adapters but as it was a fresh install I hadn't got round to it. Intel make it such a pain to do this with their newer drivers so the MAC of my dual LAN that's attached to my motherboard is it there now.
Why do they collect these MAC addresses? What can they do with them?
I changed my computer name also.

Seems it was loaded on to version 5.33 before CCleaner had even uploaded it for release to the public.
Logged
BT FTTC 55/10 ECI Huawei Cab - Zyxel VMG1312-B10A bridge mode + Asus RT-AC68U running Asuswrt-Merlin - minted on MDWS via DslStats

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3273
Re: CCleaner infected with backdoor trojan
« Reply #3 on: September 26, 2017, 01:52:02 PM »

All of this is a good example of why I am wary of allowing any system to auto update itself.

If you are anything like me, by the time a system is a few years old, you’ll have installed all sorts of extra bits n bobs from sources that you trusted at the time.   Given half a chance, much of it will carry on phoning home for updates on a regular basis, long after you’ve forgotten it’s there.  And maybe to websites that have fallen into disrepair, no longer so trustworthy...

The only software on which I allow fully automatic updates is AV but even then, who’s to say somebody won’t manage to poison an AV update one of these days,  even from one of the major AV vendors?    Unlikely, but nothing is impossible, as we’ve now seen.
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 30238
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: CCleaner infected with backdoor trojan
« Reply #4 on: September 26, 2017, 02:29:52 PM »

They're not automatic updates (or at least arent for the free version).   
CCleaner advises you when there's a newer version available at which point you go to their site and download the update direct from their site.

I'm not sure how it advises you of an update - I think it may check after a system restart as I seem to recall going getting it after a Windows update reboot.  This PC seldom gets rebooted,  usually only after a Wupdate so can quite often go a month or more without reboot. 
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 30238
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: CCleaner infected with backdoor trojan
« Reply #5 on: September 26, 2017, 02:50:06 PM »

Windows Defender didn't pop up and tell me till 23rd September.


It was undetected by most AVs.  From what I can make out, only Morphisec first detected some sort of suspicious activity but even they had no idea at the time what was responsible.  It wasn't until 12th of Sep that Morphisec advised CCleaner.  Despite now being aware and releasing a clean version they still kept this info from the public until the 18th.  It still seemed fairly low key though and although they say they pushed out the new versions to those on their subscription service, there has been no notification to the others.   As I said earlier I had to scout around their site to find any info.   Presumably because it was so low key that no updated virus patterns were released until a few days later.

There is a timeline here released by bleeping computer yesterday.

Code: [Select]
July 3 ⮞ Attackers breach Piriform infrastructure.
July 19 ⮞ Avast announces it bought Piriform, company behind CCleaner.
July 31, 06:32  ⮞  Attackers install C&C server.
August 11, 07:36  ⮞  Attackers initiate data gathering procedures in preparation for August 15 when they poison the CCleaner binary, and later the CCleaner Cloud binary.
August 15 ⮞ Piriform, now part of Avast, releases CCleaner 5.33. The CCleaner 5.33.6162 version was infected with (the Floxif) malware.
August 20 and 21 ⮞ Morphisec's security product detects and stops first instances of CCleaner malicious activity, but they did not have insight into what exactly they stopped.
August 24 ⮞ Piriform releases CCleaner Cloud v1.07.3191 that also included the Floxif trojan.
September 10 20:59  ⮞  C&C server runs out of space and stops data collection. Attackers make a backup of the original database.
September 11 ⮞ Morphisec customers share detection logs detailing CCleaner-related malicious activity with the company's engineers.
September 12 07:56  ⮞  Attackers wipe C&C server.
September 12 08:02  ⮞  Attackers reinstall C&C server.
September 12 ⮞ Morphisec notifies Avast and Cisco of the suspicious CCleaner activity. Avast starts its own investigation and also notifies US law enforcement. Cisco also starts its own investigation.
September 14 ⮞ Cisco notifies Avast of its own findings.
September 15  ⮞  Authorities seize C&C server.
September 15 ⮞ Avast releases CCleaner 5.34 and CCleaner Cloud 1.07.3214. These are clean versions.
September 18 ⮞ CCleaner incident becomes public following Cisco, Morphisec, and Avast/Piriform reports.
September ?? ⮞ ServerCrate provides a copy of the backup server to Avast.

So basically its been sat on millions of systems undetected for god knows how long.   :(
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

j0hn

  • Reg Member
  • ***
  • Posts: 991
Re: CCleaner infected with backdoor trojan
« Reply #6 on: September 26, 2017, 04:46:53 PM »

CCleaner checks for an updated version when you run it.
If there's a new version and you click update it sends you to
https://www.piriform.com/ccleaner/download?upgrade
The download link then takes you to filehippo

However if you remove the ?upgrade at the end of the link it downloads direct from piriform
https://www.piriform.com/ccleaner/download

I always make sure I get the latest version direct from piriforms own site. What can you do when it's infected before it's even released though.

It was in the Windows Defender definitions for a few days before my system picked it up. I think it was only my scheduled weekly scan that picked it up.
Logged
BT FTTC 55/10 ECI Huawei Cab - Zyxel VMG1312-B10A bridge mode + Asus RT-AC68U running Asuswrt-Merlin - minted on MDWS via DslStats

jelv

  • Helpful
  • Reg Member
  • *
  • Posts: 577
Re: CCleaner infected with backdoor trojan
« Reply #7 on: September 26, 2017, 05:24:33 PM »

I saw a notification of this on 19th September. I subscribe to http://feeds.feedburner.com/piriform?format=xml
Logged
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. Rick Cook, The Wizardry Compiled

ejs

  • Kitizen
  • ****
  • Posts: 1392
Re: CCleaner infected with backdoor trojan
« Reply #8 on: September 26, 2017, 06:15:20 PM »

I'm very sceptical about the necessity or even usefulness of any cleaning program. I think it makes more sense to configure your web browser to clear its history rather than getting another program to do it, if that's what you want it for. Or use private browsing mode. Beyond that, there's deleting some files which don't really need to be deleted to save a negligible amount of disk space with the claim of making your computer faster.
Logged

Chrysalis

  • Content Team
  • Kitizen
  • *
  • Posts: 4947
Re: CCleaner infected with backdoor trojan
« Reply #9 on: September 26, 2017, 08:00:47 PM »

another reason to not auto update software.

leave the risk to others I say :)
Logged
Sky Fiber Pro - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab

j0hn

  • Reg Member
  • ***
  • Posts: 991
Re: CCleaner infected with backdoor trojan
« Reply #10 on: September 26, 2017, 08:10:19 PM »

As mentioned above CCleaner free edition doesn't have an auto update function.  It notifies of new releases but you need to go to their site and manually download/install it.
Logged
BT FTTC 55/10 ECI Huawei Cab - Zyxel VMG1312-B10A bridge mode + Asus RT-AC68U running Asuswrt-Merlin - minted on MDWS via DslStats

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 3273
Re: CCleaner infected with backdoor trojan
« Reply #11 on: September 26, 2017, 08:22:12 PM »

As mentioned above CCleaner free edition doesn't have an auto update function.  It notifies of new releases but you need to go to their site and manually download/install it.

I strongly suspect there will be an option to turn off the “check for updates” feature.  And even if it is left enabled, I bet you don’t have to accept its suggestion?

Personally I tend to carefully consider updates to see if there is some benefit for me.   Does it fix a security flaw that might affect me?  Does it provide some new feature that I actually want?     If No and No, I am unlikely to install the update. 

But I hasten to add, I know full well I am tempting fate with these comments.  What’s the betting I’ll fall prey to some awful malware tmorrow, that would have been averted if only I’d enabled updates?    :D

Logged

petef

  • Member
  • **
  • Posts: 55
Re: CCleaner infected with backdoor trojan
« Reply #12 on: October 03, 2017, 11:26:22 AM »

The Avast blog has a good, technical series of articles on their forensic efforts on CCleaner as they unravel.

https://blog.avast.com/topic/security-news
Logged
 

anything