CCleaner infected with backdoor trojan

kitz:
CCleaner recently infected millions of PCs with a backdoor trojan after hackers injected malicious code into the most recent software update on Piriform's server.

The attack appears to be two-staged - although in excess of 2 million users had installed the latest version, the trojan then scanned the PC to see if it was on a list of certain domains, at which time it would launch its 2nd payload. The hackers were specifically attempting to target computers belonging to a list of high-profile technology companies and managed to launch stage 2 on at least 20 targeted machines.

This attack is very well thought out and it is quite worrying though for several reasons:

* There are (or were) at least 2 million PCs out there with an infected copy of CCleaner installed with the backdoor trojan
* It shows that hackers are always looking for new ways to infect PCs by targeting genuine software servers.  It is believed this is an unprecedented number of downloads for a supply chain type attack.
* Stage One of the trojan has remained dormant on a few million computers and sat there undetected for several weeks.
* The attack could easily have been much larger - imagine if they had targeted users on specific ISPs (such as BT) rather than a handful of high profile IT firms.
* Despite this being known about since Sept 12th, there has been very little mention of it.
* It's only within the past few days that AV programs have started to detect and identify the Virus signature.
The number of infected copies installed does seem to vary, ranging from "in excess of 2 million" to "many millions", based on the fact that the modified version was available between Aug 15 - Sept 12, where downloads are 5 million per week.

More info - Arstechnica

kitz:
First I knew about it was when my AV told me I was infected with Backdoor:Win32/Floxif.gen!A

Piriform doesn't appear to be very pro-active about the breach and you have to dig quite deep into their site to find information. Whilst they have pushed out automatic updates for users who pay, those with the free version appear to have received no notification.
It seems to have been played down because only 20-70 (depending upon which report you read) got targeted for the main payload. I feel distinctly uncomfortable about the number of machines out there sat with a backdoor on the system.


Whilst the trojan only ran on Win 32 bit systems, registry values were also amended on 64 bit systems.

--- Code: ---HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

The values in question are:
MUID, TCID and NID
--- End code ---

Thinking about it, this could account for the wildly varying figures - I'm only guessing, but based on the info:
If >20 million infected copies were downloaded but it only ran on 32 bit systems, that is perhaps why the figure is >2 million.

For the systems it ran on it gathered the following info:

    Computer name
    A list of installed software, including Windows updates
    A list of the currently running processes
    The MAC addresses of the first three network adapters
    Other system information that is relevant for the malware like admin privileges, whether it is a 64-bit system, etc.

There's also some more technical details here at Malwarebytes 
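The registry key and the three value names quoted above are the one host indicator this thread gives, so here is an added example (not from the thread or from Piriform) that scans a registry export for them. It assumes the export is a `.reg` text file produced from `regedit` or `reg export`, and the value data in the sample is constructed, not a real indicator.

```python
import re
from typing import Dict, List

# Key and value names are those quoted in the thread; the data in the sample
# below is constructed and carries no meaning of its own.
AGOMO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo"
AGOMO_VALUES = ("MUID", "TCID", "NID")

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")          # [HKEY_...\Sub\Key]
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')     # "Name"=data

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: returns {key_path: {value_name: raw_data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys

def find_agomo_indicators(text: str) -> List[str]:
    """Agomo value names present in the export; [] means the indicator is absent.
    Key and value matching is case-insensitive because the registry is."""
    for key, values in parse_reg_export(text).items():
        if key.lower() == AGOMO_KEY.lower():
            present = {v.upper() for v in values}
            return [v for v in AGOMO_VALUES if v in present]
    return []

# Constructed sample export: one benign key plus the Agomo key from the thread.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\CCleaner]
"Version"="5.33"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo]
"MUID"="00000000000000000000000000000000"
"TCID"=dword:00000000
"NID"=hex:00,00
"""
```

Run it on a real export with `find_agomo_indicators(open("export.reg", encoding="utf-16").read())`; `regedit` writes UTF-16 by default, so the encoding matters.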

j0hn:
I got infected with this too  :( On 2 machines.
Both my main PC and my MSI Gaming laptop were infected. Windows Defender didn't pop up and tell me till 23rd September.

What's really annoying, I did a fresh Windows install a few weeks ago. Within an hour I'd infected myself by installing CCleaner. I used to always spoof the MAC addresses of my Network Adapters but as it was a fresh install I hadn't got round to it. Intel make it such a pain to do this with their newer drivers so the MAC of my dual LAN that's attached to my motherboard is there now.
Why do they collect these MAC addresses? What can they do with them?
I changed my computer name also.

Seems it was loaded on to version 5.33 before CCleaner had even uploaded it for release to the public.

sevenlayermuddle:
All of this is a good example of why I am wary of allowing any system to auto update itself.

If you are anything like me, by the time a system is a few years old, you’ll have installed all sorts of extra bits n bobs from sources that you trusted at the time.   Given half a chance, much of it will carry on phoning home for updates on a regular basis, long after you’ve forgotten it’s there.  And maybe to websites that have fallen into disrepair, no longer so trustworthy...

The only software on which I allow fully automatic updates is AV but even then, who’s to say somebody won’t manage to poison an AV update one of these days,  even from one of the major AV vendors?    Unlikely, but nothing is impossible, as we’ve now seen.

kitz:
They're not automatic updates (or at least aren't for the free version).
CCleaner advises you when there's a newer version available at which point you go to their site and download the update direct from their site.

I'm not sure how it advises you of an update - I think it may check after a system restart as I seem to recall getting it after a Windows update reboot. This PC seldom gets rebooted, usually only after a Wupdate, so can quite often go a month or more without reboot.
