Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV

9/19/2017
03:00 PM
Simon Marshall
Simon Marshall
Simon Marshall
50%
50%

CCleaner Infection Reveals Sophisticated Hack

The hack that put malware on an update of a popular security program was not the work of a first-time malware author.

In mid-July, Avast Software, one of the world's largest security companies, acquired Piriform, the humble creator of CCleaner, the wildly successful PC tune-up utility.

Avast claims to stop about 1 billion security attacks worldwide per month, and has a big cloud-based machine learning engine that sits at the inflow of training data from 400 million live users. CCleaner has about 130 million users. Most are on PC, but 15 million of them are on the Android platform.

A few weeks ago, hackers decided that was a big enough target for a complex infection which dropped its payload through CCleaner and began activity at an as-yet-unspecified time. It now looks like it was planned at least two months ago, in stealth mode, in advance of the acquisition announcement.

Avast says it was notified of an infection Friday last week from a private Israeli organization. The company spoke to US law enforcement agencies, and then took action to notify its own customers on Monday morning, following the protocol of investigating/remediating before announcing.

This action potentially saved millions of PCs from the second stage of a one-two punch designed to first gather private device information, and then secondly to check-in with a third-party server and deliver a second-stage payload. All we know is that the second stage backdoor was capable of launching deviant code on devices after receiving new orders from a third-party control server(s). Avast has not detected an execution of the second stage payload and believes that its activation now is unlikely.

Nevertheless, the fact the initial infection went unobserved for so long is due to the highly unusual nature of the infection, which sat cuckoo-like within the very code for the CCleaner application, delivering its first payload, and then the second had it not been stopped. The infection was threaded into the Piriform CCleaner build server as a line of code within a regularly updated version of CCleaner itself, which was then assigned a digital certificate and left the lab with the sparkling semblance of legitimacy.

Phase one of the attack collected certain information described by Avast as 'non-sensitive,' from a user's Windows registry key related to encryption and communications. It also ransacked local system information including the name of the computer, the list of installed software -- including Windows updates, a list of running processes, MAC addresses of network adapters and finally information about administrator privileges and whether the system was 32bit or not.

Phase one transmitted this information to a third-party server in the US, which was taken down by Avast on Friday. Apparently, no further information was transmitted to this server after phase one. Paul Yung, vice president of products at Piriform, said in a statement "...that the threat has now been resolved in the sense that the rogue server is down," but there was no additional available information about whether users' computers had been affected after the server shut-down with anything more than the initial data grab.

Ondrej Vlcek, CTO of Avast, told SecurityNow that the point of the attack was to hurt Avast. "At this point, we don't know how long the infection was in place... but the attackers must have known that Piriform was about to be owned by Avast." He describes the infection as 'very skillfully designed' to remain cloaked and evade the standard procedure for testing new software for weaknesses before it goes out into the wild.

"My view is that whoever designed this (had) carefully analyzed where the backdoors should be, and then added multiple layers and sophistication to the infection," said Vlcek. "It evaded our sandboxing process, and was definitely a very innovative attack. It went unnoticed for about a month."

Interestingly enough, in an apparent tussle to identify who was first -- and most proactive -- to be on top of this infection, Talos, Cisco's threat-intelligence group, says that it initially found the weakness, but Avast disputes this. "This is incorrect. Cisco was not the source of information about this threat. We knew about the threat when they contacted us on [Friday] and had already taken action to stop it."


Want to learn more about the technology and business opportunities and challenges for the cable industry in the commercial services market? Join Light Reading in New York on November 30 for the 11th annual Future of Cable Business Services event. All cable operators and other service providers get in free.

At this point, Avast reckons that about 700,000 users remain on the CCleaner version number that was infected of a total initial number of 2.27m Avast-declared user infections. Other users were automatically updated to a clean version through the cloud.

When challenged that a Piriform or Avast employee could have launched this attack themselves, Vlcek said there was no further information available at this point.

Now, Piriform faces the dismantling of its IT organization and replacement as Avast's bigger fist seeks to crush any further security interruptions by seemingly 'importing' them.

Piriform continues to work with US law enforcement.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20934
PUBLISHED: 2020-11-28
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
CVE-2020-29368
PUBLISHED: 2020-11-28
An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
CVE-2020-29369
PUBLISHED: 2020-11-28
An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.
CVE-2020-29370
PUBLISHED: 2020-11-28
An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.
CVE-2020-29371
PUBLISHED: 2020-11-28
An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.