New version of CC Cleaner has trojan

wvjohn
Posts: 9238
Joined: Wed Nov 22, 2000 7:09 am


Post by wvjohn »

Sure hope Best Buy gets word since it's their #1 go-to.

A software package update for a Windows utility product distributed by antivirus vendor Avast has been spreading an unsavory surprise: a malware package that could allow affected computers to be remotely accessed or controlled with what appears to be a legitimate signing certificate. The malware, which was distributed through the update server for the Windows cleanup utility CCleaner, was apparently inserted by an attacker who compromised the software "supply chain" of Piriform, which was acquired by Avast in July. There have been more than 2 billion downloads of CCleaner worldwide, so the potential impact of the malware is huge.

Software updates are increasingly being targeted by distributors of malware, because they provide a virtually unchecked path to infect millions—or even billions—of computers. A compromised software update server for Ukraine software vendor M.E.Doc was used to distribute the NotPetya ransomware attack in July. "Watering hole" attacks, such as the ones used against Facebook, Apple, and Twitter four years ago, are often used to compromise the computers used by software developers. When successful, they can give malware authors what amounts to the keys to the software developer's kingdom—their compilation tools and signing certificates, as well as access to their workflow for software updates.

In a blog post this morning, Cisco Talos Intelligence's Edmund Brumaghin, Ross Gibb, Warren Mercer, Matthew Molyett, and Craig Williams reported that Talos had detected the malware during beta testing of a new exploit-detection technology. The malware was part of the signed installer for CCleaner v5.3 and included code that called back to a command-and-control server as well as a domain-generation algorithm intended to find a new C&C server if the hard-coded IP address of the primary server was lost. Copies of the malicious software installer were distributed to CCleaner users between August 15 and September 12, 2017, using a valid certificate issued to Piriform Ltd by Symantec.

Talos registered all of the domains associated with the algorithm, which had not been previously configured, to "black hole" the malware and prevent it from reestablishing communications in the future. The hard-coded IP address pointed to a server at the virtual dedicated hosting service ServerCrate, which was taken down after the malware was reported to Avast.

The malware checked to see if it was running with administrative privileges and shut down if it was not. It also went into a timed "sleep" mode if it did not get a response from a secure HTTP request to the primary C&C server. In cases where the samples found by Talos did successfully communicate with the C&C server, they would generate a system profile of the computer they had infected and post it back to the server. They would then retrieve shellcode from the server to execute locally and then clear the code from memory. It's not apparent what type of remote code may have been executed on infected systems.

A diagram of how the CCleaner-attached malware discovered by Talos works.
Cisco Talos
A bug in the malware code prevented the software from using the IP address created by the domain-generation algorithm—the code never accessed the address it created and may have simply been an incomplete feature intended to be updated later. The malware code for the algorithm would look for the DNS records of the domains generated by the algorithm based on the date for two IP addresses and then perform a calculation using the values of the two addresses to find another IP address. This would have made discovery of the actual second C&C server through DNS request monitoring difficult at best.
FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: New version of CC Cleaner has trojan

Post by FlyingPenguin »

The affected version was 5.33. I'm still using the portable 5.32 version on my toolkit flash drive because - and what just happened reinforces that - I never like to jump on the latest version of any tool.

It also only compromised the 32-bit version, which almost no one uses anymore.

https://forum.piriform.com/index.php?showtopic=48869
"Turns out I’m 'woke.' All along, I thought I was just compassionate, kind, and good at history. "
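
As an added example (not part of either post, and not Piriform or Talos code), this Python sketch triages a CCleaner executable offline against the details given in the thread: version 5.33, 32-bit only. The function names and the byte-built sample are constructed for illustration, and a match identifies the build by version and architecture only.

```python
import struct

# Assumptions from the thread: affected build is CCleaner 5.33, 32-bit only.
AFFECTED_VERSION = (5, 33)
IMAGE_FILE_MACHINE_I386 = 0x014C
VS_FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)  # VS_FIXEDFILEINFO marker


def pe_machine(data: bytes) -> int:
    """Return the COFF Machine field; raise ValueError if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def file_version(data: bytes):
    """Return (major, minor, build, revision) from the version resource, or None."""
    # Heuristic: scan for the fixed-info marker instead of walking the resource tree.
    pos = data.find(VS_FFI_SIGNATURE)
    if pos < 0 or pos + 16 > len(data):
        return None
    # Layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    ms, ls = struct.unpack_from("<II", data, pos + 8)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def triage(data: bytes) -> str:
    """Classify an executable image as 'affected', 'not-affected' or 'unknown'."""
    try:
        machine = pe_machine(data)
    except ValueError:
        return "unknown"
    version = file_version(data)
    if version is None:
        return "unknown"
    if version[:2] == AFFECTED_VERSION and machine == IMAGE_FILE_MACHINE_I386:
        return "affected"
    return "not-affected"


def make_sample(machine: int, major: int, minor: int) -> bytes:
    """Build a constructed, minimal PE-like byte string (demo input only)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    ffi = VS_FFI_SIGNATURE + struct.pack("<III", 0x10000, (major << 16) | minor, 0)
    return dos + coff + ffi
```

To check a real file, pass its bytes: `triage(open(path, "rb").read())`. Because the installer in question carried a valid signature, a signature check alone would not have separated it from a clean build, which is why this keys on version and architecture instead.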
