
CCleaner targeted top tech companies in attempt to lift IP

Silver badge

CCleaner targeted?

I think the virus which infected CCleaner attacked them.

You don't claim "Intel targeted" for every single virus running on x86

3
5
Silver badge

Re: CCleaner targeted?

CCleaner didn't get infected. It's a program. Machines get infected.

I'm not sure what you mean with your Intel analogy.

What appears to have happened here is that some ne'er-do-well has hacked into AVG's house and planted their virus inside the downloadable update for CCleaner.

So AVG and their cleaner program were "targeted", but not by the malware.

I'd still like to know exactly how the malware got in there

14
1

Re: CCleaner targeted?

Agreed. The article title implies the CCleaner app/maker is responsible, whereas the real interest here should be who and why. The article does go into that and raises several interesting points which no doubt are being investigated by several groups, so it seems strange not to make that obvious in the title.

'CCleaner hack targeted top tech companies to lift IP' would have been a far more accurate reflection of content (or some variation if there's some limit on title lengths).

Either way, this story has some way to run yet, and there are also the initial Avast assurances that 'no-one got damaged' which were quick to come out and possibly will be as quick to fall apart.

7
0
Silver badge

Re: CCleaner targeted?

"The article title implies the CCleaner app/maker is responsible"

Well, they share some of the blame for not having better security, but it sounds like they were specifically targeted which is a very difficult thing to defend from.

1
6
Silver badge
Facepalm

Re: CCleaner targeted?

"it sounds like they were specifically targeted which is a very difficult thing to defend from."

A security company being targeted, who would have guessed?

1
0
Anonymous Coward

How did...

CCleaner get infected in the first place?

15
1
Bronze badge

Re: How did...

You haven't been paying attention, have you?

4
9
Anonymous Coward

'You haven't been paying attention, have you?'

We still don't really know much about it dude. Sure we know WHAT happened, but not the HOW, or how Avast let their guard down especially after NotPetya which used a similar attack vector etc...

---------

"Avast cryptographically signs installations and updates for CCleaner, so that no imposter can spoof its downloads without possessing an unforgeable cryptographic key. But the hackers had apparently infiltrated Avast's development or distribution process before that signature occurred, so that the firm was putting its stamp of approval on malware, and pushing it out to consumers."

---------

https://www.wired.com/story/ccleaner-malware-supply-chain-software-security/

13
0
Silver badge

Re: How did...

Inside job on the build server AFAIK.

This falls under "poisoning the software supply chain".

Inb4 "Putin did it and Merkel is next etc."

2
3
Anonymous Coward

"Peoples Republic's timezone"

Also Perth, Western Australia.

But chances are...

4
0


Anonymous Coward

Re: "Peoples Republic's timezone"

But what about....

Canada

2
0
Trollface

Re: "Peoples Republic's timezone"

Oh aye, blame Canada!

10
0
Anonymous Coward

Re: "Peoples Republic's timezone"

It's not even a real country anyway.

8
2
Silver badge

Re: "Peoples Republic's timezone"

"the IP address which the malware phones home to is located in....the USA. Saratoga Springs? Langley?"

Whois says the registrant is in Seattle.

4
0
Silver badge

Re: "Peoples Republic's timezone"

Whois says the registrant is in Seattle.

Blame Amazon

1
0

Re: "Peoples Republic's timezone"

Agreed. The "blame China" key no longer has any paint on it. How about some hard forensics to back up the claims rather than notations about attributes that are meaningless without more fact?

2
1

Re: "Peoples Republic's timezone"

Washington is among the top states for company registration transparency, but still far from good, let alone perfect, see:

https://sunlightfoundation.com/2014/08/14/washington-a-better-practices-state-for-llc-transparency/

For a comparison of how far such measures have to go, one of the top three countries, New Zealand (yeah, from there) only recently passed legislation ending the worst abuses of its foreign trust laws.

All too often, these ranking surveys such as reported in the above article, and similar, such as Transparency International "least corrupt" fail to point out how utterly hopeless existing corporate law is in establishing ultimate beneficiaries.

tl;dr - registration in Seattle may not prove anything?

0
0

Re: "Peoples Republic's timezone"

If I lived in Perth this is the kind of thing desperation would drive me to for entertainment.

0
1


Anonymous Coward

And yet when I suggested the only way to safely fix a malware infected host...

.. was to nuke it all and reimage it from scratch, the downvoting commentards were out in force.

The ONLY way to be sure malware and the subsequent backdoor are removed is to rebuild the machine from scratch. You will also have to reflash the firmware and use disk formatting tools beforehand to be really sure.

14
10
Silver badge

Re: And yet when I suggested the only way to safely fix a malware infected host...

Yeah, but that's a bit of a faff, isn't it. Easier to use a reputable AV and be 99% sure.

I mean, as soon as you plug that shiny new re-flashed, rebuilt, reinstalled PC into the internet you are instantly "not sure" again, so you just wasted 3 or 4 hours.

14
5
Anonymous Coward

Re: And yet when I suggested the only way to safely fix a malware infected host...

Especially if you are running Windows 10 !

Seriously, it would be great if a security bod could carry out a forensic search on a PC subjected to this CCleaner hack, both before and after removing it, then report back whether they've found any remnants anywhere. It's not a 3-4 hour job for most users to re-install Windows and everything else, it's a couple of days, a weekend behind the desk. Yeah I know, images, but in my style of computing those images are never stable for long, better to go for a clean start all over again, and that takes time.

9
2
Silver badge

Re: And yet when I suggested the only way to safely fix a malware infected host...

"the downvoting commentards were out in force."

That might have been because you were suggesting reinstalling Windows.

12
1
Silver badge
Joke

Re: And yet when I suggested the only way to safely fix a malware infected host...

"The ONLY way to be sure malware and the subsequent backdoor are removed is to replace the hard drive, and to rebuild the machine from scratch."

There, FTFY!

0
0

Re: And yet when I suggested the only way to safely fix a malware infected host...

"The ONLY way to be sure malware and the subsequent backdoor are removed is to rebuild the machine from scratch."

That did used to be the case. Unfortunately, these days malware which can persist in the "Mgmt Engine" and/or other attached peripherals seems like it's starting to be a thing.

For reference, if that kind of thing is of interest:

https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668

3
0
Anonymous Coward

Seems odd these companies were using the 32-bit version.

CCleaner is a combined installer for 32-bit/64-bit versions. Given the so-called high-profile targets, why would they be specifically using the 32-bit version? The mitigation story seems to be falling apart, and quickly.

3
0
Anonymous Coward

Re: Seems odd these companies were using the 32Bit version.

They'd use the 32-bit version possibly for better compatibility with other apps. They may also have Win 7 32-bit installed.

2
0
Anonymous Coward

Re: Seems odd these companies were using the 32Bit version.

Another new version released ccleaner535.exe (within 2 days), so they probably found some more malware code.

0
0
Bronze badge

I still don't understand how this happened

You compile the source code

You make it into an MSI

You stick it on your web server

Erm... at what point does it get pwned by malware?

5
1
Silver badge

Re: I still don't understand how this happened

I also wondered that.

The only thing I can imagine is that someone pwned the webserver enough that they could swap the compiled MSI for their own.

I don't know how hard it would be to fool the client CCleaner that it got its update, but it could certainly unload the malware.

Think about it: every malware writer's wet dream is a surefire "infection vector" (is that the buzzword?) that doesn't rely on some idiot clicking on an attachment, as is the route 99% of the time. As such, anyone who's hacked into the servers of a massively popular program that updates regularly is in an enviable position. (Bonus points if it's an AV company!)

I bet that CCleaner access was sold on the 'black hat market' rather than perpetrated by the same people who made the payload.

1
2
Silver badge

Re: I still don't understand how this happened

We'd all like to know how. They could have corrupted the source directly, corrupted the build processes, or patched and resigned the executable. But as security gets tighter, these kind of attacks are going to get more prevalent.

3
0
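The point in the Wired quote further up (the signature was applied after the build had already been tampered with) and the three routes the comment just above lists (corrupt the source, corrupt the build, or patch and re-sign) can be shown in a few lines. This is an added example, not code from Avast, Piriform, Talos or any commenter: HMAC-SHA256 stands in for Authenticode signing, a byte string stands in for the compiled binary, and the key and source are constructed. A build trojaned on the build host passes signature verification exactly as a clean one does; only rebuilding the same source on an independent, clean builder and comparing hashes tells them apart. Patching the binary after signing, by contrast, fails verification, which is the case signing actually covers (unless the signing key itself has been stolen, which collapses back to the first case).

```python
"""Why a valid code signature does not prove the build is clean.

Added example, not code from Avast, Piriform, Talos or the commenter.
HMAC-SHA256 stands in for Authenticode signing and a byte string stands
in for the compiled binary; both are constructed so the script runs with
the standard library alone.  The trust model is unchanged: the vendor
holds the key, the client only checks the tag.
"""
import hashlib
import hmac

VENDOR_SIGNING_KEY = b"vendor-signing-key-constructed-for-demo"


def compile_release(source: bytes, build_host_compromised: bool = False) -> bytes:
    """Constructed 'compiler': header + source hash + source.

    With build_host_compromised=True an attacker on the build server
    splices a loader into the output before the release step signs it.
    """
    binary = b"MZ-HEADER" + hashlib.sha256(source).digest() + source
    if build_host_compromised:
        binary += b"\x00[stage1 loader: beacon to C2, fetch stage 2]"
    return binary


def sign(artifact: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bytes:
    """Release step: signs whatever the build server handed over."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify_signature(artifact: bytes, tag: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bool:
    """What the updater/installer checks on the client."""
    return hmac.compare_digest(sign(artifact, key), tag)


def matches_clean_rebuild(artifact: bytes, source: bytes) -> bool:
    """Rebuild the same source on an independent, clean builder and compare
    hashes.  This is the only check here that looks at provenance rather
    than at who signed the bytes."""
    expected = hashlib.sha256(compile_release(source)).hexdigest()
    return hashlib.sha256(artifact).hexdigest() == expected


def release(source: bytes, build_host_compromised: bool = False):
    """Build then sign, as a vendor pipeline does."""
    artifact = compile_release(source, build_host_compromised)
    return artifact, sign(artifact)


def audit(source: bytes, build_host_compromised: bool = False) -> dict:
    """Run both checks against one release and report each separately."""
    artifact, tag = release(source, build_host_compromised)
    return {
        "signature_valid": verify_signature(artifact, tag),
        "matches_clean_rebuild": matches_clean_rebuild(artifact, source),
    }


def tampered_after_signing(source: bytes) -> bool:
    """Contrast case: patching the binary after signing breaks the tag,
    which is the attack the signature actually defends against (unless
    the signing key itself has been stolen)."""
    artifact, tag = release(source)
    return verify_signature(artifact + b"\x00[patched later]", tag)


if __name__ == "__main__":
    src = b"int main(void) { return clean_registry(); }"
    print("clean build:        ", audit(src))
    print("compromised builder:", audit(src, build_host_compromised=True))
    print("patched after signing verifies:", tampered_after_signing(src))
```

The takeaway for an update client is that a good signature answers "did the vendor's key sign these bytes", not "did these bytes come from the vendor's source"; the second question needs a reproducible build or at least an out-of-band hash published from a system the build server cannot write to.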
Bronze badge

Re: I still don't understand how this happened

Good grief... where are the InfoSec professionals?

Stop being so lazy. You should at least be able to understand how to work a search engine to find out the details of what happened; without going, "Duh... I don't get it".

This was an attack on the supply chain. You may want to learn a lot more about these types of attacks. They aren't new. In fact, supply chain attacks on computers have been going on since the late 60s, and really took off during the 80s.

Imagine what you can do if you, as a hacker, can gain control of a third party download server which provides new applications as well as updates/upgrades. For instance, you can add your own malicious packages to the applications and libraries being downloaded. Very stealthy, and the consumer presses the "OKAY" button to let it run with system (or similar) permissions. The attack becomes even more deadly, because it's a well known and trusted application.

...get it yet?

There are many third party download server services available (for hire) which aren't owned or controlled by the actual software vendor. If you've downloaded an application from the Internet, it's very likely you've used one.

1
2
Holmes

Re: I still don't understand how this happened

@Aodhhan - "Stop being so lazy."

Chill. It's a discussion forum. People are discussing it.

2
0
Silver badge

I'm sorry, but this recommendation is simply not acceptable.

With the update to CCleaner, software should be included that totally removes all malware that could have been introduced by the infected versions in a transparent manner that does not risk losing data, or require the user to re-install any programs on the system. It should be possible to clean the affected systems in a 100% safe manner that also imposes no inconvenience or effort.

Of course, admittedly, that may not be technically possible. Eventually, when the regime in China falls, if indeed the people behind this crime are there, they should face a severe penalty so that no one ever again will think to tamper with computers belonging to innocent other people.

0
11
Silver badge

"they should face a severe penalty so that no one ever again will think to tamper with computers belonging to innocent other people."

So, execution for a first-offence, exorcism for repeat offenders?

12
0
Silver badge

"With the update to CCleaner, software should be included that totally removes all malware that could have been introduced by the infected versions"

Easier said than done. CCleaner phoned home to a server and that server would have supplied the real payload. It's not possible to determine what that was simply by looking at the rogue CCleaner. It's not even possible to be certain by looking at the server; even if the server is sufficiently accessible to determine what it's hosting now that might not be what it had before Talos investigated.

12
0
Silver badge

Fitness for purpose

>It's not possible to determine what that was simply by looking at the rogue CCleaner.

And yet cleaning all the cr*p out of your Windows is in the name of the product.

0
3
Silver badge

"Eventually, when the regime in China falls"

Too bad "CCleaner" can't remove that virus.

0
2

Detecting the malware

What I did find interesting was that Avast's own anti-virus software failed to detect the malware with a full scan, but Windows defender found it quite happily - and then removed it.

7
0
Anonymous Coward

Re: Detecting the malware

Windows 10 1607 Defender also now marking/(quarantined) the original CCsetup533.exe as having Backdoor:Win32/Floxit infection.

3
0
Anonymous Coward

Re: Detecting the malware

Our Sophos SBE says the following for the main program executable:

File "C:\program files\CCleaner\CCleaner.exe" belongs to virus/spyware 'Troj/Mogoa-A'.

0
0
Stop

Is it just me....

Or was the infection vector unsuitable for the payload? As I understand the infection, it provided the details of the host machine and only if it was part of a particular corporation would the infected machine be used. Is CCleaner used at any of the corporations targeted, as I would assume only small companies and individuals were customers/users?

0
0

Re: Is it just me....

The vector (supply chain attack on popular but relatively small software packages) is proving suitable several ways. The CCleaner attack appears to have successfully loaded secondary content on to some of the select companies targeted (http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html) and there have been other successful attacks in recent months (MeDoc in Ukraine and Netsarang in South Korea).

Seems likely that more of this is going to occur - anywhere there is an implicit trust relationship between a vendor and a user, where there is a decent chance that user is going to have elevated access in relevant targets, that supply chain is going to be probed.

4
0
Silver badge

Re: Is it just me....

"I would assume only small companies and individuals were customers/users?"

Once you are inside the corporate network security is generally much weaker.

So you only need one developer / CxO / salesperson with either root access on their work machine or permission to connect a personal machine to the network and ....

0
0
Bronze badge
Meh

Restore from backups or reimage.

"...should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system."

Only true if the backups are clean. Seen restores of backed up malware before.

0
0
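The comment above (restores are only safe if the backup is clean) and the earlier one noting that the real payload came from the C2 server and cannot be recovered from the rogue CCleaner itself both bear on how a restore point is chosen. This is an added example, not from the Talos advisory or either commenter: it checks each backup manifest against known-bad hashes, and it also rejects any backup taken after the tampered build became available even when no indicator matches, because the second stage is unknowable from the installer alone. The indicator hashes, the window start date and the backup manifests are all constructed placeholders; take the real values from the vendor advisory.

```python
"""Picking a backup that is actually safe to restore from.

Added example, not from the Talos advisory or either commenter.  A backup
captured after the trojaned build reached the machine may already hold the
backdoor, and since the second-stage payload came from the C2 server its
hashes may be unknown, so a post-compromise backup is rejected even when no
known-bad hash is found.  Indicator hashes, the window start date and the
backup manifests below are all constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed stand-ins: real IOC hashes come from the vendor/Talos advisory.
KNOWN_BAD_SHA256 = {
    "1111" * 16: "backdoored installer (constructed hash)",
    "2222" * 16: "stage-1 loader dropped by it (constructed hash)",
}

# Assumed date the tampered build became available; substitute the date
# from the vendor advisory, this value is a placeholder for the demo.
COMPROMISE_START = date(2017, 8, 15)


@dataclass
class Backup:
    label: str
    taken: date
    manifest: Dict[str, str] = field(default_factory=dict)  # path -> sha256 hex


def ioc_hits(b: Backup) -> List[str]:
    """Paths in the backup whose hash matches a known-bad indicator."""
    return sorted(p for p, h in b.manifest.items() if h in KNOWN_BAD_SHA256)


def verdict(b: Backup) -> str:
    """'clean', 'ioc:<paths>' or 'in-window' (second stage unknowable)."""
    hits = ioc_hits(b)
    if hits:
        return "ioc:" + ",".join(hits)
    if b.taken >= COMPROMISE_START:
        return "in-window"
    return "clean"


def choose_restore_point(backups: List[Backup]) -> Optional[Backup]:
    """Newest backup that predates the compromise and carries no indicator."""
    clean = [b for b in backups if verdict(b) == "clean"]
    return max(clean, key=lambda b: b.taken) if clean else None


# Constructed backup set for the demo (paths and hashes are made up).
SAMPLE_BACKUPS = [
    Backup("weekly-0701", date(2017, 7, 1),
           {"C:/Program Files/CCleaner/CCleaner.exe": "abcd" * 16}),
    Backup("weekly-0810", date(2017, 8, 10),
           {"C:/Program Files/CCleaner/CCleaner.exe": "abcd" * 16}),
    Backup("weekly-0820", date(2017, 8, 20),
           {"C:/Users/x/Downloads/ccsetup533.exe": "1111" * 16}),
    Backup("weekly-0920", date(2017, 9, 20),
           {"C:/Program Files/CCleaner/CCleaner.exe": "eeee" * 16}),
]

if __name__ == "__main__":
    for b in SAMPLE_BACKUPS:
        print(b.label, verdict(b))
    chosen = choose_restore_point(SAMPLE_BACKUPS)
    print("restore from:", chosen.label if chosen else "nothing is trustworthy")
```

Run against the constructed set, the 20 August backup is rejected on the indicator hit and the 20 September one on the date alone, and the 10 August backup is chosen over the older 1 July one. If no backup predates the window, the function returns None and the honest answer is the rebuild the earlier commenters argued about.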

Blaming Avast is a Little Unfair

Since the attack on CCleaner happened only a few weeks after Avast finalized the sale, I think the click-bait titles I've seen are just a bit unfair. From what I read, it looks like CCleaner was the only one signing certs for their own products, which is still a stand-alone company "owned by Avast", and likely one of their own employees was hacked to make this attack happen.

0
1
Silver badge
Terminator

Malware made its way into CCleaner

How did this malware make its way into CCleaner and what are the names of the machines it infects?

0
0

Disable Auto-Updating

This is a good reason to keep user control of updating.

0
0
Bronze badge

LOL.....

D-Link, who the hell would want access to their half-assed IP.

0
0



The Register - Independent news and views for the tech community. Part of Situation Publishing