Avast urges devs to secure toolchains after hacked build box led to CCleaner disaster

Anonymous Coward

CC Cleaner is an enterprise tool?

IME, third-party optimisation tools like CC Cleaner are STRONGLY disapproved of by enterprise IT teams and ITSec staff. For home users and tinkerers they might have some use, but the only installation on corporate systems I could see being useful would be for compatibility testing (which shouldn't be internet facing, or loose on the corporate network?).

I therefore wonder if the 40 infected machines were on unapproved installations by users? Some might need admin privileges for development purposes, but I still wonder why CC Cleaner found its way onto these corporate systems.

5
9

Re: CC Cleaner is an enterprise tool?

I have always found the presence of CCleaner (and the like) a useful flag that the machine has been tampered with by someone who doesn't know what they're doing - and that it needs nuking as a result.

7
16
Bronze badge

Re: CC Cleaner is an enterprise tool?

Well we wouldn't have to use tools like this if Microsoft provided the functionality people clearly need and want out of the box.

27
5
Anonymous Coward

Re: CC Cleaner is an enterprise tool?

we wouldn't have to use tools like this if Microsoft provided the functionality people clearly need and want out of the box

IME, anything that claims to "optimise your PC" is pure snake oil, and whatever the shortcomings of Microsoft's products, things like registry cleaners do more harm than good, even when they're not addled with malware. A bit like "battery optimisers" on phones. Installing these products represents a triumph of youthful optimism over sensible caution, or hard-earned experience.

I'm with Mr Obvious (above) that finding this on a machine is usually a sign of somebody who doesn't know what they are doing.

7
14
Silver badge

Re: CC Cleaner is an enterprise tool?

It appears that you and Mr Obvious only think it's used for 'optimisation'.

I use it to clean up new machines. Try finding McAfee on Windows 'uninstall'.

Whizz through a simple interface turning off all sorts of things.

Handy little tool, not 'optimisation'.

18
2
Silver badge

Re: CC Cleaner is an enterprise tool?

"Handy little tool, not 'optimisation'."

Surely cleaning vendors' bloatware is optimisation.

4
0
Silver badge
Facepalm

Re: CC Cleaner is an enterprise tool?

What Avast can now say is that the hacker gang infiltrated Piriform’s build server in April.

Sorry, this makes no sense to me.

Any software, any document, any application that I am intimately involved in creating and/or approving, I would certainly notice a dramatic change in file size. If I am one of 30 CCleaner developers I would be alarmed if my application went from 6MB to 9.5MB, and if I didn't notice somebody else would.

Occam's Razor: Imagine you work for a company like Avast and you have samples of everyone's malware. You need to infect some machines for whatever purposes. You know it will be eventually discovered, that's inevitable. It would be simple to just take samples of Chinese malware and use it for your own purposes. Do it after it's all approved.

1
1

Re: CC Cleaner is an enterprise tool?

Yes, in a business environment where the only thing that should be on the PC is whatever IT put there, CCleaner would suggest a user trying to 'fix' a business PC they might have accidentally infected.

However, for the home user or a one-PC business, CCleaner is suggested as a final step when trying to recover a PC when nuking is not, or is the last, option. Doesn't happen? Wanna bet? You've never been called to look at a friend's home office PC that's running some ancient accounting software, no idea of where any of the original install software is, unknown/nonexistent/untested backups, and the complaint is 'it's acting funny'?

I used CCleaner on my home PC just last month - it's running Windows 10 and the forced update made it unbootable. I restored from a drive image and wanted a text printout of installed programs. There's a tool in CCleaner that lets you do just that - export a list of installed programs. Which I did, before nuking the drive and reinstalling the OS.

0
0
FAIL

XcodeGhost again, cmon people!

The Register covered the XCodeGhost fiasco where some high profile app developers were releasing code built using compromised tools:

https://www.theregister.co.uk/2015/09/23/xcodeghost_ios_app_infection_toll_rises_to_four_thousand/

I said it then, and I'll repeat: What commercial software company would dare allow a developer machine to create a customer build? Requiring a 'pristine' build environment is software engineering 101.

You commit your code - the build server checks out the code and performs the build in a clean environment.

Publish the list of companies that build on developer PCs far and wide - so we all know to avoid anything they ever produce ever again. Have we learned nothing about software engineering in the past 35 years?

8
6
Silver badge

Re: XcodeGhost again, cmon people!

There's a difference: Piriform was hacked and their official download was compromised, and end users had no reason to suspect it; XCodeGhost was an obviously unofficial version which end users (app developers) downloaded knowingly, ignoring possible malware issues, because it downloaded faster than from Apple's server.

6
0
TVU
Bronze badge

Re: XcodeGhost again, cmon people!

"There's a difference, Piriform was hacked and their official download was compromised and end users had no reason to suspect, XCodeGhost was an obviously unofficial version which end users (app developers) downloaded knowingly ignoring possible malware issues because it downloaded faster than from Apple's server"

I might be wrong in this but I thought it was only the free version of CCleaner that was compromised and that was the one that was hosted on FileHippo (not any longer though the last time I checked).

0
0
Silver badge

Mount hobby horse. Charge!!!!!!

"You commit your code - the build server checks out the code and performs the build in a clean environment.",

*cough* From the article: "...the hacker gang infiltrated Piriform’s build server..." i.e. it was the build server that was compromised. *cough*

13
0
Silver badge

Re: XcodeGhost again, cmon people!

"Requiring a 'pristine' build environment is software engineering 101."

Putting 'pristine' in quotes says it all, really. You may think your build environment is pristine but if it's been got at you end up in exactly the situation Piriform found themselves in.

8
0
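The two ideas in the posts above (noticing that a release has grown far beyond the previous one, and insisting that a "pristine" single build server is not enough because it can itself be compromised) can both be turned into a mechanical release gate. The following is an added example written for this thread; it is not code from Piriform, Avast, or any commenter. It assumes two independently administered builders produce the artifact, and the sample "binaries" are constructed in-memory byte strings standing in for real files.

```python
"""Release-artifact sanity checks (added example, not from the thread or Piriform).

Two checks the commenters above allude to:
  1. size drift: a build that grows far beyond the previous release is a flag
     (the 6 MB -> 9.5 MB jump mentioned in the thread would trip this);
  2. independent rebuild: the artifact from the primary build server must be
     byte-identical to one produced by a second, separately administered builder,
     so a single compromised build box cannot ship a modified binary unnoticed.
All inputs below are constructed in-memory stand-ins for real binaries.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    detail: str


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the artifact bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def check_size_drift(candidate: bytes, previous_size: int,
                     max_growth: float = 0.25) -> list[Finding]:
    """Flag a candidate whose size exceeds the previous release by more than
    max_growth (a fraction, e.g. 0.25 = 25%). A missing baseline is itself a finding."""
    if previous_size <= 0:
        return [Finding("size-drift", "no previous size to compare against")]
    growth = (len(candidate) - previous_size) / previous_size
    if growth > max_growth:
        return [Finding("size-drift",
                        f"artifact grew {growth:.0%} over previous release "
                        f"(limit {max_growth:.0%})")]
    return []


def check_reproducible(primary: bytes, independent: bytes) -> list[Finding]:
    """Require byte-identical output from two independently administered builders."""
    h1, h2 = sha256_hex(primary), sha256_hex(independent)
    if h1 != h2:
        return [Finding("reproducibility",
                        f"primary {h1[:16]}... != independent {h2[:16]}...")]
    return []


def release_gate(primary: bytes, independent: bytes, previous_size: int,
                 max_growth: float = 0.25) -> list[Finding]:
    """Run all checks; an empty list means the release may proceed."""
    return (check_size_drift(primary, previous_size, max_growth)
            + check_reproducible(primary, independent))


# Constructed sample data (hypothetical): a "clean" 6000-byte build and a
# tampered copy padded with an extra 3500-byte payload (9500 bytes, ~58% growth).
CLEAN_BUILD = b"\x7fELF" + b"A" * 5996
TAMPERED_BUILD = CLEAN_BUILD + b"\x90" * 3500

if __name__ == "__main__":
    # The independent builder produced CLEAN_BUILD; the primary produced TAMPERED_BUILD.
    for f in release_gate(TAMPERED_BUILD, CLEAN_BUILD, previous_size=len(CLEAN_BUILD)):
        print(f"[{f.check}] {f.detail}")
```

Reproducibility only catches a tampered build server if the second builder is genuinely independent (different host, different credentials, ideally a different administrator), which is the point the "pristine in quotes" comment makes: one box you trust is one box an attacker needs.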
Anonymous Coward

Re: XcodeGhost again, cmon people!

> What commercial software company would dare allow a developer machine to create a customer build?

I think you might be surprised by quite how small many successful software companies are.

4
0
Anonymous Coward

Re: XcodeGhost again, cmon people!

"Publish the list of companies that build on developer PC's far and wide - so we all know to avoid anything they ever produce ever again. Have we learned nothing about software engineering in the past 35 years?"

Yes, that if we were to practice what you preach, we probably would be left with NOTHING. THAT'S how far this goes. Plus you forget one-man houses who pretty much only have ONE computer. It MUST be BOTH developer AND builder out of necessity.

4
0

Re: Mount hobby horse. Charge!!!!!!

@Brewster - the detail in the article is very thin - it says 'This was the system used by a lead developer at the 30-person outfit to generate code', which suggests to me that it wasn't what most would consider a 'secure build environment' - more like some environment you log into. I decided to assume the author knew more than what's been written and go with the spirit of the headline 'Avast urges devs to secure toolchains'. I.e. the build system wasn't secure, and I'd argue was barely deserving of the name.

@everyone - have you not heard of VMware? Teams of 1 can definitely have secure independent build systems.

1
0
Silver badge

Re: Mount hobby horse. Charge!!!!!!

And have YOU heard of hypervisor attacks, aka Red Pills?

0
0
Silver badge

Mycroft Holmes would be so proud...

"Forensic work by Avast has identified that operations were performed and builds created by the CCleaner hackers during the working day of the Beijing timezone".

Oooh, "forensic", eh? Well that must be right then.

Thank goodness that black hats have the goodness always to work 9 to 5.

7
1
Silver badge

Re: Mycroft Holmes would be so proud...

It is UTC+8, not like it could be Perth or Indonesia or Malaysia or Philippines or some other country working on night shift to make it look like China.

3
3
Silver badge
Trollface

Re: Mycroft Holmes would be so proud...

Any ambiguity is clearly the fault of the people who ran the server - they should have just included a form with an obligatory "country" field on their "black hat login" page...

7
0
Silver badge

Re: Mycroft Holmes would be so proud...

If it is Chinese state sponsored hackers they would likely be working a regular day shift. It wasn't just the time, but also the association with APT17 that led them to suggest this.

From what I've read, China's state sponsored hackers are full time employees. That's unlike Russia where a lot of their state sponsored hackers are ordinary blackhats who are induced into doing the state's bidding either out of patriotism or to avoid jail.

3
0

This post has been deleted by its author

Anonymous Coward

TheRegister needs to ask them to confirm that the code from every release from April was checked and not just v5.33.6162

2
0
Anonymous Coward

Reputation index

0 1 2 3 4 5 6 7 8 9 10

Scale:

0 = being CCleaner

10 = good but make your own checks

0
1
