CCleaner targeted top tech companies in attempt to lift IP

Cisco's security limb Talos has probed the malware-laden CCleaner utility that Avast so kindly gave to the world and has concluded its purpose was to create secondary attacks that attempted to penetrate top technology companies. Talos also thinks the malware may have succeeded in delivering a payload to some of those firms …

  1. Yet Another Anonymous coward Silver badge

    CCleaner targeted?

    I think the virus which infected CCleaner attacked them.

    You don't claim "Intel targeted" for every single virus running on x86.

    1. Prst. V.Jeltz Silver badge

      Re: CCleaner targeted?

      CCleaner didn't get infected. It's a program. Machines get infected.

      I'm not sure what you mean with your Intel analogy.

      What appears to have happened here is that some ne'er-do-well has hacked into AVG's house and planted their virus inside the downloadable update for CCleaner.

      So AVG and their cleaner program were "targeted", but not by the malware.

      I'd still like to know exactly how the malware got in there.

    2. Rob D.

      Re: CCleaner targeted?

      Agreed. The article title implies the CCleaner app/maker is responsible, whereas the real interest here should be who and why. The article does go into that and raises several interesting points which no doubt are being investigated by several groups, so it seems strange not to make that obvious in the title.

      'CCleaner hack targeted top tech companies to lift IP' would have been a far more accurate reflection of content (or some variation if there's some limit on title lengths).

      Either way, this story has some way to run yet, and there are also the initial Avast assurances that 'no-one got damaged' which were quick to come out and possibly will be as quick to fall apart.

      1. phuzz Silver badge

        Re: CCleaner targeted?

        "The article title implies the CCleaner app/maker is responsible"

        Well, they share some of the blame for not having better security, but it sounds like they were specifically targeted, which is a very difficult thing to defend from.

        1. Anonymous Coward
          Facepalm

          Re: CCleaner targeted?

          "it sounds like they were specifically targeted which is a very difficult thing to defend from."

          A security company being targeted, who would have guessed?

  2. Anonymous Coward

    How did...

    CCleaner get infected in the first place?

    1. sitta_europea Silver badge

      Re: How did...

      You haven't been paying attention, have you?

      1. Anonymous Coward

        'You haven't been paying attention, have you?'

        We still don't really know much about it, dude. Sure, we know WHAT happened, but not the HOW, or how Avast let their guard down, especially after NotPetya, which used a similar attack vector etc...

        ---------

        "Avast cryptographically signs installations and updates for CCleaner, so that no imposter can spoof its downloads without possessing an unforgeable cryptographic key. But the hackers had apparently infiltrated Avast's development or distribution process before that signature occurred, so that the firm was putting its stamp of approval on malware, and pushing it out to consumers."

        ---------

        https://www.wired.com/story/ccleaner-malware-supply-chain-software-security/

    2. Destroy All Monsters Silver badge

      Re: How did...

      Inside job on the build server AFAIK.

      This falls under "poisoning the software supply chain".

      Inb4 "Putin did it and Merkel is next etc."

  3. Anonymous Coward

    "Peoples Republic's timezone"

    Also Perth, Western Australia.

    But chances are...

    1. This post has been deleted by its author

      1. Doctor Syntax Silver badge

        Re: "Peoples Republic's timezone"

        "the IP address which the malware phones home to is located in....the USA. Saratoga Springs? Langley?"

        Whois says the registrant is in Seattle.

        1. Yet Another Anonymous coward Silver badge

          Re: "Peoples Republic's timezone"

          Whois says the registrant is in Seattle.

          Blame Amazon

        2. jasonbrown1965

          Re: "Peoples Republic's timezone"

          Washington is among the top states for company registration transparency, but still far from good, let alone perfect, see:

          https://sunlightfoundation.com/2014/08/14/washington-a-better-practices-state-for-llc-transparency/

          For a comparison of how far such measures have to go, one of the top three countries, New Zealand (yeah, from there) only recently passed legislation ending the worst abuses of its foreign trust laws.

          All too often, these ranking surveys, such as the one reported in the above article and similar ones such as Transparency International's "least corrupt" rankings, fail to point out how utterly hopeless existing corporate law is in establishing ultimate beneficiaries.

          tl;dr - registration in Seattle may not prove anything?

    2. Anonymous Coward

      Re: "Peoples Republic's timezone"

      But what about....

      Canada

      1. Spacedinvader
        Trollface

        Re: "Peoples Republic's timezone"

        Oh aye, blame Canada!

        1. Anonymous Coward

          Re: "Peoples Republic's timezone"

          It's not even a real country anyway.

    3. Fan of Mr. Obvious

      Re: "Peoples Republic's timezone"

      Agreed. The "blame China" key no longer has any paint on it. How about some hard forensics to back up the claims rather than notations about attributes that are meaningless without more fact?

    4. Anonymous Coward

      Re: "Peoples Republic's timezone"

      If I lived in Perth, this is the kind of thing desperation would drive me to for entertainment.

  4. This post has been deleted by its author

  5. Anonymous Coward

    And yet when I suggested the only way to safely fix a malware infected host...

    .. was to nuke it all and reimage it from scratch, the downvoting commentards were out in force.

    The ONLY way to be sure malware and the subsequent backdoor are removed is to rebuild the machine from scratch. You will also have to reflash the firmware and use disk formatting tools beforehand to be really sure.

    1. Prst. V.Jeltz Silver badge

      Re: And yet when I suggested the only way to safely fix a malware infected host...

      Yeah, but that's a bit of a faff, isn't it. Easier to use a reputable AV and be 99% sure.

      I mean, as soon as you plug that shiny new re-flashed, rebuilt, reinstalled PC into the internet you are instantly "not sure" again, so you just wasted 3 or 4 hours.

      1. Anonymous Coward

        Re: And yet when I suggested the only way to safely fix a malware infected host...

        Especially if you are running Windows 10!

        Seriously, it would be great if a security bod could carry out a forensic search on a PC subjected to this CCleaner hack, both before and after removing it, then report back whether they've found any remnants anywhere. It's not a 3-4 hour job for most users to re-install Win and everything else, it's a couple of days, a weekend behind the desk. Yeah I know, images, but in my style of computing those images are never stable for long, better to go for a clean start all over again, and that takes time.

    2. Doctor Syntax Silver badge

      Re: And yet when I suggested the only way to safely fix a malware infected host...

      "the downvoting commentards were out in force."

      That might have been because you were suggesting reinstalling Windows.

    3. Fatman
      Joke

      Re: And yet when I suggested the only way to safely fix a malware infected host...

      "The ONLY way to be sure malware and the subsequent backdoor are removed is to replace the hard drive, and to rebuild the machine from scratch."

      There FTFY!

    4. Justin Clift

      Re: And yet when I suggested the only way to safely fix a malware infected host...

      "The ONLY way to be sure malware and the subsequent backdoor are removed is to rebuild the machine from scratch."

      That used to be the case. Unfortunately, these days malware which can persist in the "Mgmt Engine" and/or other attached peripherals seems like it's starting to be a thing.

      For reference, if that kind of thing is of interest:

      https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668

  6. Anonymous Coward

    Seems odd these companies were using the 32-bit version.

    CCleaner is a combined installer for 32-bit/64-bit versions. Given the so-called high-profile targets, why would they be specifically using the 32-bit version? The mitigation story seems to be falling apart, and quickly.

    1. Anonymous Coward

      Re: Seems odd these companies were using the 32-bit version.

      They'd use the 32-bit version possibly for better compatibility with other apps. They may also have Win 7 32-bit installed.

    2. Anonymous Coward

      Re: Seems odd these companies were using the 32-bit version.

      Another new version released ccleaner535.exe (within 2 days), so they probably found some more malware code.

  7. Mr Dogshit

    I still don't understand how this happened

    You compile the source code

    You make it into an MSI

    You stick it on your web server

    Erm... at what point does it get pwned by malware?

    1. Prst. V.Jeltz Silver badge

      Re: I still don't understand how this happened

      I also wondered that.

      The only thing I can imagine is that someone pwned the webserver enough that they could swap the compiled MSI for their own.

      I don't know how hard it would be to fool the CCleaner client into thinking it got its update, but it could certainly unload the malware.

      Think about it - every malware writer's wet dream is a surefire "infection vector" (is that the buzzword?) that doesn't rely on some idiot clicking on an attachment, as is the route 99% of the time. As such, anyone who's hacked into the servers of a massively popular program that updates regularly is in an enviable position. (Bonus points if it's an AV company!)

      I bet that CCleaner access was sold on the 'black hat market' rather than perpetrated by the same people who made the payload.

      1. Aodhhan

        Re: I still don't understand how this happened

        Good grief... where are the InfoSec professionals?

        Stop being so lazy. You should at least be able to understand how to work a search engine to find out the details of what happened; without going, "Duh... I don't get it".

        This was an attack on the supply chain. You may want to learn a lot more about these types of attacks. They aren't new. In fact, supply chain attacks on computers have been going on since the late 60s, and really took off during the 80s.

        Imagine what you can do if you, as a hacker, can gain control of a third party download server which provides new applications as well as updates/upgrades. For instance, you can add your own malicious packages to the applications and libraries being downloaded. Very stealthy, and the consumer presses the "OKAY" button to let it run with system (or similar) permissions. The attack becomes even more deadly, because it's a well known and trusted application.

        ...get it yet?

        There are many third party download server services available (for hire) which aren't owned or controlled by the actual software vendor. If you've downloaded an application from the Internet, it's very likely you've used one.

        1. Anonymous Coward
          Holmes

          Re: I still don't understand how this happened

          @Aodhhan - "Stop being so lazy."

          Chill. It's a discussion forum. People are discussing it.

    2. Brewster's Angle Grinder Silver badge

      Re: I still don't understand how this happened

      We'd all like to know how. They could have corrupted the source directly, corrupted the build processes, or patched and resigned the executable. But as security gets tighter, these kinds of attacks are going to get more prevalent.
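As an added illustration (not code from the article, Wired, or any commenter) of the point in the Wired quote earlier in this thread and of Brewster's three compromise points: a toy release pipeline that signs whatever the build server emits, so a pre-signing compromise ships with a valid signature while a file swapped on the download server after signing does not. The HMAC stands in for Authenticode, and the source, key and implant bytes are constructed for the example.

```python
import hashlib
import hmac

# All values below are constructed for the example; they are not CCleaner's
# real source, signing key or payload.
SOURCE = b"int main(void) { return 0; }"          # constructed source tree
IMPLANT = b"|constructed-backdoor-stub"          # stands in for the implant
VENDOR_KEY = b"constructed-vendor-signing-key"    # only the vendor holds this

def build(source: bytes) -> bytes:
    """Deterministic 'compiler': the output depends only on the source."""
    return b"PE|" + hashlib.sha256(source).digest()

def sign(artifact: bytes) -> bytes:
    """Toy stand-in for Authenticode: only the key holder can produce this."""
    return hmac.new(VENDOR_KEY, artifact, hashlib.sha256).digest()

def signature_valid(artifact: bytes, signature: bytes) -> bool:
    """What the installer / update client checks before trusting the file."""
    return hmac.compare_digest(sign(artifact), signature)

def matches_clean_build(artifact: bytes, source: bytes) -> bool:
    """Independent check: rebuild from source out of band and compare hashes
    (the idea behind reproducible builds, or a hash published over a channel
    separate from the build server)."""
    return hashlib.sha256(build(source)).digest() == hashlib.sha256(artifact).digest()

def release(source: bytes, build_hook=None):
    """Vendor pipeline: build, then sign whatever the build server produced.
    build_hook models an attacker sitting on the build server (pre-signing)."""
    artifact = build(source)
    if build_hook is not None:
        artifact = build_hook(artifact)
    return artifact, sign(artifact)

def assess(artifact: bytes, signature: bytes) -> dict:
    return {"signature_valid": signature_valid(artifact, signature),
            "matches_clean_build": matches_clean_build(artifact, SOURCE)}

def scenario(name: str) -> dict:
    if name == "clean":
        artifact, sig = release(SOURCE)
    elif name == "build_server_compromise":      # compromise before signing
        artifact, sig = release(SOURCE, build_hook=lambda a: a + IMPLANT)
    elif name == "download_server_swap":         # file replaced after signing
        artifact, sig = release(SOURCE)
        artifact = artifact + IMPLANT
    else:
        raise ValueError(name)
    return assess(artifact, sig)

if __name__ == "__main__":
    for name in ("clean", "build_server_compromise", "download_server_swap"):
        print(name, scenario(name))
```

Only the out-of-band rebuild comparison flags the build-server case; the signature check alone passes it, which is why a valid Avast signature on the backdoored build told consumers nothing.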

  8. John Savard

    I'm sorry, but this recommendation is simply not acceptable.

    With the update to CCleaner, software should be included that totally removes all malware that could have been introduced by the infected versions in a transparent manner that does not risk losing data, or require the user to re-install any programs on the system. It should be possible to clean the affected systems in a 100% safe manner that also imposes no inconvenience or effort.

    Of course, admittedly, that may not be technically possible. Eventually, when the regime in China falls, if indeed the people behind this crime are there, they should face a severe penalty so that no one ever again will think to tamper with computers belonging to innocent other people.

    1. Alister

      they should face a severe penalty so that no one ever again will think to tamper with computers belonging to innocent other people.

      So, execution for a first-offence, exorcism for repeat offenders?

    2. Doctor Syntax Silver badge

      "With the update to CCleaner, software should be included that totally removes all malware that could have been introduced by the infected versions"

      Easier said than done. CCleaner phoned home to a server and that server would have supplied the real payload. It's not possible to determine what that was simply by looking at the rogue CCleaner. It's not even possible to be certain by looking at the server; even if the server is sufficiently accessible to determine what it's hosting now that might not be what it had before Talos investigated.

      1. Mikel

        Fitness for purpose

        >It's not possible to determine what that was simply by looking at the rogue CCleaner.

        And yet cleaning all the cr*p out of your Windows is in the name of the product.

    3. Florida1920

      Eventually, when the regime in China falls

      Too bad "CCleaner" can't remove that virus.

  9. PapaD

    Detecting the malware

    What I did find interesting was that Avast's own anti-virus software failed to detect the malware with a full scan, but Windows Defender found it quite happily - and then removed it.

    1. Anonymous Coward

      Re: Detecting the malware

      Windows 10 1607 Defender is also now marking (and quarantining) the original CCsetup533.exe as having a Backdoor:Win32/Floxit infection.

      1. Anonymous Coward

        Re: Detecting the malware

        Our Sophos SBE says the following for the main program executable:

        File "C:\program files\CCleaner\CCleaner.exe" belongs to virus/spyware 'Troj/Mogoa-A'.

  10. Fading
    Stop

    Is it just me....

    Or was the infection vector unsuitable for the payload? As I understand the infection, it provided the details of the host machine, and only if it was part of a particular corporation would the infected machine be used. Is CCleaner used at any of the corporations targeted, as I would assume only small companies and individuals were customers/users?

    1. Rob D.

      Re: Is it just me....

      The vector (supply chain attack on popular but relatively small software packages) is proving suitable in several ways. The CCleaner attack appears to have successfully loaded secondary content onto some of the select companies targeted (http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html) and there have been other successful attacks in recent months (MeDoc in Ukraine and Netsarang in South Korea).

      Seems likely that more of this is going to occur - anywhere there is an implicit trust relationship between a vendor and a user, where there is a decent chance that user is going to have elevated access in relevant targets, that supply chain is going to be probed.

    2. Yet Another Anonymous coward Silver badge

      Re: Is it just me....

      I would assume only small companies and individuals were customers/users?

      Once you are inside the corporate network security is generally much weaker.

      So you only need one developer / CxO / salesperson with either root access on their work machine or permission to connect a personal machine to the network and ....

  11. Scroticus Canis
    Meh

    Restore from backups or reimage.

    "...should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system."

    Only true if the backups are clean. Seen restores of backed-up malware before.

  12. oneeye

    Blaming Avast is a Little Unfair

    Since the attack on CCleaner happened only a few weeks after Avast finalized the sale, I think that the click-bait titles I've seen are just a bit unfair. From what I read, it looks like CCleaner was the only one signing certs for their own products, which is still a stand-alone company "owned by Avast", and likely one of their own employees was hacked to make this attack happen.

  13. Anonymous Coward
    Terminator

    Malware made its way into CCleaner

    How did this malware make its way into CCleaner and what are the names of the machines it infects?

  14. DanceMan

    Disable Auto-Updating

    This is a good reason to keep user control of updating.

  15. razorfishsl

    LOL.....

    D-Link, who the hell would want access to their half-assed IP.

  16. kbutler.toledo
    FAIL

    Causes & faults

    Two-edged sword...

    May says Brexit is the cause.

    Trump says it must be fake Kaspersky.

    Will the real Kas please stand up?
