Avast CCleaner used to spread backdoor to two million plus users

News by Doug Olenick

The free computer maintenance app CCleaner, distributed by Avast subsidiary Piriform, maybe have exposed more than two million computers to a multistage malware payload that if exploited could have allowed the computers to be controlled remotely.

Cisco's Talos threat intelligence group believes the malware most likely added by an outside actor, but the researchers did not rule out the possibility that the maneuver was an inside job. Avast acquired Piriform in July and folded the company into Avast's consumer business unit and retained the CCleaner brand.

Piriform vice president Paul Yung said the issued was first noticed on 12 September when an unknown IP address began receiving data in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Further research discovered that these versions of the app had been illegally modified before being released to the public. An as yet unknown party inserted a two-stage backdoor capable of remote code execution.

"Piriform is unable to speculate on the intent of the attack as the company is still working with US law enforcement on the investigation," a company spokesperson told SC Media.

CCleaner has been downloaded more than two million times, according to a November 2016 press release, and the company is recommending all its users update to the latest version 5.34. 

“We would like to apologise for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191,” Yung said, adding, “the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we're moving all existing CCleaner v5.33.6162 users to the latest version.

The corrupted version of CCleaner was being distributed on CCleaner's download server with a valid certificate as of 11 September 2017, Cisco Talos' researchers said.

The suspicious code was hidden in the application's initialisation code called CRT (Common Runtime) that is normally inserted during compilation by the compiler, Piriform said.

Talos in its investigation also found a compilation artifact. (S:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb) within CCleaner's binary that it believes points to how the malware found its way into the software.

“Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organisation,” Talos researchers wrote.

Talos did not rule out the possibility that the malware was the work of an insider.

“It is also possible that an insider with access to either the development or build environments within the organisation intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code,” it said.

Piriform said the malware also began collecting data on the affected system:

  • Name of the computer
  • List of installed software, including Windows updates
  • List of running processes
  • MAC addresses of first three network adapters
  • Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.

Piriform said that while the data was collected it does not appear to have been sent anywhere.

Cyber-industry executives noted these attackers once again used a trusted software vendor to spread their malware, just as NotPetya was spread to companies using M.E. Docs accounting software.

“This is an example of a software supply-chain attack, where an otherwise trusted software vendor gets compromised and the update mechanism of the programs they distribute is leveraged to distribute malware. This is sort of a holy grail for malware authors because they can efficiently distribute their malware, hide it in a trusted channel, and reach a potentially large number of users,” said Marco Cova, senior security researcher at Lastline.

In an email to SC Media UK, Justin Fier, director for cyber intelligence and analytics at Darktrace commented:“The risk that companies inherit from their suppliers is a pervasive problem for cyber-security. Dynamic supply chains are crucial to keeping up in today's fast-paced business environment, but every new supplier expands a company's threat surface. Quite simply, companies with a supply chain cannot avoid compromises – supply chain breaches are inevitable. 

"The assessment of potential supply chain partners is often a rushed process in terms of evaluating their cyber-security level, and is rarely as in-depth as it should be. It has become critical for companies to adopt an AI technology that is capable of monitoring cyber-risk continually and adaptively, to keep pace with the evolving threat landscape and changing digital environment. While we can't change the security posture of our supply chains, we can have a transparent relationship when it comes to cyber-risk. The Avast breach should come as yet another wake-up call that corporations must have visibility into how their suppliers interact with their systems, as well as a real-time assessment of their suppliers' cyber-risk.”

Ofer Maor, director of enterprise solutions at Synopsys adds, "... attackers are stepping up their game to attack more allegedly secure customers. While recent ransomware attacks mostly affected random users with minimal consideration to the maintenance of their computer (such as installing updates), this attack targets the very users who follow best practices and regularly maintain their computer. And they do it by taking advantage of the very vendor the users expect to trust.

"Attacks like this are likely the result of insufficient security and quality controls by the vendor, allowing attackers to maliciously inject code while the software is being created. These insufficient controls, however, are not the result of extreme negligence. They are, indeed, the standard for many vendors. These types of attacks just demonstrate the need for the software industry to mature itself the way other engineering disciplines have been in the past. We no longer accept lack of such controls in our cars or our bridges, and as the customers, we should no longer accepts such oversights with software."

Javvad Malik, security advocate at AlienVault emailed SC Media UK to conclude: “The attack mirrors the NotPetya ransomware technique of compromising a software provider that is trusted by consumers. A technique that is being used more often, even targeting security companies. It is therefore important that companies deploy effective threat detection and integrity controls to be able to identify where unauthorised access has been attempted or code has been changed.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews