CCleaner malware puts over 2 billion machines at risk

By September 23, 2017blog, news

Update for customers asking about CCleaner malware: it seems that malicious software has been discovered as being distributed alongside CCleaner between August 15th, 2017 – September 13th, 2017.

While editing this blog post, I aim to provide an as unbiased point of view as possible, considering that this website also serves a PC System Utilities software product to its audience. For this reason, we should look at this event with humbleness and regard it as a good motivation to increase our awareness regarding the security of the software that we use.

Why was CCleaner used to distribute malware?

One way to distribute malware to different organisations is through software supply chains. This is usually very effective as it is based on the trust created between the software developer and the end-user.

An example of this is the worm Nyetya, that recently re-coined the term ‘ransomware’ using proof of concept network level spreading behavior.

According to the developers of CCleaner, more than 2 billion downloads had been registered by November 2016 and a growth rate of approximately 5 million downloads per week for its flagship product.

ccleaner growth rateFigure 1: CCleaner growth statistics

CCleaner malware – a ‘numbers game’

As recent events show, these look like just the numbers needed for a motivated malware developer / advanced attacker to step in and take control of the software distribution network.

Sadly, Cisco’s Talos Intelligence Group recently discovered that CCleaner version 5.33 contained malware attached to it. More specifically, a backdoor that allows the receiving and processing of remote command & control commands.

 

Figure 2: Screenshot of the Cisco’s notification date for Avast

 

As a result, the CCleaner version released on August 15th, 2017 presented risks of infection for an unprecedented number of computers (including those that run on critical infrastructures) and enormous potential damage to software users across the world.

Since then, it is now estimated that over 700,000 machines were infected and may still be receiving command & control remote tasks from the owners of what now seems to be the fastest growing botnet of 2017.

ccleaner malwareFigure 3: Screenshot of CCleaner – Version History

 

Few weeks later, on September 13th, 2017, Cisco’s Talos informed Avast (the antivirus company that had recently acquired Piriform) of the attack and to initiate relevant action on the matter.

According to Talos, “over 700,000 machines reported to the malicious software command & control server over this time period, and more than 20 machines have received the second-stage payload”.

During the installation of CCleaner 5.33, the 32-bit CCleaner binary was also contained in a malicious payload that featured Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We have confirmed that this malicious version of CCleaner was hosted directly on CCleaner’s download server as of September 11, 2017.

 

It remains a mystery if the CCleaner version update released on September 12th, 2017 was related to the necessity of removing malware or if removing the backdoor from the distribution repository happened only after the notification by Cisco on September 13th, 2017.

Getting to understand the CCleaner malware incident

The infected CCleaner version 5.33 was distributed through the official CCleaner download site, using a software installer that could trick most security solutions. The malicious installer was signed using a certificate issued to Piriform Ltd by Symantec, with validity date until 10/2018.

In its analysis, Talos found the following compilation artefact in the CCleaner binary:

  • S:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb

With the fact that the software installer was validly signed, along with the presence of this malicious compilation artefact attached, several hypotheses have been thought about the malware and how it became part of the system. None has been confirmed so far.

What is certain is that the version containing the infected loads has been removed and is no longer available for download.

CCleaner malware indicators of compromise: registry keys

Talos also identified what is believed to be a software bug in malicious code related to the C2 function. A DGA computed IP address was found at the following location in the registry:

  • HKLM\SOFTWARE\Piriform\Agomo: NID

This IP address apparently does nothing and its purpose is unknown because the malware does not use it. Once the malware transmits the system profile information to the C2 server it can use an HTTPS POST request. Then, it stores the current system time value plus two days at the following registry location:

  • HKLM\SOFTWARE\Piriform\Agomo: TCID

CCleaner malware indicators of compromise: files

Any file names that own the following SHA-256 unique signatures are supposed to be part of the first phase infection:

According to VirusTotal, a multi-antivirus web scanner that is now owned by Google, the CCleaner malware has received the detection verdict of ‘Trojan.PRForm.A’ from Ad-Aware and ‘Backdoor.Win32.InfeCleaner.a’ from Kaspersky.

Avast, the antivirus company that currently owns CCleaner, is now detecting its own infected software, CCleaner version 5.3, under the verdict ‘Win32:TlsHack-A [Trj]’. Avast recently acquired Piriform, the makers of CCleaner, only few weeks before the incident occurred.

What to do in order to be 100% sure that the CCleaner malware is no longer in my system?

In order to be 100% sure, it is recommended that users who downloaded CCleaner v5.3 should restore their systems to a state before August 15, 2017, or the full reinstallation of the operating system.

What if restoring the operating system is not an option?

There are naturally multiple inconveniences that can jump to mind when it comes to restoring your operating system to an older state. Luckily, there are ways in which you could maybe get a 96% chance of have gotten rid of the CCleaner malware without a system restore.

Here are the steps that you need to follow:

  1. Make sure that your system does not still have the CCleaner – version 5.3 installed. If it is still installed, you can use the Software Uninstaller tool in an attempt to completely remove it.
  2. Scan your computer using a reputable antivirus product. If in doubt which one to choose, please consider the results of these independent antivirus tests.
  3. Install a second opinion antivirus solution in order to have an extra point of view. If you need our help, let us know. We will be glad to assist!

Unfortunately, security events that are not completely understood are often downplayed in severity. This can work counter to a victim’s best interests.

Therefore, companies should remain conservative with their advice before all of the details of the attack have been determined.