What the Windows CCleaner Did

CCleaner, a program owned by Avast, is the center of a major security scare. Why should you be worried? Well, this product is used by millions of Windows users worldwide to run maintenance on their registry and file systems on their consumer Windows machines. The product has had over two billion downloads in its lifetime, and according to Avast, it gets downloaded over five million times a week. More worrying is that according to Avast’s own figures, the infected product was downloaded and installed on over 2.27 million devices. Avast has removed the infected download and replaced it with a non-affected version.

If you are a user of Avast CCleaner, it is imperative that you check your version and, if you are running version 5.33, upgrade your version immediately. The cloud version 1.07.3191 was also reported as being affected; this version too has been updated.

First, let’s give credit where credit is due: this was found by Cisco’s Talos labs on September 13, 2017. They informed Avast of the issue, and Avast quickly moved to remedy it.

For a full, detailed look at the threat, read the response details on TalosIntelligence.com. Briefly, Talos found that the aforementioned version of CCleaner was infected with malware that introduced an infected DLL that effectively copied user data and sent it to hackers’ servers. This DLL was called by CCleaner, then ran the necessary payload and returned control to CCleaner to continue with its normal operations. The hackers also included a DGA (domain-generation algorithm) to generate new domains to enable the collection of data should the primary collection be taken offline.

The hackers had effectively compromised the development environment within Avast, or more likely Piriform, the original owner of CCleaner, which Avast purchased. They managed to rewrite a call to redirect processing to their malicious code and, once completed, return control back to the application in exactly the same position to allow CCleaner to continue its processes without “interruption.”

This attack is quite elaborate in its design and shows a level of complexity that is impressive. The use of the DGA’s and PIC’s (position-independent code) PE loaders, and DLL’s zeroed out IMAGE_DOS_HEADERS, suggest that the author was attempting to remain under the radar of normal detection techniques. The hacker or team that created this attack are not just teenage script jockeys, but very capable programmers.

The most worrying thing about this particular infection is that it was digitally signed by Avast’s own certificates, with a trusted root of Symantec. This means that, as this is a trusted certificate, it will just load on any operating system on which the MSI or installation is interactively called. For the product to have been infected at the code level and then complied into the actual product is worrying, as the hackers must have had a deep level of access. Further, this compromise has exploited the inherent trust relationship between the software vendor and the users of its software. When you click to verify that a certificate is who and what it purports to be, you naturally check the trust path on the certificate that is being used to verify the efficacy of the install routine. I think that Avast/Piriform have attempted to downplay the severity of the breach and infections. From the perspective of brand protection, this makes sense, but let’s not beat around the bush here. Someone or many unknowns have breached the software vault of a fairly major software house, infected the code base of their premier product, managed to get that product through their Q&A department, and then managed to get the resultant infected payload verified with a trusted certificate.

These reports of breaches are getting more and more numerous—breaches caused both by malware, which infects PCs to filch personal data, and by ransomware, which encrypts your data and holds it hostage, forcing you to pay to get the public key to enable the unencryption keys. It is now really time to start taking more care of your edge, by taking a greater and stricter position regarding security. When will a single breach be a nonentity? Hopefully never. But it is imperative that those that are breached inform the public as soon as possible to enable quicker remediation.

Posted in SecurityTagged , , , ,