Author Topic: Avast "spreading malware"  (Read 2396 times)


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31301
  • Watching (over?) you
    • Malware removal, Biljart and other things.
« Last Edit: September 19, 2017, 02:02:08 PM by Eddy »

Offline sloshnmosh1

  • Jr. Member
  • **
  • Posts: 37
Re: Avast "spreading malware"
« Reply #1 on: September 18, 2017, 10:36:24 PM »
Yeppers!
Avast had just purchased the popular CCleaner just a couple months ago and now there's a hidden backdoor in the product.
The infected version also had a signed certificate so this looks REAL fishy!

Users of Avast-owned security application CCleaner for Windows have been advised to update their software immediately, after researchers discovered criminal hackers had installed a backdoor in the tool. The tainted application allows for download of further malware, be it ransomware or keyloggers, with fears millions are affected. According to Avast's own figures, 2.27 million ran the affected software, though the company said users should not panic.

The affected app, CCleaner, is a maintenance and file clean-up software run by a subsidiary of anti-virus giant Avast. It has 2 billion downloads and claims to be getting 5 million extra a week, making the threat particularly severe, researchers at Cisco Talos warned. Comparing it to the NotPetya ransomware outbreak, which spread after a Ukrainian accounting app was infected, the researchers discovered the threat on September 13 after CCleaner 5.33 caused Talos systems to flag malicious activity.

Further investigation found the CCleaner download server was hosting the backdoored app as far back as September 11. Talos warned in a blog Monday that the affected version was released on August 15, but on September 12 an untainted version 5.34 was released. For weeks then, the malware was spreading inside supposedly-legitimate security software.

[Image: CCleaner Windows app infected (Cisco Talos). Caption: The CCleaner app, designed to help users carry out good cyber hygiene, was itself infected.]

The malware would send encrypted information about the infected computer - the name of the computer, installed software and running processes - back to the hackers' server. The hackers also used what's known as a domain generation algorithm (DGA); whenever the crooks' server went down, the DGA could create new domains to receive and send stolen data. Use of DGAs shows some sophistication on the part of the attackers.

Downplaying the threat?

CCleaner's owner, Avast-owned Piriform, has sought to ease concerns. Paul Yung, vice president of product at Piriform, wrote in a post Monday: "Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process.

"The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker.

"Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm."

Not all are convinced by the claims of Piriform, acquired by Avast in July. "I have a feeling they are downplaying it indeed," said Martijn Grooten, editor of security publication Virus Bulletin. Of the Piriform claim it had no evidence of much wrongdoing by the hacker, Grooten added: "As I read the Cisco blog, there was a backdoor that could have been used for other purposes.

"This is pretty severe. Of course, it may be that they really only stole ... 'non-sensitive data' ... but it could be useful in follow-up targeted attacks against specific users."

In its blog, Talos' researchers concluded: "This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files and web servers used to distribute updates."

Avast CTO: No need to panic

Avast chief technology officer Ondrej Vlcek said there was, however, little reason to panic. He told Forbes the company used its Avast security tool to scan machines on which the affected CCleaner app was installed (in 30 per cent of Avast installs, CCleaner was also resident on the PC). That led to the conclusion that the attackers hadn't launched the second phase of their attack to cause more harm to victims.

"2.27 million is certainly a large number, so we're not downplaying in any way. It's a serious incident. But based on all the knowledge, we don't think there's any reason for users to panic," Vlcek added. "To the best of our knowledge, the second-stage payload never activated... It was prep for something bigger, but it was stopped before the attacker got the chance." He said Cisco Talos wasn't the first to notify Avast of the issues, another unnamed third party was.

It's unclear just who was behind the attacks. Yung said the company wouldn't speculate on how the attack happened or possible perpetrators. For now, any concerned users should head to the Piriform website to download the latest software.

https://www.forbes.com/sites/thomasbrewster/2017/09/18/ccleaner-cybersecurity-app-infected-with-backdoor/#21ed556316a8

Offline sloshnmosh1

Re: Avast "spreading malware"
« Reply #2 on: September 18, 2017, 11:07:07 PM »
I have a copy of the "tainted" CC Cleaner (5.33.6162-16281) if any of you other independent researchers want to take a peek at it.
Hit me up  on a PM and I will share.
« Last Edit: September 18, 2017, 11:19:05 PM by sloshnmosh1 »

Offline Eddy

Re: Avast "spreading malware"
« Reply #3 on: September 18, 2017, 11:13:36 PM »
No need to post all that.
I know the FAQs.
But I do wonder which anti-malware tools are detecting it currently.
Right before I posted the link, only ClamAV did as far as I could see.

Offline sloshnmosh1

Re: Avast "spreading malware"
« Reply #4 on: September 19, 2017, 12:01:40 AM »

Offline sloshnmosh1

Re: Avast "spreading malware"
« Reply #5 on: September 19, 2017, 12:03:57 AM »
So it looks like the "AV" companies are starting to add it to their detection rules Eddy.

Offline sloshnmosh1

Re: Avast "spreading malware"
« Reply #6 on: September 19, 2017, 12:11:47 AM »
It uses Symantec certificates.
Google Chrome has decided to remove any Symantec certs from its browser over time due in part to Symantec not following security protocols.
I removed and/or disabled all Symantec security certificates on all my computers and devices months ago.

Offline Eddy

Re: Avast "spreading malware"
« Reply #7 on: September 19, 2017, 12:19:37 AM »
It sure seems like it.
Could be VT hasn't updated the avast vps, but it's strange to see that avast isn't detecting it.

Offline sloshnmosh1

Re: Avast "spreading malware"
« Reply #8 on: September 19, 2017, 12:26:30 AM »
Very strange indeed Eddy!
But I wonder if it was "whitelisted" by the Avast AV because it has Avast's signing key?

Offline sloshnmosh1

Re: Avast "spreading malware"
« Reply #9 on: September 19, 2017, 12:33:45 AM »
Here is a great article including the technical details (debugging, decompiling) of the infected cleaner.
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
The SHA-256 checksums are the same as the sample I uploaded to VirusTotal.
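The two things a defender can act on from this thread are the build numbers the Piriform statement names as modified (CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191, with 5.34 as the first clean desktop release, quoted in Reply #1) and the SHA-256 matching mentioned here. The script below is an added example, not code from the forum, Avast, Piriform or Talos: it classifies an inventory of installed versions and compares an installer's SHA-256 against a known-bad list. The page gives no hash values, so `KNOWN_BAD_SHA256` holds an obvious placeholder, and the inventory rows, hostnames and the 5.34 build suffix are constructed sample data.

```python
"""Inventory check for the CCleaner 5.33 incident (added example, not vendor code)."""
import hashlib
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Builds the Piriform statement names as illegally modified.
AFFECTED_BUILDS: Dict[str, Version] = {
    "CCleaner": (5, 33, 6162),
    "CCleaner Cloud": (1, 7, 3191),
}
# First clean desktop release named in the article (5.34); no build number given.
FIXED_DESKTOP: Version = (5, 34, 0)

# PLACEHOLDER: the page quotes no hash values. Populate from the vendor/Talos
# advisory before real use; the all-zero digest matches nothing.
KNOWN_BAD_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Accept '5.33.6162' or the forum's '5.33.6162-16281' build-suffix form."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, build = (int(g) for g in m.groups())
    return (major, minor, build)


def classify_install(product: str, version_text: str) -> str:
    """'backdoored' for the named builds, 'update' for older CCleaner desktop
    builds (pre-5.34, so not yet on the clean release), otherwise 'ok'."""
    v = parse_version(version_text)
    if AFFECTED_BUILDS.get(product) == v:
        return "backdoored"
    if product == "CCleaner" and v < FIXED_DESKTOP:
        return "update"
    return "ok"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an installer's bytes, the value compared in Reply #9."""
    return hashlib.sha256(data).hexdigest()


def classify_installer(data: bytes, known_bad=KNOWN_BAD_SHA256) -> Tuple[str, str]:
    """Return (digest, 'known-bad' | 'not-listed'). A signature alone is not a
    clean bill of health: the tainted build was validly signed."""
    digest = sha256_hex(data)
    return digest, ("known-bad" if digest in known_bad else "not-listed")


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """inventory rows: (hostname, product, version). Returns findings for
    every row that is not 'ok'."""
    findings: List[Tuple[str, str]] = []
    for host, product, ver in inventory:
        status = classify_install(product, ver)
        if status != "ok":
            findings.append((host, f"{product} {ver}: {status}"))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and the 5.34 build are made up.
    sample = [
        ("ws-01", "CCleaner", "5.33.6162-16281"),
        ("ws-02", "CCleaner", "5.34.6207"),
        ("ws-03", "CCleaner", "5.32.6129"),
        ("ws-04", "CCleaner Cloud", "1.07.3191"),
    ]
    for host, note in audit(sample):
        print(host, note)
    digest, verdict = classify_installer(b"constructed installer bytes")
    print(digest, verdict)
```

The version comparison is the part worth keeping: an exact match on the named builds is the backdoor indicator, while a plain "older than 5.34" test only says the machine has not yet picked up the clean release. The hash check is intentionally separate, because matching a digest says nothing about which version string the installer carries, and a valid Authenticode signature (which the tainted build had) should never substitute for either check.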

Offline Eddy

Re: Avast "spreading malware"
« Reply #10 on: September 19, 2017, 12:44:25 AM »
Thanks for the info.
Too bad I'm in the hospital and only have a 'primitive' tablet to work with or I would have been able to do some testing and such myself.

Offline sloshnmosh1

Re: Avast "spreading malware"
« Reply #11 on: September 19, 2017, 12:52:19 AM »
I find it humorous that the first "antivirus" program to flag the Trojan was a FREE and OPEN SOURCE program ClamAV!
It's even in the Linux repositories!

Offline sloshnmosh1

Re: Avast "spreading malware"
« Reply #12 on: September 19, 2017, 12:58:00 AM »
If that "primitive" tablet is Android (Linux) powered and rooted, you can install GNUroot apk on it and install all kinds of goodies!  Ollydbg, hex editors even ClamAV! 
 :)

Offline sloshnmosh1

Re: Avast "spreading malware"
« Reply #13 on: September 19, 2017, 01:06:52 AM »
I hope that your hospital stay is short and you feel better soon Eddy.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 72844
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Avast "spreading malware"
« Reply #14 on: September 19, 2017, 05:55:05 AM »