Hackers Used CCleaner Security App As Malware Host For Nearly A Month

Users of the popular CCleaner program by Piriform are being advised to update the application after researchers at Cisco's Talos division discovered that hackers had hidden malware inside it. The contaminated utility acted as a staging point for additional malware: through its backdoor, an attacker could run code delivered from a remote IP address.

The threat was discovered in CCleaner 5.33 released on August 15, and CCleaner Cloud 1.07 released on August 24. According to Piriform, which is owned by security outfit Avast, the affected version of CCleaner may have been used by up to 3 percent of its userbase. That works out to around 2.27 million people, by the company's own accounting.


"The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server," Piriform stated in a blog post.

As implemented, the malware sent encrypted information about infected PCs to the hackers' server. The hackers also used what's known as a domain generation algorithm (DGA), which can produce new domains for sending and receiving stolen data should the original server go down. Building in that fallback points to a relatively sophisticated operation.

DGA (image)
Source: Cisco Talos

"In analyzing DNS-based telemetry data related to this attack, Talos identified a significant number of systems making DNS requests attempting to resolve the domains associated with the aforementioned DGA domains. As these domains have never been registered, it is reasonable to conclude that the only conditions in which systems would be attempting to resolve the IP addresses associated with them is if they had been impacted by this malware," Talos stated.
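The detection Talos describes, lookups for DGA domains that were never registered, can be reproduced in a small way against a resolver's query log. The script below is an added example, not Piriform's or Talos's code: it parses constructed DNS query-log lines, flags each client that resolved a domain on a watchlist, and counts NXDOMAIN answers as corroboration, since nobody should be resolving unregistered names. The watchlist entries are placeholders standing in for the real DGA output, which the article does not reproduce, and the log format is an assumption.

```python
"""Flag hosts whose DNS queries hit a watchlist of DGA-derived domains.

Added illustration of the DNS-telemetry approach quoted above; not code from
Piriform or Cisco Talos. Watchlist domains and log lines are constructed.
"""
import re
from collections import defaultdict

# Constructed placeholder domains standing in for the DGA output Talos derived;
# the real domains are not reproduced here.
DGA_WATCHLIST = frozenset({
    "dga-placeholder-a.example",
    "dga-placeholder-b.example",
    "dga-placeholder-c.example",
})

# Constructed resolver query-log lines (assumed format):
# timestamp, client IP, query type, queried name, response code.
SAMPLE_DNS_LOG = """\
2017-09-15T10:01:02Z 10.0.0.21 A dga-placeholder-a.example NXDOMAIN
2017-09-15T10:01:03Z 10.0.0.21 A dga-placeholder-b.example NXDOMAIN
2017-09-15T10:01:05Z 10.0.0.34 A www.piriform.com NOERROR
2017-09-15T10:02:11Z 10.0.0.57 A dga-placeholder-c.example NXDOMAIN
2017-09-15T10:02:12Z 10.0.0.57 A dga-placeholder-a.example NXDOMAIN
2017-09-15T10:02:13Z 10.0.0.57 A dga-placeholder-a.example NXDOMAIN
2017-09-15T10:03:40Z 10.0.0.34 AAAA mail.example.org NOERROR
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<qtype>[A-Z]+)\s+"
    r"(?P<qname>[A-Za-z0-9.-]+?)\.?\s+(?P<rcode>[A-Z]+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].lower()  # DNS names are case-insensitive
    return rec


def find_suspect_hosts(log_text, watchlist=DGA_WATCHLIST):
    """Map each client that queried a watchlisted domain to a summary of its hits.

    Returns {client: {"domains": [...], "queries": n, "nxdomain": n}}. The
    NXDOMAIN count corroborates a match: the DGA domains were never registered,
    so a legitimate lookup that resolves them is not expected.
    """
    hits = defaultdict(lambda: {"domains": set(), "queries": 0, "nxdomain": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] not in watchlist:
            continue
        entry = hits[rec["client"]]
        entry["domains"].add(rec["qname"])
        entry["queries"] += 1
        if rec["rcode"] == "NXDOMAIN":
            entry["nxdomain"] += 1
    return {
        client: {
            "domains": sorted(e["domains"]),
            "queries": e["queries"],
            "nxdomain": e["nxdomain"],
        }
        for client, e in hits.items()
    }


if __name__ == "__main__":
    for client, info in sorted(find_suspect_hosts(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {info['queries']} queries ({info['nxdomain']} NXDOMAIN) "
              f"for {', '.join(info['domains'])}")
```

Run against a real resolver log, the output is a list of hosts to pull for examination; in the sample, 10.0.0.21 and 10.0.0.57 are flagged while 10.0.0.34, which only resolved ordinary names, is not.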

CCleaner users are advised to download the most recent version, CCleaner 5.34, from Piriform's website. In the meantime, Piriform is working with third-party download sites to remove the tainted version and replace it with the latest build.