Windows cleanup utility CCleaner infected with Malware

A malware package that could allow affected computers to be remotely accessed or controlled, signed with what appears to be a legitimate signing certificate, was distributed through the update server for the Windows cleanup utility CCleaner. It was apparently inserted by an attacker who compromised the software “supply chain” of Piriform, the developer of CCleaner, which was acquired by Avast in July. There have been more than 2 billion downloads of CCleaner worldwide, so the potential impact of the malware is huge.

Software updates are increasingly being targeted by distributors of malware, because they provide a virtually unchecked path to infect millions or even billions of computers. “Watering hole” attacks, such as the ones used against Facebook, Apple, and Twitter four years ago, are often used to compromise the computers used by software developers. When successful, they can give malware authors access to the developers’ compilation tools and signing certificates, as well as to their workflow for software updates.

A bug in the malware code prevented it from using the IP address derived by the domain-generation algorithm: the code never accessed the address it computed, and the feature may simply have been incomplete, intended to be finished in a later update. The algorithm would generate domains based on the date, look up their DNS records to obtain two IP addresses, and then perform a calculation on the values of those two addresses to derive a third IP address. This would have made discovery of the actual second C&C server through DNS request monitoring difficult at best.


CCleaner malware infected at least 20 computers from a carefully selected list of high-profile technology companies with a mysterious payload.

Of 700,000 infected PCs, 20 belonged to highly targeted companies, according to an analysis published Wednesday by Cisco Systems’ Talos Group.

The CCleaner backdoor was active for 31 days, so the total number of infected computers is ‘likely at least in the order of hundreds’, researchers from Avast, the antivirus company that acquired CCleaner in July, said in their own analysis published Thursday.

From September 12 to September 16, the highly advanced second stage was reserved for computers inside 20 companies or Web properties, including Cisco, Microsoft, Gmail, VMware, Akamai, Sony, and Samsung. The 20 computers that installed the payload were from eight of those targeted organizations, Avast said, without identifying which ones. Because that window covers only a small fraction of the time the backdoor was active, both Avast and Talos believe the true number of targets and victims was much bigger.

Linux & Windows Geek, Blogger & System Administrator