A clearer picture of the CCleaner backdoor incident

On Monday, Cisco and Piriform – the Avast-owned company behind the popular CCleaner utility – announced that certain versions of the software have been backdoored by hackers.


A blog post by security outfit Morphisec later revealed they were the ones who first notified Avast of the problem.

The timeline of the incident and Avast’s response to it is as follows:

  • August 15: Malicious CCleaner (v5.33.6162) made available for download from Piriform’s servers
  • August 24: Malicious CCleaner Cloud (v1.07.3191) made available for download from Piriform’s servers
  • September 11: Morphisec researchers flag the malware after analyzing the logs of some of its products installed at customer sites
  • September 12: Morphisec notifies Avast. Avast releases a clean version of CCleaner (5.33.6163), pushes it out as a lightweight automatic update to CCleaner users where possible, and starts notifying the remaining users to upgrade to the latest version of the product ASAP
  • September 13: Cisco discovers the malware (also via customer log analysis) and notifies Avast
  • September 15: Avast and law enforcement take down the backdoor’s C&C server. Around the same time, Cisco registered the malware’s secondary DGA domains. As Avast noted in an update today, “the threat was effectively eliminated as the attacker lost the ability to deliver the payload.”
  • September 18: Piriform makes the announcement about the compromise, Cisco Talos releases a blog post detailing the threat, later that day Morphisec releases a short write-up about it.

What do we know about the compromise?

In today’s update on the situation, Avast CEO Vince Steckler and CTO Ondrej Vlcek said that the hackers were likely already in the process of hacking into the Piriform servers as Avast was putting everything in place to complete the acquisition of Piriform (in July 2017).

“The compromise may have started on July 3rd. The server was provisioned earlier in 2017 and the SSL certificate for the respective https communication had a timestamp of July 3, 2017. We strongly suspect that Piriform was being targeted while they were operating as a standalone company, prior to the Avast acquisition,” they noted.

Michael Gorelik, VP R&D at Morphisec, explained that, after analyzing the malware, they found that the TLS (thread local storage) callback initialization was probably altered by a modification of a Visual Studio runtime file on the build system, so that the injected code runs from a TLS callback rather than from anything in CCleaner’s own sources.

“Such modifications can be done by someone with access to the machine that compiles the code. This makes the code injection very useful and stealthy. Moreover, this code is executed before any of the original CCleaner code is executed and the executable is automatically signed by the build machine,” he added.
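To make that placement concrete, here is an added example (not code from CCleaner, Piriform, Avast or Morphisec) showing why a hook registered in the C runtime’s TLS callback path runs before the program’s own entry point. On Windows it registers a genuine TLS callback through the `.CRT$XLB` section that the linker merges into the PE TLS directory; on other platforms the “runs before main” behaviour is approximated with a GCC/Clang constructor, which is an assumption made for portability and not the mechanism used in the incident. The function names and the recorded execution order are illustrative.

```c
/*
 * Added example: not code from CCleaner, Piriform, Avast or Morphisec.
 * A hook placed in the C runtime's TLS (thread local storage) callback
 * path runs before the program's own entry point. If a build machine's
 * runtime files are altered to register such a hook, every binary built
 * there carries it, it executes before any application code, and the
 * build's code signature covers it like any other byte of the file.
 *
 * Windows: a real TLS callback via the .CRT$XLB section.
 * Elsewhere: a GCC/Clang constructor approximates "before main"
 * (assumption for portability only; not how the CCleaner backdoor worked).
 */
#include <stdio.h>
#include <string.h>

static volatile int g_hook_ran = 0;   /* set by the early hook */
static char g_order[64] = "";         /* who ran, in order, e.g. "tls_callback>main" */

static void record(const char *who)
{
    size_t used = strlen(g_order);
    snprintf(g_order + used, sizeof(g_order) - used, "%s%s", used ? ">" : "", who);
}

#ifdef _WIN32
#include <windows.h>

/* Called by the loader/CRT with DLL_PROCESS_ATTACH before the entry point runs. */
static void NTAPI early_hook(PVOID module, DWORD reason, PVOID reserved)
{
    (void)module; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        g_hook_ran = 1;
        record("tls_callback");
    }
}

#ifdef _MSC_VER
/* Force the TLS directory and our callback pointer to survive linking. */
#ifdef _WIN64
#pragma comment(linker, "/INCLUDE:_tls_used")
#pragma comment(linker, "/INCLUDE:p_early_hook")
#else
#pragma comment(linker, "/INCLUDE:__tls_used")
#pragma comment(linker, "/INCLUDE:_p_early_hook")
#endif
#pragma const_seg(".CRT$XLB")
EXTERN_C const PIMAGE_TLS_CALLBACK p_early_hook = early_hook;
#pragma const_seg()
#else /* MinGW: same section, GCC syntax */
__attribute__((section(".CRT$XLB"), used)) PIMAGE_TLS_CALLBACK p_early_hook = early_hook;
#endif

#else /* not Windows: constructor approximation (assumption, see header comment) */
__attribute__((constructor)) static void early_hook(void)
{
    g_hook_ran = 1;
    record("constructor");
}
#endif

/* Accessors the "original program" (or a test) can query. */
int early_hook_ran(void)          { return g_hook_ran; }
const char *execution_order(void) { return g_order; }

int main(void)
{
    record("main"); /* the application's own first action */
    printf("hook ran before main: %s (order: %s)\n",
           early_hook_ran() ? "yes" : "no", execution_order());
    return early_hook_ran() ? 0 : 1;
}
```

The point of the order string is that `main` is never first: whatever the application does, the hook has already run. Signing happens after linking, so the signature attests to the modified runtime as faithfully as to the developer’s own code, which is why a trusted build machine is such a valuable target.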

But how did the attackers manage to compromise the Piriform server and the build machine? Avast is still not ready to share. As a temporary precaution, they migrated the Piriform build environment to the Avast infrastructure, and are in the process of moving the entire Piriform staff onto the Avast internal IT system.

Advice for affected users

Steckler and Vlcek reiterated that 2.27 million users were affected by the compromise, and that since the compromise was discovered, that number has come down to 730,000 (those still running the affected v5.33.6162).

“These users should upgrade even though they are not at risk as the malware has been disabled on the server side,” they advised.

Previously, Cisco had advised affected users to restore their systems to a state before August 15, 2017, or to reinstall them, but Steckler and Vlcek disagree.

“About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary,” they explained.

“Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary. Customers are advised to update to the latest version of CCleaner, which will remove the backdoor code from their systems. As of now, CCleaner 5.33 users are receiving a notification advising them to perform the update.”