Slashdot Mirror


The CCleaner Malware Fiasco Targeted at Least 20 Specific Tech Firms (wired.com)

An anonymous reader shares a report: Hundreds of thousands of computers getting penetrated by a corrupted version of an ultra-common piece of security software was never going to end well. But now it's becoming clear exactly how bad the results of the recent CCleaner malware outbreak may be. Researchers now believe that the hackers behind it were bent not only on mass infections, but on targeted espionage that tried to gain access to the networks of at least 20 tech firms. Earlier this week, security firms Morphisec and Cisco revealed that CCleaner, a piece of security software distributed by Czech company Avast, had been hijacked by hackers and loaded with a backdoor that evaded the company's security checks. It wound up installed on more than 700,000 computers. On Wednesday, researchers at Cisco's Talos security division revealed that they've now analyzed the hackers' "command-and-control" server to which those malicious versions of CCleaner connected. On that server, they found evidence that the hackers had attempted to filter their collection of backdoored victim machines to find computers inside the networks of 20 tech firms, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself. In about half of those cases, says Talos research manager Craig Williams, the hackers successfully found a machine they'd compromised within the company's network, and used their backdoor to infect it with another piece of malware intended to serve as a deeper foothold, one that Cisco now believes was likely intended for industrial espionage.

63 of 151 comments

  1. Reflections On trusting trust by goombah99 · · Score: 5, Interesting

    If you never read this essay here it is
    https://www.ece.cmu.edu/~gange...

    Malware is slowly moving up the software chain to where this is becoming increasingly plausible.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Reflections On trusting trust by forkfail · · Score: 1

      Difficult to see that level of trust being achieved in this day of ad ridden smartphone apps that demand privileges far beyond what is needed (yet are so often granted because look! shiny virtual candy and puppies and magic swords and achievements and levels and you wouldn't want to consider those 2000 hours and $1200 you spent building your city a waste, would you?)

      --
      Check your premises.
    2. Re:Reflections On trusting trust by Anonymous Coward · · Score: 1

      Is Drumpf Russia's medal for meddling with HER votes?

    3. Re:Reflections On trusting trust by Maritz · · Score: 1

      Sorry, but most people who are aware of Trump's unlimited limitations would agree that this comment is a bucket of shit written by an idiot.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    4. Re:Reflections On trusting trust by Zero__Kelvin · · Score: 1

      It was always plausible. It seems you didn't read it or don't understand what you read.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  2. And people thought I was crazy... by TWX · · Score: 1, Interesting

    ...for outlining why I thought specific 32 bit platforms, like those used by corporate computing because they tend to maintain their existing image over time even if they have 64 bit machines rather than migrating to a 64 bit OS. Home computers have been sold with essentially only 64 bit OSes preinstalled for several years. Only ancient home computers and business computers are still 32 bit. Natural filter, reduces the amount of unwanted communications to the Command and Control servers.

    --
    Do not look into laser with remaining eye.
    1. Re:And people thought I was crazy... by TWX · · Score: 2, Insightful

      To restate for the mentally impaired, by targeting 32 bit computing platforms as this infection did, it naturally filters out nearly all home computers. That means that the majority of computers that get infected and phone-home are business computers, which is what they want to target.

      A business is a place where people go to make money. Except your mom, she goes to the local street corner, which is how she got saddled with you.

      --
      Do not look into laser with remaining eye.
    2. Re:And people thought I was crazy... by ArchieBunker · · Score: 1

      What the fuck are you talking about? 64 bit desktops have been sold for over a decade now. Why would a business be using a 32 bit OS unless they are still stuck on XP?

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    3. Re:And people thought I was crazy... by JohnFen · · Score: 1

      Why would a business be using a 32 bit OS unless they are still stuck on XP?

      An understandable question to which there isn't a single answer (except in the abstract: because it's cheaper and safer* for them to stay with what they have).

      *safer, in this context, means that when you upgrade (especially an upgrade on the scale of this) you are taking a risk that things are going to break. Not upgrading means you aren't taking that risk. Most businesses will not upgrade unless they have a very strong reason to.

    4. Re:And people thought I was crazy... by Anonymous Coward · · Score: 1

      I'll say,

      I've worked in Corporate IT depts for nearly 20 years, the day Windows 7 came out we went with 64bit, and Office followed shortly after, a few exceptions were people in finance who stayed on the 32bit version of Office 2010 because their add-ins and stuff "took a while" to get updated.

      Company I work for now which is a fortune 50 company - Windows 10/64bit/Office2016 has been the standard company wide image for some time now with UEFI/Secure boot, and bitlocker enforced on ALL machines (yes including desktops). Remember wannacry? Yeah that got in, and the security department shut it down very quickly with a SEP policy to block the ports it was using - client machines don't need SMB incoming open typically. And I occasionally see emails going past requesting a machine get reimaged because it's got noticed "phoning home".

      Must be pretty backwards company to still be in the 32bit world and the limitation that go with it.

    5. Re:And people thought I was crazy... by Maritz · · Score: 1

      I suspect your assertion that corporations mainly use old 32 bit computers is largely bollocks. It's 2017.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    6. Re:And people thought I was crazy... by david_thornley · · Score: 1

      We used 64-bit XP, because some of our software would overflow the available 32-bit memory space on particularly large inputs. I understand it had compatibility problems, but not for what we were doing.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    7. Re:And people thought I was crazy... by TWX · · Score: 1

      You misread it. It isn't that corporations mainly run 32-bit OS, it's that one won't find 32-bit OS anywhere else besides corporations.

      --
      Do not look into laser with remaining eye.
  3. Cleaner by Impy+the+Impiuos+Imp · · Score: 1

    Ben Kenobi: ...so you can see it was cleaning them...from a certain point of view.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  4. Why would those companies use CCleaner? by wardrich86 · · Score: 3, Insightful

    Seems weird that major tech firms would even bother with the likes of CCleaner... I'd assume they'd just re-image the PCs once they start getting fucky. In fact, I'm not even sure that most people use CCleaner.

    1. Re:Why would those companies use CCleaner? by TWX · · Score: 4, Insightful

      If it's simply a hop-off point, all you need is one engineer who operates outside of his IT department whose specific software needs mandate he has local admin rights on his computer. He runs the tool he uses at home instead of calling IT, and suddenly his box is now the initial penetration point to access the company network.

      --
      Do not look into laser with remaining eye.
    2. Re:Why would those companies use CCleaner? by The-Ixian · · Score: 1

      This is why you don't let users install software and implement application (executable) whitelisting.

      --
      My eyes reflect the stars and a smile lights up my face.
    3. Re:Why would those companies use CCleaner? by The-Ixian · · Score: 1

      It always seemed like snakeoil to me. It would "find" a bunch of stuff then tell you it fixed it. While I don't doubt that it did actually delete those registry entries, it never seemed to make a difference in performance on any of the computers I had tried it on.

      The only valuable feature I found with it was to remove entries for programs that were still listed in the "Programs and Features" list but for which the installer was missing/broken. But I have since learned how to just manually snip those out of the registry or just use Autoruns.

      --
      My eyes reflect the stars and a smile lights up my face.
    4. Re:Why would those companies use CCleaner? by The-Ixian · · Score: 1

      Application whitelisting would at least provide an audit trail in this case if not block the attempt to install altogether if the whitelist is controlled by another department.

      --
      My eyes reflect the stars and a smile lights up my face.
    5. Re:Why would those companies use CCleaner? by sinij · · Score: 1

      To me, CCleaner isn't a performance tool, it is a privacy tool.

    6. Re:Why would those companies use CCleaner? by JohnFen · · Score: 1

      I was wondering about this myself. I've never, ever seen the likes of CCleaner used in a professional setting. But, clearly, some do.

  5. Re:Problem between keyboard and chair... by TWX · · Score: 3, Insightful

    You clearly overestimate the intelligence of management, supervisors, and service technicians.

    We had a lead technician still trying to use Regclean a few years ago. On Windows 7 and Windows 8.1 computers. Same technician kept setting ethernet interfaces to 10Mbit Half Duplex because he somehow interpreted the time that 10/half was needed to push far beyond the 100m channel-length for a waaaaay overlength data drop as the Setting That We Should All Set.

    My point is that a lot of myth and misunderstanding goes into IT, and often we get good results despite the stupidity, rather than because of it. I have no doubt that some technicians swore by CCleaner and used it in the corporate setting, and some IT departments even routinely used it in lieu of reimaging infected computers.

    --
    Do not look into laser with remaining eye.
  6. Don't trust foreign sources for apps by Anonymous Coward · · Score: 1

    My rule of thumb is never trust a source with foreign ties. We learned this from Kaspersky that it's hard to distinguish if they are completely above board or not. Experts have said since Windows 7 that a registry cleaner is absolutely not recommended and could do more harm than good. Obviously they were not thinking in terms of malware. But don't install stuff on your PC that isn't needed.

    1. Re:Don't trust foreign sources for apps by Vlad_the_Inhaler · · Score: 4, Insightful

      All I have learned from Kaspersky is that some politician alleged Kaspersky may possibly be spying. No evidence, nothing. Nothing to indicate the politician knows anything above the Internet consisting of virtual tubes either. Everything else followed on from there.
      I actually trust Kaspersky to do the job more than I trust a lot of the competition, they have discovered some serious state-sponsored malware in the past. I don't know if Symantec still make virus scanners but when Google, Mozilla et al start initiating the process to "untrust" their certificates, I wouldn't run one of their scanners in a sandbox.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    2. Re:Don't trust foreign sources for apps by JohnFen · · Score: 1

      My rule of thumb is never trust a source with foreign ties.

      Which implies that you do trust domestic sources. It sounds like you should reevaluate how and what you decide to trust.

    3. Re:Don't trust foreign sources for apps by theCat · · Score: 1

      That Kaspersky is as good as they are might be a good reason for nation states and global corporations to want to give them a hard time. IT has clearly become a modern munition, everyone is playing with fire, and there is a perverse incentive to undermine tools that make that play harder or less fruitful.

      --
      =^..^= all your rodent are belong to us
    4. Re: Don't trust foreign sources for apps by Anonymous Coward · · Score: 1

      Actually, given how things stand right now, the question will become: do you still have an independent country, when a foreign power can compromise your entire infrastructure at will?

      Paranoia isn't paranoia if they really are out to get you.

    5. Re:Don't trust foreign sources for apps by Maritz · · Score: 1

      Go back to reddit and rant about foreigners, moron.

      Funny, I see a LOT more ranting about foreigners on slashdot.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    6. Re:Don't trust foreign sources for apps by Vlad_the_Inhaler · · Score: 1

      There have been a number of well documented cases where US 3-letter agencies have managed to have exploits inserted into software written by US companies. Some times the point of entry was the top of the company, some times it was done surreptitiously. It is not a reach to expect virus scanners from US companies to turn something of a blind eye to all this.
      The one which most affected me was RSA, they manufacture devices which display 6-digit numbers for use in passwords for VPN tunnels, the numbers change every minute. The "random seeds" used turned out not to be that random at all. RSA still exists but as a subdivision of - I think - EMC.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    7. Re:Don't trust foreign sources for apps by david_thornley · · Score: 1

      I don't trust software with foreign or domestic ties, and I feel a lot safer from Putin's snoops than Trump's. Russia has no legal authority over me, and no reason to be particularly concerned about me, unlike the US. I'll grant you that I don't know whether Kaspersky does anything for the Russian government, but I don't know whether the domestic products do anything for the US government. I know that no anti-virus that failed to detect the Sony rootkit is on my side.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    8. Re:Don't trust foreign sources for apps by dddux · · Score: 1

      I completely agree. That's why I don't trust Windows.

      --
      "It is no measure of health to be well adjusted to a profoundly sick society." - Jiddu Krishnamurti
  7. Re:Russia or China by TWX · · Score: 1

    Why China? The companies targeted already manufacture most of their products in China, so China already has access to their technology.

    --
    Do not look into laser with remaining eye.
  8. Watching the watchmen by QuadEddie · · Score: 1

    This is yet another example of the anti-virus being the virus. Seen it many times and that's why I don't use any anti virus products

    1. Re:Watching the watchmen by Maritz · · Score: 1

      This isn't anti-virus. So not really that great an example of anti-virus being anything.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  9. CCleaner as Security Software? by CrashNBrn · · Score: 1, Insightful

    CCleaner was always garbage that hosed the registry and "cleaned up" /TEMP. Completely useless and in many cases caused problems due to removal of placeholder registry items.

    1. Re:CCleaner as Security Software? by Maritz · · Score: 1

      Does mayo work? Asking for a friend.

      Mayo is made from eggs, vinegar, salt and lemon juice. Do not put this on your dick, you'll give yourself a yeast or bacterial infection which could even make its way into your bladder.

      That digressed quickly.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  10. "Security software"? by sremick · · Score: 1

    Anyone who thought that CCleaner was "security software" has no business using it, let alone submitting an article to Slashdot about it.

    It's a junk/orphan file cleanup utility. Not "security software". Not antivirus or anti-malware. Where do these idiots come from reporting this shit?

  11. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  12. Nope. by Gravis+Zero · · Score: 1

    If you simply wish to verify you are not getting a trojan embedded into your binary by a compiler then you simply need to cross-compile a compiler from multiple compilers on multiple architectures and then compare the binaries each of the cross-compiled compilers produce. An example of this would be building GCC for x86 using itself and using Clang/LLVM on ARM (targeting x86). If the resulting builds of the GCC for x86 compiler produce identical binaries then it's extremely unlikely that either compiler is compromised. With each additional compiler and architecture used, it becomes exponentially less likely that the compiler has been compromised.

    It would require a sophisticated AI to create a self-perpetuating trojan that would run on all modern platforms and embed itself in all modern compilers. However, if your "Hello World" program starts producing a 10MB binary, you may want to be concerned.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Nope. by SilentChasm · · Score: 2

      To do that, you would first need to make sure that the programs could be built with deterministic compilation. I don't believe that many projects have put in the time necessary to do that. That also ignores any optimizations or other features different compilers may use on the source code when compiling it.

      https://en.wikipedia.org/wiki/Deterministic_compilation

    2. Re:Nope. by Gravis+Zero · · Score: 1

      You misunderstand. The point is to compile a compiler using multiple platforms and compilers and use the resulting compilers to then build a program. If the compilers produce the same program binary for each built version of the compiled compiler then it's unlikely to be compromised. This works because you are using the same compiler to build the program binary, just that the compiler was built using different methods.

      --
      Anons need not reply. Questions end with a question mark.
    3. Re:Nope. by goombah99 · · Score: 1

      and what does your turtle rest on?

      --
      Some drink at the fountain of knowledge. Others just gargle.
    4. Re:Nope. by Zero__Kelvin · · Score: 1

      Yes, many of us know about David Wheeler and his idea. Like so many ideas it works in theory, but not in practice. Trying to get the same source code to compile under different versions of GCC is hard enough. Getting it to compile in such a reflexive manner is not something that happens in reality I'm afraid.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    5. Re:Nope. by Gravis+Zero · · Score: 1

      Yes, many of us know about David Wheeler and his idea.

      It's the first I've heard of him or his idea.

      Trying to get the same source code to compile under different versions of GCC is hard enough.

      I'm not talking about using multiple versions of the same compiler, I'm talking about compiling a single version of a compiler using cross-architecture compilation and completely different compilers. The result is getting similar binaries of the same compiler for the same platform and target. Despite being similar, the compilers will produce identical binaries if they are not infected. Writing a trojan that will embed itself regardless of platform, operating system or compiler is something only AI can hope to achieve.

      --
      Anons need not reply. Questions end with a question mark.
    6. Re:Nope. by Gravis+Zero · · Score: 1

      is it a turtle binary or the turtle source code? ;)

      --
      Anons need not reply. Questions end with a question mark.
    7. Re:Nope. by Zero__Kelvin · · Score: 1

      You don't have any understanding of how compilers work. I PROMISE you that the result will not be anything even close to identical binaries.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    8. Re:Nope. by Gravis+Zero · · Score: 1

      I'm going to cut you a break and attribute this to miscommunication.

      --
      Anons need not reply. Questions end with a question mark.
    9. Re:Nope. by david_thornley · · Score: 1

      It's multiple turtles. Ideally, one for each elephant's foot. The idea is that They aren't going to compromise them all.

      Suppose I take source code for the clang compiler, and compile it with clang, g++, Visual C++, and as many other compilers as I can get. Odds are that one of those compilers hasn't been compromised by Them, or at least not every one by the same Them. If everything's on the up and up, all of these compiled versions of clang should produce essentially the same code, so if two of them produce noticeably different code there's something going on.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    10. Re:Nope. by david_thornley · · Score: 1

      Why not? Let's take NSA C++. If it's written in reasonably portable C++, without undefined behavior or significant unspecified or implementation-defined behavior, it will compile to much different binaries on different platforms with different compilers. However, if all of these compilers are standard-conforming and the code is standard-compliant, the different binaries will do the same thing. Given identical input, they will produce output according to the abstract C++ execution model, and the implementation is required to do the same accesses to volatile variables and produce the same output.

      Where is the flaw in my reasoning?

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    11. Re:Nope. by Zero__Kelvin · · Score: 1

      Let's start with the fact that compilers are highly complex beasts, and are never written "in reasonably portable C++, without undefined behavior or significant unspecified or implementation-defined behavior", and then add to that the fact that there is not a 1 to 1 mapping of source code to assembly. Each compiler will take a different approach to implementing the source as assembly, and indeed different compiler options and targets will change the resultant binary, often in radical ways. The same compiler may not even produce the same binary when compiling the same source every time you run it in fact (see also multi-threading.)

      There is a reason why you often hear this old "all you have to do is ..." argument, but can't find an actual example of it ever having been done anywhere on the internet.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    12. Re:Nope. by david_thornley · · Score: 1

      I suspect you're overstating the amount of implementation-dependent behavior in compilers, although it's been twenty years since I looked into it. Otherwise, I don't see how gcc and clang would be that portable.

      However, the idea is not that two compilers spit out binaries that look alike. The idea is that, given a program, two compilers will spit out binaries that act alike. Two compiler binaries that act alike will put out mostly identical code given some source code.

      The mapping of source to assembly is certainly not 1-1, as different source code can map to the same assembly, and different compilers will put out different assembly code for the same source. That doesn't mean the compilation process isn't deterministic.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    13. Re:Nope. by Zero__Kelvin · · Score: 1

      "However, the idea is not that two compilers spit out binaries that look alike. The idea is that, given a program, two compilers will spit out binaries that act alike. Two compiler binaries that act alike will put out mostly identical code given some source code. "

      This is completely false, and in the final summation you are contradicting yourself trying to say that they won't look alike, but will act alike, which will mean they look alike.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    14. Re:Nope. by david_thornley · · Score: 1

      Given portable source code, that doesn't rely on undefined behavior or effects of unspecified or implementation-dependent behavior, any good C++ compiler will produce code that is identical to any other in accesses to volatile objects and calls to system I/O routines (that being what the Standard requires). It won't be the same object code, because there's lots of different ways to accomplish the same thing.

      Therefore, the output of good compilers, given the source code of a compiler, will be different binary programs that do the same thing.

      It is not only false to say that programs that produce the same output must be the same, it's stupid to say that.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    15. Re: Nope. by Zero__Kelvin · · Score: 1

      Right, but the whole theory, and it is a broken theory, is that you can prove they do the same thing by looking at the executable generated. It is easy to prove this is false. Build GCC with -S, -O2, and -O3 and compare the generated code. They will be radically different, and that is using the same source and compiler. For extra credit, prove that Thompson's malicious code doesn't only activate when built with -O2.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
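The thread above (Gravis Zero's proposal, SilentChasm's point about deterministic compilation, and the Zero__Kelvin/david_thornley exchange over whether differently built compilers "look alike" or only "act alike") is arguing around David A. Wheeler's Diverse Double-Compiling (DDC). The following is an added toy model of DDC written for this page, not code from any commenter or from Wheeler's own tooling. A "binary" is a tuple of pseudo-instructions, each compiler's distinct code generation is modelled by a style prefix, and the `INJECT`/`BACKDOOR` instructions are a constructed stand-in for a Thompson-style payload living only in a compromised compiler build whose source is clean. It shows both halves of the argument: the trusted compiler's build of the suspect source (stage 1) never matches the suspect bit for bit even when everything is honest, but stage 1 then rebuilding the same source (stage 2) must match an honest self-hosted build exactly, which is the check DDC actually performs and why it needs reproducible output.

```python
"""Toy model of Diverse Double-Compiling (DDC), David A. Wheeler's countermeasure
to the Thompson "trusting trust" attack.

Everything here is constructed for illustration: a "binary" is a tuple of
pseudo-instructions, and a compiler's distinct code generation is modelled by a
style prefix on each instruction. INJECT and BACKDOOR stand in for a payload in a
compromised compiler *build* whose source is clean.
"""

COMPILER_SRC = "compiler emits=A"   # source of the compiler under test (constructed)
TRUSTED_SRC = "compiler emits=T"    # source of an independent, separately bootstrapped compiler
LOGIN_SRC = "login check_password"  # an ordinary program the compiler is used on


def codegen(source: str, style: str) -> tuple:
    """Honest, deterministic translation of source text into pseudo-instructions.
    `style` models the different instruction selection of different compilers:
    the same source built by compiler A and by compiler T yields different output."""
    return tuple(f"{style}/{tok}" for tok in source.split())


def run_compiler(binary: tuple, source: str) -> tuple:
    """'Execute' a compiler binary on a source text and return the binary it emits.
    The compiler's semantics (which style it emits) come from its source; a build
    carrying INJECT additionally behaves like Thompson's self-reproducing trojan."""
    style = next(ins.split("=")[-1] for ins in binary if "emits=" in ins)
    out = codegen(source, style)
    if "INJECT" in binary:
        if source.startswith("compiler"):
            out += ("INJECT",)      # re-plant itself into any compiler it builds
        elif source.startswith("login"):
            out += ("BACKDOOR",)    # plant the backdoor into the login program
    return out


# The trusted compiler, built by its own independent route, and two candidate
# distributions of compiler A: one honest, one from a compromised build chain.
TRUSTED_BIN = codegen(TRUSTED_SRC, "T")
HONEST_SUSPECT = codegen(COMPILER_SRC, "A")
TROJANED_SUSPECT = HONEST_SUSPECT + ("INJECT",)


def ddc_check(suspect_bin: tuple, compiler_src: str, trusted_bin: tuple) -> dict:
    """Wheeler's DDC: compile the suspect's source with the trusted compiler (stage 1),
    then compile that same source again with the stage-1 result (stage 2).
    Stage 2 is what an honest self-hosted build must be, bit for bit."""
    stage1 = run_compiler(trusted_bin, compiler_src)   # T-style code, A semantics
    stage2 = run_compiler(stage1, compiler_src)        # A-style code, A semantics
    stage2_again = run_compiler(stage1, compiler_src)  # DDC needs deterministic output
    return {
        "deterministic": stage2 == stage2_again,
        "stage1_matches_suspect": stage1 == suspect_bin,  # naive comparison: differs even when honest
        "stage2_matches_suspect": stage2 == suspect_bin,  # the DDC verdict
        "stage1": stage1,
        "stage2": stage2,
    }


def login_is_backdoored(compiler_bin: tuple) -> bool:
    """Compile the login program with the given compiler and look for the payload."""
    return "BACKDOOR" in run_compiler(compiler_bin, LOGIN_SRC)


if __name__ == "__main__":
    for name, suspect in (("honest build", HONEST_SUSPECT), ("trojaned build", TROJANED_SUSPECT)):
        r = ddc_check(suspect, COMPILER_SRC, TRUSTED_BIN)
        print(f"{name}: stage1==suspect {r['stage1_matches_suspect']}, "
              f"stage2==suspect {r['stage2_matches_suspect']}, "
              f"login backdoored {login_is_backdoored(suspect)}")
```

Running it shows the honest build passing only at stage 2 (stage 1 differs because the trusted compiler generates different code), the trojaned build failing at stage 2 while its compiled login program carries the payload, and stage 2 being reproducible. In a real DDC run the last property is the hard part: unless stage 2 is bit-for-bit reproducible (same source, same options, no embedded timestamps or build paths), the comparison cannot distinguish a trojan from build noise, which is exactly the objection raised in the replies above.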
  13. Chinese state hackers again by Sarusa · · Score: 1

    The code and techniques look like APT17 aka DeputyDog - hacking into tech firms, military and governments for the Chinese government for at least 10 years.

    They realized CCleaner was a fantastic indirect vector into a whole lot of firms, and god knows what else they've got their fingers in that people haven't noticed since most firms are Equifax level incompetent with security.

  14. Does this mean Avast shouldn't be trusted? by RMFconsulting · · Score: 1

    I use Avast free for a lot of my clients. Since CCleaner is run by them, does that imply that I shouldn't trust Avast either?

    1. Re:Does this mean Avast shouldn't be trusted? by Maritz · · Score: 1

      Another guy likes to go onto porn sites, told him to use RedTube instead if he really needs to see boobs bouncing.

      That's fucking weird.

      In what sense is 'redtube' not a porn site?

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    2. Re:Does this mean Avast shouldn't be trusted? by david_thornley · · Score: 1

      Sketchy sites include all of those that use third-party ads, which is probably all commercial sites. My wife got infected from the New York Times site once. "Safe browsing" is a myth.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  15. Firewalls are to blame by aberglas · · Score: 1

    They give the illusion of security behind the wall.

    If everything was exposed naked to the internet, it would have to be designed properly to be secure in the first place.

    "Sneaking behind a corporate firewall" only works if the machines behind that wall are not properly protected from each other.

  16. Re:Russia or China by Maritz · · Score: 1

    Russia are engaged in low-intensity warfare with the US. They're funding and inciting extremes at both ends of the political spectrum. It's working a treat, and the President can't get his tongue far enough up Dear Leader Vlad's ass.

    I fully expect them to be behind both this and Equifax, and numerous others. And you can be sure that whoever challenges Trump in 3 years will have plenty of revelatory 'hacks' at inconvenient times, right on schedule.

    A fucking pathetic effort, to be honest.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  17. Re:None of them were Linux companies by Maritz · · Score: 1

    The CCleaner Malware Fiasco Targeted at Least 20 Specific Tech Firms

    None of them were Linux companies.

    All of them own or lease structures featuring at least one SINK. Join the dots people.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  18. Re:macOS by Maritz · · Score: 1

    There's no doubt you get a certain security through obscurity from using such an unfashionable OS. Following your logic though, you should probably be on BeOS or TempleOS.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  19. Re:Russia or China by fedos · · Score: 1

    It was Lithuania.