
Ccleaner cloud malware

Users who downloaded and installed CCleaner or CCleaner Cloud between Aug.
12 should scan their computers for malware and update their apps.

CCleaner was created by a company called Piriform that was acquired by antivirus maker Avast in July. CCleaner is downloaded at a rate of over 20 million times per month. The 32-bit versions of CCleaner v and CCleaner Cloud v were affected.

The compromise was detected by researchers from Cisco Systems' Talos group after one of the company's products triggered a malware detection on a CCleaner installer. A subsequent investigation revealed that it was not a false positive and that the executable program was indeed carrying a sophisticated backdoor program.

What's worse is that this is not a case where hackers took the CCleaner installer, modified it, and then distributed a malicious version through alternative means. Instead, the backdoored program was distributed from the developer's official servers, as well as third-party download sites. The rogue installer was digitally signed with the developer's legitimate certificate, which means the malicious code was added to it before it was signed. There is also a compilation artifact inside the executable suggesting it was compromised before compilation.

"Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization," the Cisco Talos researchers said in a blog post. "It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code."

The company issued a press release and a more detailed blog post in response to the incident. According to the company, up to 3 percent of CCleaner users might have been impacted by this incident.

"At this stage, we don't want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it," said Paul Yung, Piriform's vice-president of products, in a blog post.

Yung confirmed that a "two-stage backdoor" was added to the application's initialization code that's "normally inserted during compilation by the compiler." The backdoor program is capable of downloading and executing additional malicious code and, according to the analysis by Cisco Talos, it uses a domain generation algorithm (DGA) to find its command-and-control servers.

"In analyzing DNS-based telemetry data related to this attack, Talos identified a significant number of systems making DNS requests attempting to resolve the domains associated with the aforementioned DGA domains," the Cisco Talos researchers said. With knowledge of the algorithm, attackers can predict which domain name the malware will try to contact on a specific date and can register it in advance so they can send commands.
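Talos's use of DNS telemetry to find systems resolving DGA domains suggests a simple defender-side check. The following is an added example, not code from the article or from Talos: it scans constructed DNS query records and flags clients with repeated failed lookups of generated-looking names. The log format, the "long, digit-heavy or vowel-poor label" heuristic and its thresholds are assumptions, and the domains are made up, not the real CCleaner DGA output.

```python
import re
from collections import defaultdict

# Constructed DNS telemetry (not from the article): "client queried_name rcode".
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 typo.exmaple.com NXDOMAIN
10.0.0.7 k7f2q9zx1c4b.com NXDOMAIN
10.0.0.7 a39c0d8e2f1b.com NXDOMAIN
10.0.0.7 qzxkvtrwmnplb.com NXDOMAIN
10.0.0.7 login.microsoftonline.com NOERROR
10.0.0.9 q4z7vkx2mn9p.net NXDOMAIN
10.0.0.9 news.example.org NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")


def looks_generated(fqdn: str) -> bool:
    """Heuristic for an algorithmically generated name: a long second-level
    label that is digit-heavy or almost vowel-free (thresholds are assumptions)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    if len(sld) < 10:
        return False
    digit_ratio = sum(ch.isdigit() for ch in sld) / len(sld)
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    return digit_ratio >= 0.3 or vowel_ratio <= 0.15


def flag_dga_clients(log_text: str, min_hits: int = 3) -> dict:
    """Return {client: [names]} for clients with at least min_hits NXDOMAIN
    answers to generated-looking names. A DGA cycling through unregistered
    candidates produces this burst of failed lookups from one host; a single
    typo (exmaple.com) or a resolvable legitimate name does not count."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated records
        client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            hits[client].append(qname)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in flag_dga_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} suspicious failed lookups, e.g. {names[0]}")
```

On real resolver logs the thresholds need tuning, and a flagged host is a lead for triage (checking the installed CCleaner build and hash against the vendor's advisory), not a verdict.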