The CCleaner infection
A smart way to infect millions of users
CCleaner
What is this?
Developed by Piriform, CCleaner, aka Crap Cleaner, is a utility program to clean potentially unwanted files. The application is popularly known for cleaning the temporary internet files generated by browsers such as Internet Explorer, Microsoft Edge and Chrome. It also claims to clean malicious programs.
For a period of time, the legitimate, signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner.
In a few words…
◎ Infected CCleaner 5.33 installer
◎ The certification company SIGNED the infected version
◎ The malware was simply installed with the program
◎ Certificate: the version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018.
◎ Process compromised: an external (internal?) attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization.
Certificate for malware?
The infection lifecycle
A brief introduction on the pattern of the infection
The malware structure
Malware installation and operation
• The binary calls the code CC_InfectionBase
• The binary creates an executable heap using HeapCreate
• The PE loader is then called and begins its operation:
  • Erases the memory regions that previously contained the PE loader and the DLL file
  • Frees the previously allocated memory
  • Destroys the heap
  • Continues on with normal CCleaner operations.
CBkrdr.dll
• The DLL file (CBkdr.dll) was modified in an attempt to evade detection and had the IMAGE_DOS_HEADER zeroed out
• Calls CCBkdr_GetShellcodeFromC2AndCall. Sets up a ROP chain used to deallocate the memory and exit the thread.
Command and control
• Sends information to the C&C servers
• Payload structure: HTTPS POST request to 216[.]126[.]225[.]148
• Transmits commands to the infected PC
Malware bug?
Talos identified a software bug present in the malicious code related to the C&C function. The sample analyzed reads a DGA-computed IP address located in the following registry location, but currently does nothing with it:
HKLM\SOFTWARE\Piriform\Agomo:NID
It is unknown what the purpose of this IP address is at this time, as the malware does not appear to make use of it during subsequent operation.
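As an added example (not code from the slides or from Talos), the following Python check targets the header-stomping trick described above: a PE image whose IMAGE_DOS_HEADER has been zeroed still carries the "PE\0\0" signature further in, so a scanner that does not rely on the MZ magic can still recognise and flag it. The sample images are constructed inline, and the fallback signature scan is a heuristic that can match arbitrary data.

```python
"""Flag PE images whose IMAGE_DOS_HEADER has been zeroed out.

Added example, not from the slides or Talos. A normal PE starts with 'MZ' and
e_lfanew (offset 0x3C) points at 'PE\\0\\0'. A custom loader, like the one in
the CCleaner backdoor, does not need the DOS header, so wiping it defeats
tools that key only on the MZ magic. Sample images below are constructed.
"""
import struct

DOS_HEADER_SIZE = 0x40   # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFFSET = 0x3C   # offset of e_lfanew inside the DOS header
PE_SIGNATURE = b"PE\0\0"


def inspect_dos_header(data: bytes) -> dict:
    """Return what the DOS header of an in-memory PE image looks like."""
    findings = {"has_mz": False, "dos_header_zeroed": False,
                "pe_signature_found": False, "pe_offset": None}
    if len(data) < DOS_HEADER_SIZE:
        findings["too_short"] = True
        return findings
    header = data[:DOS_HEADER_SIZE]
    findings["has_mz"] = header[:2] == b"MZ"
    findings["dos_header_zeroed"] = header == bytes(DOS_HEADER_SIZE)
    e_lfanew = struct.unpack_from("<I", header, E_LFANEW_OFFSET)[0]
    if findings["has_mz"] and 0 < e_lfanew <= len(data) - len(PE_SIGNATURE):
        # Intact header: follow e_lfanew like a normal loader would.
        findings["pe_offset"] = e_lfanew
        findings["pe_signature_found"] = (
            data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE)
    else:
        # e_lfanew is unusable (zeroed or out of range): scan for the PE
        # signature instead. Heuristic; may match unrelated bytes.
        idx = data.find(PE_SIGNATURE)
        if idx != -1:
            findings["pe_offset"] = idx
            findings["pe_signature_found"] = True
    return findings


def is_suspicious(findings: dict) -> bool:
    """A PE signature with a missing or zeroed DOS header is the anomaly."""
    return findings.get("pe_signature_found", False) and (
        findings["dos_header_zeroed"] or not findings["has_mz"])


def scan_file(path: str) -> dict:
    """Convenience wrapper for an on-disk or dumped image."""
    with open(path, "rb") as fh:
        return inspect_dos_header(fh.read())


def build_sample(zeroed: bool) -> bytes:
    """Constructed test image (not a runnable executable): 64-byte DOS header,
    zero padding where the DOS stub would be, 'PE\\0\\0' at 0x80, then a
    dummy IMAGE_FILE_HEADER. With zeroed=True the DOS header is wiped."""
    pe_offset = 0x80
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, pe_offset)
    stub = bytes(pe_offset - DOS_HEADER_SIZE)
    # Machine=i386, 1 section, no timestamp/symbols, optional header 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    image = bytes(dos) + stub + PE_SIGNATURE + coff
    if zeroed:
        image = bytes(DOS_HEADER_SIZE) + image[DOS_HEADER_SIZE:]
    return image


if __name__ == "__main__":
    for label, zeroed in (("intact", False), ("stomped", True)):
        f = inspect_dos_header(build_sample(zeroed))
        print(label, f, "SUSPICIOUS" if is_suspicious(f) else "ok")
```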
Malware operation flow
This flowchart explains the working flow of the malware. It is also important to point out that the C2 (the C&C operation) generates random DNS names to avoid DNS blocking.
ALMOST ONE MONTH OF INFECTION
Piriform has officially confirmed the security incident with CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191. It started on August 15 and was stopped on September 12. The company also updated the app to fix the flaw, and the affected version has been pulled from the server.
The attack results
WHAT HAS BEEN EXPLOITED?
Sensitive information such as the MAC addresses of the network adapters, the Windows software and installer software information was leaked and sent to the attackers. The affected PCs could have been remotely controlled by the hacker, who could also have installed additional binaries. The company is also suggesting that affected users update the app to the latest version to avoid any risk.
The impact WORLDWIDE
The impact of this attack could be severe given the extremely high number of systems possibly affected. CCleaner claims to have over 2 billion downloads worldwide as of November 2016 and is reportedly adding new users at a rate of 5 million a week.
If even a small fraction of those systems were compromised, an attacker could use them for any number of malicious purposes.
2,000,000,000
CCleaner downloads worldwide as of November 2016
Potentially, the impact of this kind of infection is ENORMOUS!
“Supply chain attacks are a very effective way to distribute malicious software. This is because of the trust relationship between a manufacturer or supplier and a customer.” - Talos
A philosophical problem, more than just an attack
TRUST EXPLOIT
This is a prime example of the extent that attackers are willing to go to in their attempt to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files and web servers used to distribute updates.
PATCHING
Usually, in the minds of security-aware people, patching is one of the main responses to attacks and vulnerabilities, but these software supply-chain attacks break all the models. They pass antivirus and basic security checks and, in those cases, patching is the attack vector.
Thanks!
If you have any questions please contact me at:
@Leonardo Antichi
antichi.leonardo@gmail.com
😉
References:
◎ http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
◎ https://www.windowslatest.com/2017/09/18/ccleaner-windows-distributing-malware-pcs/
◎ https://www.which.co.uk/news/2017/09/ccleaner-malware-hack-what-it-is-and-what-you-need-to-do/
◎ https://www.wired.com/story/ccleaner-malware-supply-chain-software-security/