CCleaner hijacked by hackers to open a backdoor for remote code execution

CCleaner's binary was modified by hackers to insert a backdoor. (Source: Piriform)
Piriform, maker of the popular PC cleaning software CCleaner, said that a few versions of the program's 32-bit binary were hijacked by attackers who inserted a two-stage backdoor capable of remote code execution. An investigation is under way to determine exactly how the hijack happened; about 2.27 million users were affected.
CCleaner, the popular PC cleaning app from Piriform (now part of Avast), has been found to be infected with malware that can collect user data in the background without the user knowing. The malware is a backdoor that hid inside the app's own runtime and therefore went largely unnoticed until Piriform spotted something suspicious. On September 12, certain 32-bit versions of CCleaner (5.33.6162) and CCleaner Cloud (1.07.3191) were found to be transmitting data to an unknown IP address, prompting Piriform to start an investigation in collaboration with Avast Threat Labs. The investigation concluded that the program's binary had been illegally modified to transmit user information to the attackers.

In a technical blog post, Paul Yung, VP of Products at Piriform, detailed the unauthorized code modification, which affected nearly 2.27 million users of the product. The attackers inserted a two-stage backdoor that could execute code remotely and transmit user information back in encrypted form. Of particular importance is the fact that the tampered binary still carried a valid digital signature, which could imply that Piriform's code-signing process itself was compromised. The heavily obfuscated malicious code created a 16 KB DLL that executed in a separate thread and kept running in the background while the legitimate program was in use.

Piriform says that the suspicious code stored certain information in the registry key HKLM\Software\Piriform\Agomo, including the IP address of the Command and Control (CnC) server. It collected a range of information about the infected system, including its name, installed software and MAC addresses. All of this information was encrypted and transmitted to a remote address (216.126.x.x), which then sent back a second-stage payload containing further encrypted data. What the second-stage payload does has not yet been determined.
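The indicators the article gives (the two affected 32-bit builds, the Agomo registry key, and the 216.126.x.x CnC range) are enough for a basic host and log triage. The script below is an added example written for this page, not Piriform's or Avast's code. It assumes the registry is checked from a `.reg` export so it runs offline, and it only has the first two octets of the CnC address, so the network match is a coarse /16 and will need confirmation against a full indicator list; the sample export and firewall lines are constructed for the demonstration.

```python
"""Triage helpers for the CCleaner 5.33 / CCleaner Cloud 1.07 backdoor indicators.

Added example (not from the article or Piriform). Checks three things the article names:
  1. whether an installed build is one of the affected 32-bit builds,
  2. whether the HKLM\\Software\\Piriform\\Agomo key appears in a registry export,
  3. whether firewall/proxy log lines show a destination in 216.126.0.0/16
     (the article only gives "216.126.x.x", so this prefix match is deliberately coarse).
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# (product, version, architecture) triples the article identifies as trojanised.
AFFECTED_BUILDS = {
    ("CCleaner", "5.33.6162", "x86"),
    ("CCleaner Cloud", "1.07.3191", "x86"),
}

# Registry key the backdoor used, lower-cased for case-insensitive comparison.
AGOMO_KEY = r"hkey_local_machine\software\piriform\agomo"

# Coarse network indicator: the article names only the 216.126.x.x range.
C2_PREFIX = ipaddress.ip_network("216.126.0.0/16")

_REG_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$", re.MULTILINE)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_affected_build(product: str, version: str, arch: str) -> bool:
    """True only for the exact 32-bit builds the article reports as compromised."""
    return (product.strip(), version.strip(), arch.strip().lower()) in AFFECTED_BUILDS


def agomo_keys_in_reg_export(reg_text: str) -> List[str]:
    """Return every key path in a .reg export that is the Agomo key or lies beneath it."""
    hits = []
    for match in _REG_KEY_LINE.finditer(reg_text):
        key = match.group("key")
        key_l = key.lower()
        if key_l == AGOMO_KEY or key_l.startswith(AGOMO_KEY + "\\"):
            hits.append(key)
    return hits


def flag_c2_connections(log_lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, ip) for every IPv4 address in the logs that falls in C2_PREFIX."""
    flagged = []
    for number, line in enumerate(log_lines, start=1):
        for candidate in _IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. "999.1.1.1" matches the regex but is not an address
            if ip in C2_PREFIX:
                flagged.append((number, candidate))
    return flagged


# Constructed sample registry export (value name and data are placeholders, not real IoCs).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Piriform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo]
"example_value"="constructed placeholder"
"""

# Constructed firewall log lines: one benign (TEST-NET-2 address), one inside the
# article's prefix (216.126.0.10 is a constructed sample, not the real CnC host), one internal.
SAMPLE_FIREWALL_LOG = [
    "2017-09-13 08:12:01 ALLOW TCP 10.0.0.21 198.51.100.7 51022 443",
    "2017-09-13 08:12:09 ALLOW TCP 10.0.0.21 216.126.0.10 51031 443",
    "2017-09-13 08:13:44 ALLOW UDP 10.0.0.21 10.0.0.1 52000 53",
]

if __name__ == "__main__":
    print("affected build:", is_affected_build("CCleaner", "5.33.6162", "x86"))
    print("Agomo keys found:", agomo_keys_in_reg_export(SAMPLE_REG_EXPORT))
    print("suspicious connections:", flag_c2_connections(SAMPLE_FIREWALL_LOG))
```

On a real host the registry export would come from `reg export HKLM\Software\Piriform agomo.reg`, and the presence of the Agomo key on a machine that was running the affected build is the strongest of the three signals, since a /16 network match alone produces false positives.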

At this stage, Piriform is careful not to speculate about how its binaries were compromised and is apparently taking steps to prevent a recurrence. The company is urging all users to upgrade to version 5.34, which contains clean code. However, the fact that nearly 2.3 million users were affected remains a serious concern. The rate at which these users move to newer versions of the program varies widely, and the malware could still be present on machines even though the rogue server in question has been taken down. We will keep you posted as soon as Piriform publishes the results of its ongoing investigation.

With reports like these, it is becoming a challenge to predict what hackers will target next. In the interest of secure computing, we encourage all readers to regularly apply software and OS security updates, and follow safe computing practices. 

Vaidyanathan Subramaniam, 2017-09-19 (Update: 2017-09-19)