Ccleaner infection more virulent than thought

[sman]

https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/

Quote

Talos Group suggested to restore the computer system using a backup that was created prior to the infection. The new evidence reinforces this, and the researchers suggest strongly that it may not be enough to simply update CCleaner to get rid of the malware.

 

[Aura]

Pretty sure that advice only applies to computers which belongs to the domains targetted by the second payload, and not all of them.

[sman]

Don't know whether there can be backdoor access to those domains?..as any public server of the domains could be a source for backdoor..

[sman]

Oh. Reuters gives a more detailed picture in https://www.reuters.com/article/us-security-avast/hackers-used-avasts-ccleaner-breach-to-attack-technology-companies-idUSKCN1BW04K

Quote

But researchers at Cisco, one of the companies that had warned Avast of the attack, said Wednesday that a control server seized by U.S. law enforcement showed that the hackers had installed additional malicious software on a selected group of at least 20 machines.

Quote

More troubling, they could have been looking to get malicious code inside those companies’ products, which are used by high-value targets in government and business around the world.

Quote

Vlcek said consumer CCleaner users still did not need to restore their computers from backups.

 

[sman]

Hmm.. Avast latest update says the 2nd stage infection could be in the order of hundreds and consumers to upgrade to v 5.35.., as per https://blog.avast.com/progress-on-ccleaner-investigation

Quote

First of all, analysis of the data from the CnC server has proven that this was an APT (Advanced Persistent Threat) programmed to deliver the 2^nd stage payload to select users. Specifically, the server logs indicated 20 machines in a total of 8 organizations to which the 2^nd stage payload was sent, but given that the logs were only collected for little over three days, the actual number of computers that received the 2^nd stage payload was likely at least in the order of hundreds. This is a change from our previous statement, in which we said that to the best of our knowledge, the 2^nd stage payload never delivered.

Quote

Finally, it is extremely important to us to resolve the issue on customer machines. For consumers, we stand by the recommendation to upgrade CCleaner to the latest version (now 5.35, after we have revoked the signing certificate used to sign the impacted version 5.33) and use a quality antivirus product, such as Avast Antivirus. For corporate users, the decision may be different and will likely depend on corporate IT policies. At this stage, we cannot state that the corporate machines could not be compromised, even though the attack was highly targeted.

 

[sman]

In fact, there r 2 school of thoughts on the action required while Cisco recommends that impacted users should restore their systems from backups or reinstall the operating system completely. , Avast calls for upgrade to v.5.35..

source - http://www.securityweek.com/attack-software-firm-was-sophisticated-highly-targeted

Quote

Thorough cleanup necessary

Cisco points out that, while updating to the latest versions of CCleaner would ensure that the backdoor code in the installer is removed, further action might be required to remove additional malware that could be present on the system. Thus, they reinforce their previous recommendation that impacted users should restore their systems from backups or reinstall the operating system completely.

Avast, on the other hand, recommends updating to CCleaner version 5.35, as the digital certificate used to sign the infected version 5.33 has been revoked. The company also recommends that consumers use an anti-malware application.

“For corporate users, the decision may be different and will likely depend on corporate IT policies. At this stage, we cannot state that the corporate machines could not be compromised, even though the attack was highly targeted,” the security firm notes.

 

[exile360]

On 9/21/2017 at 9:28 AM, sman said:

In fact, there r 2 school of thoughts on the action required while Cisco recommends that impacted users should restore their systems from backups or reinstall the operating system completely. , Avast calls for upgrade to v.5.35..

source - http://www.securityweek.com/attack-software-firm-was-sophisticated-highly-targeted

 

Right, it's a backdoor so theoretically the bad guys could have done anything to the system while the infection was active, including installing other threats, breaking/disabling security features, opening other backdoors into the system and basically anything else they might want to do.