A Vast Number of Machines at Risk

Update 9/18: CCleaner Cloud version 1.

Update 9/19: This issue was discovered and reported by both Morphisec and Cisco in separate in-field cases and reported separately to Avast.

Supply chain attacks are a very effective way to distribute malicious software into target organizations. This is because with supply chain attacks, the attackers rely on the trust relationship between a manufacturer or supplier and a customer. This trust relationship is then abused to attack organizations and individuals, and may be performed for a number of different reasons. The Nyetya worm that was released into the wild earlier in 2. Frequently, as with Nyetya, the initial infection vector can remain elusive for quite some time. Luckily, with tools like AMP the additional visibility can usually help direct attention to the initial vector.

Talos recently observed a case where the download servers used by a software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.
Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size, we decided to move quickly. On September 13, 2. Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities. The following sections discuss the specific details of this attack.

Technical Details

CCleaner is an application that allows users to perform routine maintenance on their systems. It includes functionality such as cleaning temporary files, analyzing the system to determine ways in which performance can be optimized, and providing a more streamlined way to manage installed applications.

Figure 1: Screenshot of CCleaner 5.

On September 13, 2. Cisco Talos identified a specific executable which was triggering our advanced malware protection systems. Upon closer inspection, the executable in question was the installer for CCleaner v. … CCleaner download servers. Talos began initial analysis to determine what was causing this technology to flag CCleaner. We identified that even though the downloaded installation executable was signed using a valid digital signature issued to Piriform, CCleaner was not the only application that came with the download. During the installation of CCleaner 5. … the CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner's download server as recently as September 1. In reviewing the Version History page on the CCleaner download site, it appears that the affected version 5. … August 15, 201. On September 12, 2.
The version containing the malicious payload (5.) was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 1. Piriform was the company that Avast recently acquired and was the original company that developed the CCleaner software application.

Figure 2: Digital Signature of CCleaner 5.

A second sample associated with this threat was discovered. This second sample was also signed using a valid digital certificate; however, the signing timestamp was approximately 1. The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Ideally this certificate should be revoked and untrusted moving forward. When generating a new certificate, care must be taken to ensure attackers have no foothold within the environment with which to compromise the new certificate. Only the incident response process can provide details regarding the scope of this issue and how best to address it.

Interestingly, the following compilation artifact was found within the CCleaner binary that Talos analyzed: S:\workspace\ccleaner\branches\v…\CCleaner\Release\CCleaner…

Given the presence of this compilation artifact, as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code, or could have had an account or similar compromised which allowed an attacker to include the code.
It is also important to note that while previous versions of the CCleaner installer are currently still available on the download server, the version containing the malicious payloads has been removed and is no longer available.

Malware Installation and Operation

Within the 32-bit CCleaner v. … (CCleaner v5.3. …) … CCInfection.Base0x. C. This was done to redirect code execution flow within the CCleaner binary to the malicious code prior to continuing with the normal CCleaner operations. The code that is called is responsible for decrypting data which contains the two stages of the malicious payload: a Position Independent Code (PIC) PE loader, as well as a DLL file that effectively functions as the malware payload. The malware author tried to reduce detection of the malicious DLL by ensuring the IMAGE_DOS_HEADER was zeroed out, suggesting this attacker was trying to stay under the radar of normal detection techniques. The binary then creates an executable heap using HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0). Space is then allocated on this new heap, and the contents of the decrypted data containing the malware are copied into it. As the data is copied to the heap, the source data is erased. The PE loader is then called and begins its operation. Once the infection process has been initiated, the binary erases the memory regions that previously contained the PE loader and the DLL file, frees the previously allocated memory, destroys the heap and continues with normal CCleaner operations. The PE loader utilizes position independent coding practices in order to locate the DLL file within memory. It then maps the DLL into executable memory, calls the DllEntryPoint to begin execution of the DLL being loaded, and the CCleaner binary continues as normal.
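Zeroing the IMAGE_DOS_HEADER defeats scanners that key on the "MZ" magic, but the IMAGE_NT_HEADERS that the loader still needs remain intact. The following Python is an added example (not code from Talos, Piriform or Avast) of the inverse heuristic a memory or file scanner can use: find every "PE\0\0" signature whose IMAGE_FILE_HEADER looks genuine and report the ones that no DOS header's e_lfanew points at. The plausibility thresholds (machine type, section count, optional-header size) and the sample buffers are assumptions constructed for the example; the Windows structure layouts and constants are the documented ones.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE_SIGNATURE = b"PE\0\0"
FILE_HEADER_FMT = "<HHIIIHH"  # Machine, NumberOfSections, TimeDateStamp,
                              # PointerToSymbolTable, NumberOfSymbols,
                              # SizeOfOptionalHeader, Characteristics


def plausible_file_header(buf, off):
    """True if the IMAGE_FILE_HEADER following the PE signature at `off` looks real.
    The thresholds are an assumption of this example, chosen to reject random data."""
    if off + 4 + struct.calcsize(FILE_HEADER_FMT) > len(buf):
        return False
    machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        FILE_HEADER_FMT, buf, off + 4)
    if machine not in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
        return False
    if not 1 <= nsections <= 96:
        return False
    # PE32 optional header is 0xE0 bytes, PE32+ is 0xF0
    return opt_size in (0xE0, 0xF0)


def has_dos_header(buf, nt_off, max_lfanew=0x400):
    """Walk back from the NT headers looking for an 'MZ' whose e_lfanew
    (DWORD at offset 0x3C of IMAGE_DOS_HEADER) points exactly at nt_off."""
    start = max(0, nt_off - max_lfanew)
    pos = buf.rfind(b"MZ", start, nt_off)
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            if pos + e_lfanew == nt_off:
                return True
        pos = buf.rfind(b"MZ", start, pos)
    return False


def find_headerless_pe(buf):
    """Offsets of plausible NT headers that have no DOS header pointing at them,
    i.e. images whose IMAGE_DOS_HEADER was zeroed or stripped."""
    hits = []
    off = buf.find(PE_SIGNATURE)
    while off != -1:
        if plausible_file_header(buf, off) and not has_dos_header(buf, off):
            hits.append(off)
        off = buf.find(PE_SIGNATURE, off + 1)
    return hits


def build_minimal_pe(e_lfanew=0x80):
    """Constructed sample: a DOS header, PE signature, a plausible IMAGE_FILE_HEADER
    for a 32-bit image, and a zero-filled PE32 optional header (not parsed here)."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack(FILE_HEADER_FMT, IMAGE_FILE_MACHINE_I386, 3, 0, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + PE_SIGNATURE + file_hdr + bytes(0xE0)


if __name__ == "__main__":
    intact = build_minimal_pe()
    stripped = bytes(0x80) + intact[0x80:]  # DOS header zeroed, NT headers intact
    region = b"\x00" * 16 + intact + b"\xAA" * 32 + stripped
    for hit in find_headerless_pe(region):
        print(f"headerless PE image at region offset 0x{hit:x}")
```

The scan is positive only when both conditions hold, so an ordinary image (MZ header present, e_lfanew consistent) is not reported, while a payload that has had its first 0x40 bytes zeroed is. Raise `max_lfanew` if you need to cover images with unusually large DOS stubs.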
Once this occurs the malware begins its full execution, following the process outlined in the following sections. The DLL file, CBkdr, had its IMAGE_DOS_HEADER zeroed out. The DllEntryPoint creates an execution thread so that control can be returned to the loader. This thread is responsible for calling CCBkdr_GetShellcodeFromC2AndCall. It also sets up a Return Oriented Programming (ROP) chain that is used to deallocate the memory associated with the DLL and exit the thread.

CCBkdr_GetShellcodeFromC2AndCall

This function is responsible for much of the malicious operations that Talos observed while analyzing this malware. First, it records the current system time on the infected system. It then delays for 6. In order to implement this delay functionality, the malware calls a function which attempts to ping 2.
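The loader sequence in the previous section (an executable heap created with HEAP_CREATE_ENABLE_EXECUTE, decrypted data copied into it, then the heap destroyed once the payload is running) and the thread creation described in this one are observable as a chain of API calls. The Python below is an added example (not Talos, Piriform or Avast code) of detection logic run over an API-call trace: it flags a process that creates an executable heap, allocates from it, starts a thread whose start address lies inside that allocation, and later destroys the heap. The trace format and the sample lines are constructed for the example and are not real telemetry; HEAP_CREATE_ENABLE_EXECUTE is the documented Windows value 0x00040000.

```python
import re

HEAP_CREATE_ENABLE_EXECUTE = 0x00040000

# Constructed sample trace (not real telemetry), one API call per line:
#   <pid> <api>(<name>=<value>, ...) -> <return value>
# pid 4120 follows the loader sequence; pid 5008 is a benign private heap.
SAMPLE_TRACE = """\
4120 HeapCreate(flOptions=0x40000, dwInitialSize=0x0, dwMaximumSize=0x0) -> 0x2a0000
4120 HeapAlloc(hHeap=0x2a0000, dwFlags=0x0, dwBytes=0x4c00) -> 0x2a0588
4120 CreateThread(lpStartAddress=0x2a0588) -> 0x1f4
4120 HeapDestroy(hHeap=0x2a0000) -> 1
5008 HeapCreate(flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) -> 0x3b0000
5008 HeapAlloc(hHeap=0x3b0000, dwFlags=0x8, dwBytes=0x200) -> 0x3b0590
5008 HeapDestroy(hHeap=0x3b0000) -> 1
"""

LINE_RE = re.compile(r"^(?P<pid>\d+) (?P<api>\w+)\((?P<args>[^)]*)\) -> (?P<ret>\S+)$")


def parse_args(text):
    """'a=0x1, b=2' -> {'a': 1, 'b': 2}; values are parsed as C-style integer literals."""
    args = {}
    for item in filter(None, (p.strip() for p in text.split(","))):
        name, value = item.split("=", 1)
        args[name] = int(value, 0)
    return args


def analyze_trace(text):
    """Return one record per executable heap seen in the trace, noting whether a
    thread was started inside one of its allocations and whether it was destroyed."""
    exec_heaps = {}  # (pid, heap handle) -> finding record
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the trace grammar
        pid, api = int(m["pid"]), m["api"]
        args, ret = parse_args(m["args"]), int(m["ret"], 0)
        if api == "HeapCreate":
            if args.get("flOptions", 0) & HEAP_CREATE_ENABLE_EXECUTE:
                exec_heaps[(pid, ret)] = {"pid": pid, "heap": ret, "allocs": [],
                                          "thread_in_exec_heap": False, "destroyed": False}
        elif api == "HeapAlloc":
            rec = exec_heaps.get((pid, args.get("hHeap")))
            if rec is not None:
                rec["allocs"].append((ret, args.get("dwBytes", 0)))
        elif api == "CreateThread":
            start = args.get("lpStartAddress", 0)
            for (p, _handle), rec in exec_heaps.items():
                if p == pid and any(a <= start < a + n for a, n in rec["allocs"]):
                    rec["thread_in_exec_heap"] = True
        elif api == "HeapDestroy":
            rec = exec_heaps.get((pid, args.get("hHeap")))
            if rec is not None:
                rec["destroyed"] = True
    return list(exec_heaps.values())


if __name__ == "__main__":
    for f in analyze_trace(SAMPLE_TRACE):
        print(f"pid {f['pid']}: executable heap 0x{f['heap']:x}, "
              f"thread started inside it={f['thread_in_exec_heap']}, destroyed={f['destroyed']}")
```

An executable heap on its own is not conclusive (JIT runtimes create them), which is why the record carries the thread-start and destroy observations separately: the full chain, with the heap torn down after the thread is running, is what distinguishes a transient loader from a long-lived JIT arena.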