CCleaner, one of the most popular system tools on Windows, was confirmed to be compromised early this month, resulting in up to 3% of CCleaner’s users, roughly around 2 million, are/were using two compromised versions of CCleaner on their Windows computers. If you are using CCleaner to help you keep your system clean, here is what you need to know, according to the CCleaner’s official blog post and Cisco Talos post.
Table of Contents
Two things first,
- Only Windows 32-bit edition is affected.
- Two versions released between August 15 and September 12, 2017, are affected. They are:
- CCleaner 5.33.6162
- CCleaner Cloud 1.07.3191
If you are running a version later than these two or running the same version but on a 64-bit of Windows, you are safe.
What can these hacked versions do?
The compromised version will collect the following information about the local system and encrypt them before sending off to a remote IP address or a different location if the IP address becomes unavailable.
- Name of the computer
- List of installed software, including Windows updates
- List of running processes
- MAC addresses of first three network adapters
- Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
It also reads a reply from the same IP address and downloads a second stage payload from that address, further encrypted by the same algorithm as in the first stage. However, CCleaner stats that they have not detected an execution of the second stage payload and believe that its activation is highly unlikely.
What to do if I am using CCleaner?
Here are steps you need to take:
- Check the version of CCleaner on your computer.
- If it’s older than 5.33.6162 or Cloud 1.07.3191, you are safe. It’s time to update to the latest version. Piriform, the company behind CCleaner, has released version 5.35 on September 20, 2017.
- If it’s the newer or the same version of infected one,
- Update to the latest version if you want to continue using the tool, and
- Run a manual scan of your AV and make sure your system is clean.
- Check the following registry and delete it if you find it existed in your system.
update on August 21, 2017
Cisco Talos published another report concerning the risks caused by this CCleaner hack. It appears that the attack was more sophisticated than previously thought as it attacks a specific list of domains with a second payload, cisco.com is included in the array.
They also discovered more details about the stage 2 payloads. The stage 2 installer is GeeSetup_x86.dll that checks the OS version and then drops either a 32-bit or 64-bit version of a trojanized tool. None of the files are signed or legitmate.
The x86 version is using a trojanized TSMSISrv.dll, which drops VirtCDRDrv (which matches the filename of a legitimate executable that is part of Corel) using a similar method to the backdoored CCleaner tool.
The x64 version drops a trojanized EFACli64.dll file named SymEFA which is the filename taken from a legitimate executable that is part of “Symantec Endpoint”.
You can use the following information to help identify them:
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP
- Installer (GeeSetup_x86.dll): dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83
- 32-bit trojanized binary (TSMSISrv.dll): 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902
- 64-bit trojanized binary (EFACli64.dll): 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f
- DLL in registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a
/end of update/
What really happened?
The attack is called Supply Chain Attack that is a very effective way to distribute malicious software into target organization, using the trust relationship between a manufacturer or supplier and a customer.
In short, hackers were able to hack their way to the CCleaner’s site and inject the malicious code into two versions of CCleaner, 5.33.6162 of CCleaner and 1.07.3191 version of CCleaner Cloud. Luckily, both CCleaner and Cisco were able to quickly detect the suspicious downloading activities and stop them from being widely distributed.
As to why and how the hackers made their way in, it’s still under investigation.