This article takes a look at the recent breach of the Avast-owned system utility software CCleaner.
This September, articles have been surfacing about the Avast-owned Piriform CCleaner software being hacked. As early as August, articles from the Cisco Talos Intelligence website at http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html and from Forbes at https://www.forbes.com/sites/thomasbrewster/2017/09/18/ccleaner-cybersecurity-app-infected-with-backdoor/ detailed instances of computers being attacked through CCleaner.
Here at Triella, we have evidence that it may have occurred much earlier than that.
CCleaner is a system-optimizing utility that many people use to clean up the file system and registry when Windows is performing poorly or having issues. Because a free version is offered for download, it has been a widely used and, until now, trusted tool for many years.
Since CCleaner was already installed on many systems, all the attackers needed to do was get a malicious update into the software's release channel. That update was version 5.33; the threat was patched in the subsequent release, 5.34, but not before it had infected over 2 million systems with a backdoor.
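Because the backdoor arrived through the product's own update channel, the practical check for an administrator is not "where did this come from" but "which build is installed". The script below is an added example written for this article, not code from Triella, Piriform or Webroot. It inventories CCleaner on a Windows host, flags the 5.33 build the article identifies as compromised, and records the binary's signer and SHA-256 so the result can be compared against the indicators in the Talos write-up linked above. The default install path and the "CCleaner" uninstall display name are assumptions; adjust them to your estate.

```powershell
# Added example (not from the original article): find CCleaner on a Windows host
# and flag the 5.33 release the article describes as backdoored (fixed in 5.34).
# Assumptions: the uninstall entry's DisplayName starts with "CCleaner" and the
# default install path below is used.

$AffectedVersion = [version]"5.33"                              # from the article
$DefaultExe      = "C:\Program Files\CCleaner\CCleaner.exe"     # assumed default path

function Get-CCleanerInstalls {
    # Both 64-bit and 32-bit uninstall hives, so a WOW64 install is not missed.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-CCleanerBinary {
    param([string]$Path = $DefaultExe)

    if (-not (Test-Path -LiteralPath $Path)) { return $null }

    $item = Get-Item -LiteralPath $Path
    $raw  = $item.VersionInfo.FileVersion
    try {
        # Normalise "5, 33, 0, 1234" or "5.33.0.1234" to something [version] parses.
        $ver = [version]($raw -replace '[^0-9.]', '')
    } catch {
        $ver = $null
    }

    # The article identifies the bad build by major.minor only, so compare just those.
    $isAffected = ($null -ne $ver -and
                   $ver.Major -eq $AffectedVersion.Major -and
                   $ver.Minor -eq $AffectedVersion.Minor)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path        = $Path
        FileVersion = $raw
        Affected    = $isAffected
        SigStatus   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256      = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
    }
}

# Usage: list registered installs, then inspect the binary itself.
Get-CCleanerInstalls | Format-Table -AutoSize
Test-CCleanerBinary  | Format-List
```

Run it under an account that can read HKLM and the Program Files tree. A trojanized update delivered through the legitimate channel can carry a perfectly valid vendor signature, so treat `SigStatus` as one data point, not as proof the build is clean; the version and hash comparison against published indicators is what answers the question.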
At Triella, I manage and monitor the majority of our clients’ antivirus systems, and earlier this year, after extensive research and on my recommendation, we started providing our clients with Webroot cloud-based malware protection. Webroot detects threats very differently than the other antivirus programs our clients had been using, and because it was cloud-based and not on-premise we were able to overcome many issues we had been facing with other server-client solutions. Being cloud-based also meant that it was always up to date.
On June 25th, we were alerted to a client site where a threat had been detected and blocked by Webroot on a server. The threat was called CCleaner.exe and it was flagged as W32.Hacktool.Rpdpatch.
CCleaner was a tool we were familiar with and used on client desktops, but not normally on servers. We had it on client systems already, and Webroot had never flagged it before this.
At the time, Webroot was also having an issue where it would block some safe programs as malware, an issue that was fixed a few days before this detection. (Better to be overprotective than underprotective.)
Based on the above, my first reaction might have been to whitelist the threat as a false positive, but my 20 years of experience and instinct left me suspicious, so instead I reported it directly to Webroot support and ensured the server remained protected.
Hackers are becoming more and more sophisticated, and they are getting more difficult to catch. Not everyone will have 20 years of IT experience or recognize these identifiers, whether it is malicious email spam, websites, or some other vessel for malware, but having the right protection for today’s ever-evolving threats is more important than ever. I can’t tell you how often other antivirus software lets malware threats through and compromises systems, leaving only the option of restoring servers from backups and completely re-imaging desktops. Thankfully, for Triella and our clients on Webroot, we made the decision to move forward at just the right time.
Interested in getting ahead of the curve on your antivirus and malware protection? Triella offers Webroot to our clients on a monthly basis. The software takes up few resources on your computer and is one of the best solutions for antivirus protection on the market. With the fallout of the CCleaner hack and the security issues surrounding Kaspersky Antivirus, you need to ensure your business is sufficiently protected.
For more information on Webroot, call us at 647-426-1004.
Paul Comtois is a Client Support Specialist at Triella, a technology consulting company specializing in providing technology audits, planning advice, project management and other CIO-related services to small and medium sized firms. Paul can be reached at 647.426.1004. For additional articles, go to www.triella.com/publications. Triella is a VMware Professional Partner, Microsoft Certified Partner, Citrix Solution Advisor – Silver, Dell Preferred Partner, Authorized Worldox Reseller and a Webroot Reseller.
© 2017 by Triella Corp. All rights reserved. Reproduction with credit is permitted.