![]() ![]() Key opened: HKEY_CURRE NT_USER\So ftware\Pol icies\Micr osoft\Wind ows\Safer\ CodeIdenti fiers text IMAGE _SCN_MEM_E XECUTE, IM AGE_SCN_CN T_CODE, IM AGE_SCN_ME M_READ text section and no other executable section debug / backup)Ĭode function: 0_2_0049E5 8D GetLast Error,GetC urrentProc ess,OpenPr ocessToken ,GetLastEr ror,Lookup PrivilegeV alueW,Adju stTokenPri vileges,Ge tLastError ,įile created: C:\Users\u ser\AppDat a\Local\Te mp\CCleane r.exe.png Static PE information: Resource n ame: RT_IC ON type: G LS_BINARY_ LSB_FIRSTīinary contains paths to development resourcesĬlassification label: sus26.evad functionality to adjust token privileges (e.g. Static PE information: Resource n ame: RT_BI TMAP type: GLS_BINAR Y_LSB_FIRS T exeįound potential string decryption / allocating functionsĬode function: String fun ction: 004 41A5C appe ars 226 ti mesĬode function: String fun ction: 004 41A8F appe ars 39 tim esĬode function: String fun ction: 004 6DA6D appe ars 36 tim es Source: C:\Users\u ser\Deskto p\CCleaner. String found in binary or memory: oopops.sou rceforge.n et com/http:/ /ENTS_WINDO W_MESSAGES oftware macromedi a.com/shoc kwave/down load/ http ://sdc.sho /shockwave /download/ index.cgi? String found in binary or memory: adobp/1.0/ String found in binary or memory: isknight.o rg/ In the interest of secure computing, we encourage all readers to regularly apply software and OS security updates, and follow safe computing practices.Source: CCleaner.e xe, 000000 00.0000000 2.12784275 10.0000000 07FAE0000. With reports like these, it is becoming a challenge to predict what hackers will target next. We will be sure to keep you posted as soon as Piriform publishes the results of its ongoing investigation. The rate at which these users update to newer versions of the program is highly variable and the malware could still lurk around even though the rogue server in question has been disbanded. However, the fact that nearly 2.3 million users were affected is still a serious concern. The company is urging all users to upgrade to version 5.34, which contains the correct clean code. The action of the second-stage payload is not yet detected.Īt this stage, Piriform is cautious not to speculate too much into how its binaries were compromised and is apparently taking actions to prevent it from happening again. All this information was encrypted and transmitted to a remote address (.x), which then sent a second-stage payload containing further encrypted information. It collected a host of information about the infected system including its name, software installed, MAC addresses etc. Piriform says that the suspicious code stored certain information in the registry key, HKLM_Software_Piriform_Agomo that also included the IP address of the Command and Control (CnC) server. ![]() The highly obfuscated illegal code created a 16KB DLL that executed in a separate thread and continued to run in the background while the actual program was being run. Of particular importance is the fact that the original binary had a valid digital certificate, which could imply that Piriform's certification process itself was compromised. Hackers inserted a two-stage backdoor that could remotely execute code and transmit back user info in an encrypted form. In a technical blog post, Paul Yung, VP, Products from Piriform, detailed about the illegal code modification that affected nearly 2.27 million users of the product. This led to the conclusion that the program's binary was illegally modified to transmit user info to the hacker. On September 12, certain 32-bit versions of CCleaner () and CCleaner Cloud () were found to transmit data to an unknown IP address, prompting Piriform to start an investigation in collaboration with Avast Threat Labs. The malware is a backdoor that disguised itself within the app's runtime and therefore, went largely unnoticed until Piriform noticed something suspicious. CCleaner, the popular PC cleaning app from Piriform (now part of Avast), has been found to be infected with malware that can potentially sniff out user data in the background without the user even knowing it. ![]()
0 Comments
Leave a Reply. |