CCleanup: A Vast Number of Machines at Risk

MONDAY, SEPTEMBER 18, 2017

This post was authored by: Edmund Brumaghin, Ross Gibb, Warren Mercer, Matthew Molyett, and Craig Williams

Update 9/18: CCleaner Cloud version 1.07.3191 is also reported to be affected (https://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users).

Update 9/19: This issue was discovered and reported by both Morphisec (http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor) and Cisco in separate in-field cases and reported separately to Avast.

Update 9/19: There has been some confusion on how the DGA domains resolve. The fallback command and control scheme used by the CCBkdr involves:
1. Generating a monthly domain name (all of which are controlled by Talos for 2017).
2. Requesting the A records for that domain.
3. 16 bits of the true destination IP are encoded in the first A record, and the other 16 bits in the second A record.
4. The true destination IP is then computed and connected to.

To control the connections, Talos has to create two IPs that, when fed into the application, resolve to the sinkhole IP. 32 bits of random data were generated. 16 of those bits were combined with 16 bits of the destination address to create the first A record; the remaining 16 random bits were combined with the remaining 16 bits of the destination address to create the second A record. The resulting two A record IP addresses were then assigned to the DNS configuration. No analysis was performed on the selected addresses beyond confirming that they could be combined to produce the destination.

Update 9/20: Continued research on C2 and payloads can be found here: http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

INTRODUCTION

Supply chain attacks are a very effective way to distribute malicious software into target organizations, because the attacker relies on the trust relationship between a manufacturer or supplier and a customer. That trust relationship is abused to attack organizations and individuals, and may be exploited for a number of different reasons. The Nyetya worm released into the wild earlier in 2017 (http://blog.talosintelligence.com/2017/07/the-medoc-connection.html) showed just how potent these attacks can be. Frequently, as with Nyetya, the initial infection vector can remain elusive for quite some time. Luckily, with tools like AMP, the additional visibility can usually help direct attention to the initial vector.
Talos recently observed a case where the download servers used by a software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims.
For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2016, with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size, we decided to move quickly. On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities. The following sections discuss the specific details of this attack.

TECHNICAL DETAILS

CCleaner is an application that allows users to perform routine maintenance on their systems. It includes functionality such as cleaning of temporary files, analyzing the system to determine ways in which performance can be optimized, and a more streamlined way to manage installed applications.

Figure 1: Screenshot of CCleaner 5.33

On September 13, 2017, while conducting customer beta testing of our new exploit detection technology, Cisco Talos identified a specific executable which was triggering our advanced malware protection systems. Upon closer inspection, the executable in question was the installer for CCleaner v5.33, which was being delivered to endpoints by the legitimate CCleaner download servers. Talos began initial analysis to determine what was causing this technology to flag
CCleaner. We identified that even though the downloaded installation executable was signed using a valid digital signature issued to Piriform, CCleaner was not the only application that came with the download. During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner's download server as recently as September 11, 2017.

In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017 version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates. This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018. Piriform, recently acquired by Avast, is the company that originally developed the CCleaner application.

Figure 2: Digital Signature of CCleaner 5.33

A second sample associated with this threat was discovered. This second sample was also signed using a valid digital certificate; however, its signing timestamp was approximately 15 minutes after the initial sample was signed. The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Ideally this certificate should be revoked and untrusted moving forward. When generating a new certificate, care must be taken to ensure attackers have no foothold within the environment with which to compromise the new certificate. Only the incident response process can provide details regarding the scope of this issue and how best to address it.

Interestingly, the following compilation artifact was found within the CCleaner binary that Talos analyzed:

        S:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb

Given the presence of this compilation artifact, as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments intentionally included the malicious code, or had an account (or similar) compromised which allowed an attacker to include the code.
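The PDB path above is the kind of build artifact worth pulling from every binary under investigation, since it names the branch and build tree the file was linked from. The following script is an added example (not Talos or Piriform code) that reads the CodeView debug entry of a PE in pure Python; the sample PE it parses is constructed inline with the quoted path embedded, and its single-section, single-debug-entry layout is an assumption for the example.

```python
"""Extract the CodeView (RSDS) PDB path from a PE32 or PE32+ binary.

Added example for triaging a build artifact like the one quoted above; this is
not Talos or Piriform code. The sample PE at the bottom is constructed inline
(assumed layout: one section, one debug directory entry) so the script runs
offline; the path it embeds is the one quoted in the post.
"""
import struct
import uuid

IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DEBUG_TYPE_CODEVIEW = 2
DEBUG_ENTRY_SIZE = 28            # sizeof(IMAGE_DEBUG_DIRECTORY)


def _sections(data, coff):
    """Yield (virtual_address, virtual_size, raw_offset, raw_size) per section header."""
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + opt_size
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, first + i * 40 + 8)
        yield va, vsize, raw, rawsize


def _rva_to_offset(rva, sections):
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA %#x is not backed by any section" % rva)


def pdb_path(data):
    """Return (guid, age, path) from the first CodeView debug entry, or None if there is none."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe + 4
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)       # data directories: PE32 vs PE32+
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + IMAGE_DIRECTORY_ENTRY_DEBUG * 8)
    if dbg_rva == 0:
        return None
    off = _rva_to_offset(dbg_rva, list(_sections(data, coff)))
    for i in range(dbg_size // DEBUG_ENTRY_SIZE):
        entry = off + i * DEBUG_ENTRY_SIZE
        typ, size, _addr, ptr = struct.unpack_from("<IIII", data, entry + 12)
        if typ != IMAGE_DEBUG_TYPE_CODEVIEW or data[ptr:ptr + 4] != b"RSDS":
            continue
        guid = uuid.UUID(bytes_le=data[ptr + 4:ptr + 20])
        age = struct.unpack_from("<I", data, ptr + 20)[0]
        path = data[ptr + 24:ptr + size].split(b"\0", 1)[0].decode("latin-1")
        return guid, age, path
    return None


def build_sample_pe(path, guid=uuid.UUID(int=0x1234), age=1):
    """Construct a minimal PE32 carrying one CodeView entry (constructed test input, not a real binary)."""
    cv = b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("latin-1") + b"\0"
    sec_va, sec_raw = 0x1000, 0x200
    entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                        len(cv), sec_va + DEBUG_ENTRY_SIZE, sec_raw + DEBUG_ENTRY_SIZE)
    section = entry + cv
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_DEBUG] = (sec_va, DEBUG_ENTRY_SIZE)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)  # i386, one section
    sec_hdr = b".rdata\0\0" + struct.pack("<IIII", len(section), sec_va, len(section), sec_raw) + b"\0" * 16
    return (dos + b"PE\0\0" + coff + opt + sec_hdr).ljust(sec_raw, b"\0") + section


if __name__ == "__main__":
    sample = build_sample_pe(r"S:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb")
    guid, age, path = pdb_path(sample)
    print("GUID %s age %d PDB %s" % (guid, age, path))
```

Run `pdb_path(open(f, "rb").read())` against a real sample; a path that points into the vendor's own release branch, combined with a valid Authenticode signature, is what supports the build-environment hypothesis above, whereas a foreign or missing path would point toward post-build tampering.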
It is also important to note that while previous versions of the CCleaner installer are currently still available on the download server, the version containing the malicious payloads has been removed and is no longer available.

MALWARE INSTALLATION AND OPERATION

Within the 32-bit CCleaner v5.33 binary included with the legitimate CCleaner v5.33 installer, '__scrt_get_dyn_tls_init_callback' was modified to call the code at CC_InfectionBase (0x0040102C). This redirects execution flow within the CCleaner binary to the malicious code before continuing with normal CCleaner operations. The called code is responsible for decrypting data containing the two stages of the malicious payload: a PIC (Position Independent Code) PE loader and a DLL file that functions as the malware payload. The malware author tried to reduce detection of the malicious DLL by zeroing out its IMAGE_DOS_HEADER, suggesting the attacker was trying to stay under the radar of normal detection techniques. The binary then creates an executable heap using HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0). Space is allocated on this new heap and the decrypted data containing the malware is copied into it; as the data is copied, the source data is erased. The PE loader is then called and begins its operation. Once the infection process has been initiated, the binary erases the memory regions that previously contained the PE loader and the DLL file, frees the previously allocated memory, destroys the heap, and continues with normal CCleaner operations.

The PE loader uses position independent coding practices to locate the DLL file within memory. It then maps the DLL into executable memory, calls the DLLEntryPoint to begin execution of the loaded DLL, and the CCleaner binary continues as normal. Once this occurs the malware begins its full execution, following the process outlined in the following sections.

The DLL file (CBkdr.dll) was modified in an attempt to evade detection and had its IMAGE_DOS_HEADER zeroed out. The DLLEntryPoint creates an execution thread so that control can be returned to the loader. This thread is responsible for calling CCBkdr_GetShellcodeFromC2AndCall. It also sets up a Return Oriented Programming (ROP) chain that is used to deallocate the memory associated with the DLL and exit the thread.

This function is responsible for much of the malicious operations that Talos observed while analyzing this malware. First, it records the current system time on the infected system. It then delays for 601 seconds before continuing operations, likely an attempt to evade automated analysis systems that are configured to execute samples for a predefined period of time, or to determine whether the malware is being executed in a debugger. To implement this delay, the malware calls a function which attempts to ping 224.0.0.0 with a delay_in_seconds timeout set to 601 seconds. Because 224.0.0.0 is the reserved base address of the IPv4 multicast range, no reply is expected; the echo request simply runs out its timeout, which gives the malware a wait that a sandbox accelerating Sleep() calls would not shorten. It then checks the current system time to see whether 600 seconds have elapsed, which catches environments that shortcut the wait. If that condition is not met, the malware terminates execution while the CCleaner binary continues normal operations. In situations where the malware is unable to execute IcmpCreateFile, it falls back to using Sleep() to implement the same delay functionality.
The malware also compares the current system time to the value stored in the following registry location:

        HKLM\SOFTWARE\Piriform\Agomo:TCID

If the value stored in TCID is in the future, the malware terminates execution.

Figure 3: Delay Routine

The malware then checks the privileges assigned to the user running on the system. If the current user running the malicious process is not an administrator, the malware terminates execution.

Figure 4: Privilege Check

If the user executing the malware does have administrative privileges on the infected system, SeDebugPrivilege is enabled for the process. The malware then reads the value of 'InstallID', which is stored in the following registry location:

        HKLM\SOFTWARE\Piriform\Agomo:MUID

If this value does not exist, the malware creates it using '(rand() * rand()) ^ GetTickCount()'. Once the aforementioned activities have been performed, the malware begins profiling the system and gathering system information which is later transmitted to the C2 server. System information is stored in the following data structure:

Figure 5: CCBkdr_System_Information Data Structure

Once the system information has been collected, it is encrypted and then encoded using modified Base64. The malware then establishes a Command and Control (C2) channel as described in the following section.

COMMAND AND CONTROL (C2)

While analyzing this malware, Talos identified what appears to be a software bug present in the malicious code related to the C2 function. The sample that Talos analyzed reads a DGA-computed IP address located in the following registry location, but currently does nothing with it:

        HKLM\SOFTWARE\Piriform\Agomo:NID

It is unknown what the purpose of this IP address is at this time, as the malware does not appear to make use of it during subsequent operations. In any event, once the previously mentioned
system information has been collected and prepared for transmission to the C2 server, the malware attempts to transmit it using an HTTPS POST request to 216[.]126[.]225[.]148. The HTTPS communications use a hardcoded HTTP Host header set to speccy[.]piriform[.]com, a legitimate platform also created by Piriform for hardware monitoring. This could make dynamic analysis more difficult, as the domain would appear legitimate and perhaps even expected depending on the victim infrastructure. The requests use HTTPS but ignore all security errors, as the server currently returns a self-signed SSL certificate issued to the subdomain defined in the Host header field. Because the request is addressed to an IP literal, the destination does not match what speccy[.]piriform[.]com resolves to; that mismatch between the name in the Host header and the IP actually contacted is the artifact to hunt for in proxy or TLS-inspection logs. In cases where no response is received from the C2 server, the malware falls back to a Domain Generation Algorithm (DGA), as described in the section 'Domain Generation Algorithm' of this post.
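Hunting for this beacon in proxy or TLS-inspection logs, as an added example that is not part of the original post: the script below scans constructed sample log lines and flags requests whose destination is the hardcoded C2 address, or whose Host header names a host that, according to a constructed passive-DNS snapshot, does not resolve to the IP actually contacted. The log format, the passive-DNS data and every address other than 216.126.225.148 are assumptions for the example, not Piriform's real infrastructure.

```python
"""Flag HTTP(S) requests whose Host header does not match the destination IP.

Added example; the log lines and the name-to-IP snapshot are constructed for
illustration and are not data from the Talos report.
"""
import ipaddress
import re

# Constructed proxy log. Assumed format, one request per line, space-separated:
# timestamp client_ip dest_ip:port method host path
SAMPLE_LOG = """\
2017-09-11T10:02:17Z 10.1.4.22 216.126.225.148:443 POST speccy.piriform.com /
2017-09-11T10:02:19Z 10.1.4.22 93.184.216.34:443 GET example.com /index.html
2017-09-11T10:03:40Z 10.1.7.9 198.51.100.7:443 GET speccy.piriform.com /api
2017-09-11T10:04:01Z 10.1.4.22 203.0.113.5:80 GET update.vendor.example /v5.34
"""

# Hardcoded C2 from the report (defanged in the text, usable form here).
KNOWN_C2 = {"216.126.225.148"}

# Constructed passive-DNS snapshot: what each name legitimately resolved to at the
# time. These addresses are assumptions for the example, not Piriform's real hosts.
RESOLVED = {
    "speccy.piriform.com": {"198.51.100.7"},
    "example.com": {"93.184.216.34"},
    "update.vendor.example": {"203.0.113.5"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$"
)


def parse_line(line):
    """Split one log line into its fields; raise on anything that does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    rec = m.groupdict()
    ipaddress.ip_address(rec["dest"])  # raises if the destination is not an IP literal
    return rec


def classify(rec, known_c2=KNOWN_C2, resolved=RESOLVED):
    """Return the reasons this request looks like the beacon (empty list if none)."""
    reasons = []
    if rec["dest"] in known_c2:
        reasons.append("destination is a known C2 address")
    expected = resolved.get(rec["host"])
    if expected is not None and rec["dest"] not in expected:
        reasons.append("Host %s does not resolve to %s" % (rec["host"], rec["dest"]))
    return reasons


def scan(log_text):
    """Return (client, dest, host, reasons) for every suspicious line in the log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec["client"], rec["dest"], rec["host"], reasons))
    return hits


if __name__ == "__main__":
    for client, dest, host, reasons in scan(SAMPLE_LOG):
        print("%s -> %s (Host: %s): %s" % (client, dest, host, "; ".join(reasons)))
```

The known-C2 match is the easy half; the name/IP mismatch is what keeps catching the technique after the operator moves the server, because a client that hardcodes an IP and forges the Host header never contacts an address the name legitimately resolves to.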
Once a C2 server has been identified for use by the malware, it sends the encoded data containing the system profile information and stores the C2 IP address in the following registry location:

        HKLM\SOFTWARE\Piriform\Agomo:NID

The malware then stores the value of the current system time plus two days in the following registry location:

        HKLM\SOFTWARE\Piriform\Agomo:TCID

Data received from the C2 server is then validated to confirm that it is in the correct format for a CCBkdr_ShellCode_Payload structure. An example is shown below:

Figure 6: CCBkdr_ShellCode_Payload Data Structure

The malware then confirms that the value of EncryptedInstallID matches the value that was previously transmitted to the C2 server. It then allocates memory for the final shellcode payload. The payload is decoded using modified Base64 and stored in the newly allocated memory region. It is then decrypted and called with the addresses of LoadLibraryA and GetProcAddress as parameters. Once the payload has been executed, the memory is deallocated and the following registry value is set to the current system time plus seven days:

        HKLM\SOFTWARE\Piriform\Agomo:TCID

The received buffer is then zeroed out and deallocated. The CCBkdr_ShellCode_Payload structure is also deallocated and the malware then continues with normal CCleaner operations. Since a TCID value in the future stops the backdoor at startup, these writes mean an infected host that received no payload will not beacon again for two days, and one that ran a payload stays quiet for seven; on a suspect machine, the TCID value therefore bounds when the last C2 contact happened.
A diagram describing the high level operation of this malware is below:

Figure 7: Malware Operation Process Flow

Domain Generation Algorithm

In situations where the primary C2 server does not return a response to the HTTP POST request described in the previous section, the malware falls back to a DGA. The algorithm used by this malware is time-based and can be calculated from the values of year and month. A list of DGA domains is below:
Figure 8: 12 Month DGA Generation

The malware initiates DNS lookups for each domain generated by the DGA. If a lookup does not return an IP address, this process continues. For the active DGA domain, the malware expects two IP addresses to be returned by the name server authoritative for that domain's namespace. It then computes the secondary C2 server by performing a series of bit operations on the two returned address values and combining the results into the actual fallback C2 address used for subsequent C2 operations.
A diagram showing this process is below:

Figure 9: C2 Process Diagram

Cisco Talos observed during analysis that the DGA domains had not been registered, so we registered and sinkholed them to prevent attackers from using them for malicious purposes.

POTENTIAL IMPACT

The impact of this attack could be severe given the extremely high number of systems possibly affected. CCleaner claims to have over 2 billion downloads worldwide as of November 2016 and is reportedly adding new users at a rate of 5 million a week.
Figure 10: CCleaner Consumer Demographics

If even a small fraction of those systems were compromised, an attacker could use them for any number of malicious purposes. Affected systems need to be restored to a state before August 15, 2017 or reinstalled. Users should also update to the latest available version of CCleaner to avoid infection; at the time of this writing that is version 5.34. It is important to note that, according to the CCleaner download page, the free version of CCleaner does not provide automated updates, so this may be a manual process for affected users.

In analyzing DNS-based telemetry data related to this attack, Talos identified a significant number of systems making DNS requests attempting to resolve the domains produced by the aforementioned DGA.
As these domains had never been registered, it is reasonable to conclude that the only condition under which systems would attempt to resolve them is that they had been impacted by this malware. While most of the domains associated with this DGA have little to no request traffic, the domains for August and September (which correlates with when this threat was active in the wild) show significantly more activity.

Looking at the DNS activity observed by Cisco Umbrella for July 2017 (prior to CCleaner 5.33 being released), we observed very few DNS requests attempting to resolve the DGA domain associated with this malware for that month:

Figure 11: DNS Activity for July 2017 DGA Domain

As mentioned earlier in this post, the version of CCleaner that included this malware was released on August 15, 2017. The following graph shows a significant increase in the amount of DNS activity associated with the DGA domain used in August 2017:
Figure 12: DNS Activity for August 2017 DGA Domain

Likewise, the DGA domain associated with September 2017 reflects the following activity with regard to attempts to resolve it:

Figure 13: DNS Activity for September 2017 DGA Domain

Note that on September 1, 2017 the DNS activity shifted from the DGA domain used in August to the one used in September, which matches the time-based DGA algorithm described in the "Domain Generation Algorithm" section of this blog post.

After reaching out to Avast, we noted that the C2 server was taken down and became unavailable to already infected systems. As a result, we saw a significant increase in the number of requests directed at the fallback DGA domains used by the malware.

Figure 14: Traffic Spike Following Server Takedown

It is also worth noting that at the time of this post, antivirus detection for this threat remains very low (detections were at 1/64 at the time of this writing).

Figure 14: VirusTotal Detections for CCleaner Binary
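A defender's view of the telemetry described above: the Python below is an added example written for this page, not Talos tooling. It scans a resolver query log for queries to the monthly fallback domains, normalises case and trailing dots, counts hits per domain and day, and reports the first day each domain was seen, which is how the month-boundary shift shown in Figures 12 and 13 surfaces in raw logs; the domain names and log lines are constructed stand-ins, not the real 2017 DGA domains.

```python
"""Scan a DNS resolver query log for queries to the malware's monthly fallback
(DGA) domains and summarise the activity per domain and day, which is how the
month-boundary shift in the post's Umbrella telemetry shows up in raw logs.

Added example for this page, not Talos tooling. The domain names and log
lines are constructed stand-ins; the real 2017 DGA domains are in the post's
IOC section.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed watchlist: one fallback domain per (year, month), mirroring the
# time-based DGA that yields one domain per month. Placeholders, not real IoCs.
DGA_WATCHLIST = {
    "dga-2017-07.invalid": (2017, 7),
    "dga-2017-08.invalid": (2017, 8),
    "dga-2017-09.invalid": (2017, 9),
}

# Constructed resolver log, one query per line: "time client qname qtype rcode".
# While the domains were unregistered the resolver answered NXDOMAIN; the query
# itself is the signal, whatever the rcode.
SAMPLE_LOG = """\
2017-08-14T09:00:00Z 10.0.0.5 www.example.com A NOERROR
2017-08-16T10:12:03Z 10.0.0.7 dga-2017-08.invalid A NXDOMAIN
2017-08-16T10:12:04Z 10.0.0.7 DGA-2017-08.INVALID. A NXDOMAIN
2017-08-20T15:30:00Z 10.0.0.9 dga-2017-08.invalid A NXDOMAIN
2017-08-31T23:59:58Z 10.0.0.7 dga-2017-08.invalid A NXDOMAIN
2017-09-01T00:05:11Z 10.0.0.7 dga-2017-09.invalid A NXDOMAIN
2017-09-01T00:06:00Z 10.0.0.9 dga-2017-09.invalid A NXDOMAIN
2017-09-02T08:00:00Z 10.0.0.11 dga-2017-09.invalid A NXDOMAIN
2017-09-02T08:00:01Z 10.0.0.11 not-dga-2017-09.invalid A NXDOMAIN
malformed line that the parser must skip
"""


def normalize_qname(qname):
    """Lower-case and drop the trailing root dot so case/FQDN variants match."""
    return qname.strip().lower().rstrip(".")


def watchlist_hit(qname):
    """Return the watchlist domain that qname equals or is a subdomain of.

    Matching on the label boundary ("." + domain) keeps look-alike names such
    as not-dga-2017-09.invalid from being counted as hits.
    """
    name = normalize_qname(qname)
    for domain in DGA_WATCHLIST:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def parse_log(text):
    """Yield (timestamp, client, domain) for every query that hits the watchlist."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records instead of aborting the whole run
        ts, client, qname = fields[0], fields[1], fields[2]
        domain = watchlist_hit(qname)
        if domain is None:
            continue
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield when, client, domain


def daily_counts(events):
    """Map domain -> Counter(query date -> number of queries)."""
    counts = defaultdict(Counter)
    for when, _client, domain in events:
        counts[domain][when.date()] += 1
    return counts


def first_seen(counts, domain):
    """First day the domain was queried, or None if it never was."""
    days = counts.get(domain)
    return min(days) if days else None


def off_month_queries(events):
    """Queries for a monthly domain outside its own month: worth a look, since a
    host with a correct clock should only ask for the current month's domain."""
    return [(w, c, d) for w, c, d in events if (w.year, w.month) != DGA_WATCHLIST[d]]


def summarize(text):
    """Run the whole pipeline over a log and return the figures a responder wants."""
    events = list(parse_log(text))
    counts = daily_counts(events)
    return {
        "clients": sorted({c for _, c, _ in events}),  # hosts to triage/restore
        "per_domain": {d: sum(days.values()) for d, days in counts.items()},
        "first_seen": {d: first_seen(counts, d) for d in DGA_WATCHLIST},
        "off_month": len(off_month_queries(events)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point `summarize` at an exported resolver or Umbrella log in the same five-field shape, and the `clients` list is the set of hosts that need the restore-or-reinstall treatment described above.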
As part of our response to this threat, Cisco Talos has released comprehensive coverage to protect customers. Details related to this coverage can be found in the "Coverage" section of this post.

CONCLUSION

This is a prime example of the lengths attackers are willing to go to in their attempts to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files and web servers used to distribute updates. In many organizations, data received from commonly used software vendors rarely receives the same level of scrutiny as data from sources perceived as untrusted. Attackers have shown that they are willing to leverage this trust to distribute malware while remaining undetected. Cisco Talos continues to monitor all aspects of the threat landscape to quickly identify new and innovative techniques used by attackers to target organizations and individuals around the world.

COVERAGE

The following ClamAV signatures have been released to detect this threat: 6336251, 6336252.

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.
INDICATORS OF COMPROMISE (IOCS)

File Hashes

DGA Domains

IP Addresses

POSTED BY EDMUND BRUMAGHIN AT 3:51 AM

25 COMMENTS:

BJ SEPTEMBER 18, 2017 AT 5:43 AM
I have the 5.34 version of CCleaner installed on my computer and I had probably the 5.33 version before. Is my computer still vulnerable or not? What can I do to ensure my computer is clean?

CRAIG WILLIAMS SEPTEMBER 18, 2017 AT 6:10 AM
This isn't a vulnerability. The 5.33 installer had malware included with it during the time window indicated in the blog. If you upgraded from 5.33 which was installed in the above window, you should recover from a backup prior to that version.

UNKNOWN SEPTEMBER 18, 2017 AT 7:03 AM
Thanks for this write-up, I really appreciate how you made a pretty complex thing approachable and easy to read. I think a major problem with cyber security articles is they are either too lite or too technical; this article did a great job at striking a balance. As your average data analyst with no feed in dev or security it gave me a great overview. Thank you.

ZILHAZ RAHMAN SEPTEMBER 18, 2017 AT 11:37 AM
Share the same opinion.

HERMES ROMERO SEPTEMBER 18, 2017 AT 7:49 AM
Great job guys!

UNKNOWN SEPTEMBER 18, 2017 AT 9:11 AM
Is it possible for antivirus software to "clean the malware out" or is reinstalling the system necessary?

CRAIG WILLIAMS SEPTEMBER 18, 2017 AT 9:28 AM
That really depends on how the antivirus program works. Generally speaking I would recommend reinstalling, but if you don't have backups you could try scanning and removing infected files with a tool like Immunet - http://www.immunet.com/index

N30Ñ ® SEPTEMBER 18, 2017 AT 9:56 AM
What about using Cisco's ClamAV itself since it seems like the first one to have actually gotten updated with the right signature patterns?

CRAIG WILLIAMS SEPTEMBER 18, 2017 AT 10:07 AM
Immunet uses ClamAV, both of them are updated by Talos. BTW

YT SEPTEMBER 18, 2017 AT 1:06 PM
Are Amp and Immunet the same thing?

CRAIG WILLIAMS SEPTEMBER 18, 2017 AT 2:12 PM
No but they share some detection technologies. Amp is the enterprise tool that has additional features.

UNKNOWN SEPTEMBER 18, 2017 AT 9:49 AM
Will simply uninstalling remove this as well?
CRAIG WILLIAMS SEPTEMBER 18, 2017 AT 9:50 AM
Uninstalling the tool will not remove the malware. To remove the malware you should restore from a previous backup that is known to be clean or try a virus removal tool.
UNKNOWN SEPTEMBER 18, 2017 AT 11:13 AM
Really excellent work, well done on the detective work ^_^

DAD98252 SEPTEMBER 18, 2017 AT 11:17 AM
That's an impressive amount of reverse engineering that you did in only 5 days. I'm just curious, how did you determine the variable names used in the structures? Did this nasty hacker go through all the trouble of blanking headers and encryption and then not strip debugger information from his object files??
-John in Greenbank

CRAIG WILLIAMS SEPTEMBER 18, 2017 AT 2:20 PM
It only took the reversing team 2 days to reverse the malware. There were no symbols or debugger info contained in the binary. Just good old reverse engineering on our end.

SOFTNET SEPTEMBER 18, 2017 AT 2:15 PM
Sure, u should not uninstall the tool to remove the malware. To remove the malware completely u should restore a clean backup.

ROBERT JOHNSON SEPTEMBER 18, 2017 AT 5:55 PM
+1 for pun.

TETRAVAAL SEPTEMBER 18, 2017 AT 6:01 PM
"A Vast Number of Machines at Risk" and the vendor is AVAST... I see what you did there. :-)

YAROSLAV MALOY SEPTEMBER 18, 2017 AT 8:57 PM
So only the 32-bit version was malicious? 5.33 64-bit was fine?

JAESON SCHULTZ SEPTEMBER 21, 2017 AT 4:54 PM
Correct. Only the 32-bit version of CCleaner was affected.

SATHYA G SEPTEMBER 19, 2017 AT 2:43 AM
I have really enjoyed reading your blog posts. This information is impressive. I am inspired with your post. I hope you post again soon. Your post is very helpful for me. Photos very nice. MSBI Training in Chennai

PAUL COMTOIS SEPTEMBER 21, 2017 AT 4:48 PM
I manage the antivirus systems for my employer's business here at Triella in Canada and I have evidence from Webroot that this started much earlier than August. We have a client record of a blocked CCLeaner.exe detection on June 25th flagged as W32.Hacktool.Rpdpatch. We were lucky that I did not whitelist the threat as safe because at the time Webroot had a problem with mis-categorizing legitimate software as malware. This threat was found on a server and since we regularly used CCleaner on desktops but not servers, I was suspicious of it and contacted Webroot support about it as well. I am going to be posting an article on our website about this shortly.
Reply http://www.talosintelligence.com/ http://www.talosintelligence.com/software http://www.talosintelligence.com/vulnerability_info http://www.talosintelligence.com/reputation http://www.talosintelligence.com/resources http://www.talosintelligence.com/community http://www.talosintelligence.com/about http://www.talosintelligence.com/careers http://blog.talosintelligence.com/ http://www.talosintelligence.com/software http://www.talosintelligence.com/snort http://www.talosintelligence.com/clamav http://www.talosintelligence.com/razorback http://www.talosintelligence.com/daemon http://www.talosintelligence.com/moflow http://www.talosintelligence.com/pesig http://www.talosintelligence.com/immunet http://www.talosintelligence.com/teslacrypt_tool http://www.talosintelligence.com/mbrfilter http://www.talosintelligence.com/first http://www.talosintelligence.com/lockydump http://www.talosintelligence.com/freesentry http://www.talosintelligence.com/flokibot http://www.talosintelligence.com/scanner http://www.talosintelligence.com/smart_scanner http://www.talosintelligence.com/ropmemu http://www.talosintelligence.com/vulnerability_info http://www.talosintelligence.com/vulnerability_reports http://www.talosintelligence.com/ms_advisories http://www.talosintelligence.com/reputation http://www.talosintelligence.com/reputation_center http://www.talosintelligence.com/amp-naming http://www.talosintelligence.com/documents/ip-blacklist http://www.talosintelligence.com/awbo_intro http://www.talosintelligence.com/community https://snort.org/community https://www.clamav.net/contact.html#ml http://www.talosintelligence.com/aspis https://www.spamcop.net/ javascript:; javascript:; https://www.blogger.com/profile/12171861555051153973 http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html?showComment=1505772097401#c8693025993094386238 javascript:; https://www.blogger.com/profile/06888073313813899894 
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html?showComment=1505782653931#c1394119824145434464 javascript:; https://www.blogger.com/profile/02331805684861640423 http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html?showComment=1506027280580#c1592236172262973090 https://www.blogger.com/profile/02885733340372210212 http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html?showComment=1505803434813#c3604030898746719030 http://www.thinkittraining.in/microsoft-bi javascript:; https://www.blogger.com/profile/15127497298701607889 http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html?showComment=1506026923086#c2724456599402286610 javascript:; Software Vulnerability Information Reputation Center Library Support Communities About Careers Blog BACK Snort ClamAV Razorback Daemonlogger Mo�ow PE-Sig Immunet Teslacrypt Decryption Tool MBR Filter FIRST LockyDump FreeSentry Flokibot Tools Synful Knock Scanner Cisco Smart Install Scanner ROPMEMU BACK Vulnerability Reports Microsoft Advisories BACK Email & Web Tra�c Reputation AMP Threat Naming Conventions IP Blacklist Download AWBO Exercises BACK Snort Community ClamAV Community Project Aspis SpamCop N E W E R P O S T O L D E R P O S TH O M E S U B S C R I B E T O : P O S T C O M M E N T S ( AT O M ) Replies Reply Sign out   Notify me Enter your comment...   Comment as:  ggyy (Google) Publish   Preview SJON287612 SEPTEMBER 21, 2017 AT 6:29 PM Is the process of installing ccleaner alone enough to execute the malicious payload or would the 32bit executable of ccleaner.exe itself have to be executed post-installation? Reply CRAIG WILLIAMS SEPTEMBER 21, 2017 AT 6:50 PM The installation alone was enough. 