The group behind the attack remains unknown. He said simply removing the stage-one infection is insufficient given the proof now available that the second stage can survive and remain stealthy. Now that it's known the CCleaner backdoor actively installed a payload that went largely undetected for more than a month, Williams renewed his advice that people who installed the 32-bit version of CCleaner or CCleaner Cloud reformat their hard drives. Combined, the information would allow attackers not only to further infect computers belonging to a small set of targeted organizations, but it would also ensure the later-stage payload is stable and undetectable. Stage one of the malware collected a wide assortment of information from infected computers, including a list of all installed programs, all running processes, the operating-system version, hardware information, whether the user had administrative rights, and the hostname and domain name associated with the system. ![]() It's clear that whoever made this has used it before and is likely going to use it again." Advertisement "This is someone who spent a lot of money with a lot of developers perfecting it. "When you look at this software package, it's very well developed," Williams told Ars. Researchers are in the process of reverse engineering the payload to understand precisely what it does on infected networks. ![]() Craig Williams, a senior technology leader and global outreach manager at Talos, said the code contains a "fileless" third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. The complex code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. The second stage appears to use a completely different control network. Again, because the data covers only a small fraction of the time the backdoor was active, both Avast and Talos believe the true number of targets and victims was much bigger. The 20 computers that installed the payload were from eight of those targeted organizations, Avast said, without identifying which ones. Of 700,000 infected PCs, 20 of them, belonging to highly targeted companies, received the second stage, according to an analysis published Wednesday by Cisco Systems' Talos Group.īecause the CCleaner backdoor was active for 31 days, the total number of infected computers is "likely at least in the order of hundreds," researchers from Avast, the antivirus company that acquired CCleaner in July, said in their own analysis published Thursday.įrom September 12 to September 16, the highly advanced second stage was reserved for computers inside 20 companies or Web properties, including Cisco, Microsoft, Gmail, VMware, Akamai, Sony, and Samsung. The new evidence-culled from data left on a command-and-control server during the last four days attackers operated it-shows otherwise.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |