2025-02-27 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
Many readers are unsure how to analyse the malicious code found in CCleaner and how to respond to the early warning. This article summarises 360CERT's findings: which builds were tampered with, how the implant works, the indicators of compromise, and what affected users should do.
On September 18, 2017, Piriform officially issued a security announcement stating that the 32-bit builds of CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 had been tampered with and implanted with malicious code.
After tracking and analysis, 360CERT confirmed that the versions named in the announcement do contain malicious code, and that this code can fetch and execute arbitrary code from the attacker, which makes the impact serious.
CCleaner has a very large user base. Users of the affected versions are advised to check their installations and upgrade as soon as possible.
0x01 Scope of impact
1. Scope
CCleaner is very widely installed, so the number of potentially affected machines is large.
Based on the analysis so far, the malicious code in the affected CCleaner builds can download and execute arbitrary code, so the potential harm is serious.
2. Affected versions
CCleaner version 5.33.6162
CCleaner Cloud version 1.07.3191
3. DNS request activity
0x02 Technical details
According to the official announcement, the malicious code lives in the CCleaner.exe program itself. It receives and executes instructions sent by a remote command-and-control (C2) server, which technically makes it a second-stage backdoor: the tampered binary is only a loader, and the real payload is whatever the C2 sends back.
The malicious code is triggered through a TLS (Thread Local Storage) callback. TLS is a mechanism in the Windows NT family that gives each thread its own copy of a variable; a PE image can register TLS callback functions in its TLS directory, and the Windows loader invokes them when the process starts (and again when threads are created), before the program's entry point is reached. That makes a TLS callback a convenient place to hide code that runs before main(), and it is exactly where this implant starts.
The malicious code in the TLS callback therefore runs before the main function and does the following:
1. XOR-decrypts and decompresses a hard-coded shellcode blob (about 10 KB) embedded in the program.
2. Decrypts a DLL (about 16 KB) whose MZ header has been erased, so that the embedded payload does not show up in a naive scan for executables inside the file.
3. Loads the DLL and runs it in a separate thread, where it keeps running in the background for a long time.
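To make the TLS-callback entry point concrete, here is an added example (not code from the original report or from 360CERT) that enumerates the TLS callbacks registered in a PE file, which is the first thing an analyst would check on a build suspected of this kind of tampering. It reads the TLS data directory (index 9), translates the RVA through the section table, and follows AddressOfCallBacks to the null-terminated array of callback addresses. The PE image it is run against here is a minimal constructed header, not CCleaner.exe; the build_test_pe helper exists only so the example runs offline, and the callback addresses it registers are arbitrary.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def tls_callbacks(pe):
    """Return the virtual addresses of all TLS callbacks registered in a PE image.

    Handles PE32 and PE32+. An empty list means the loader has nothing to run
    through the TLS mechanism before the entry point.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24                      # start of the optional header
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                       # PE32
        image_base, = struct.unpack_from("<I", pe, opt + 28)
        ndirs_off, ptr = opt + 92, "<I"
    elif magic == 0x20B:                     # PE32+
        image_base, = struct.unpack_from("<Q", pe, opt + 24)
        ndirs_off, ptr = opt + 108, "<Q"
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ptr_size = struct.calcsize(ptr)

    ndirs, = struct.unpack_from("<I", pe, ndirs_off)
    if ndirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return []                            # no TLS directory entry at all
    dirs = ndirs_off + 4
    tls_rva, _tls_size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0:
        return []

    sec = opt + opt_size                     # section table follows the optional header
    raw = [struct.unpack_from("<IIII", pe, sec + 40 * i + 8) for i in range(nsections)]
    # unpack order is VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [(va, vsize, rawsize, rawptr) for vsize, va, rawsize, rawptr in raw]

    # IMAGE_TLS_DIRECTORY: StartAddressOfRawData, EndAddressOfRawData,
    # AddressOfIndex, AddressOfCallBacks (pointer-sized VAs), then two DWORDs.
    tls_off = _rva_to_offset(tls_rva, sections)
    callbacks_va, = struct.unpack_from(ptr, pe, tls_off + 3 * ptr_size)
    if callbacks_va == 0:
        return []
    off = _rva_to_offset(callbacks_va - image_base, sections)
    found = []
    while True:                              # the array is terminated by a NULL pointer
        cb, = struct.unpack_from(ptr, pe, off)
        if cb == 0:
            return found
        found.append(cb)
        off += ptr_size


def build_test_pe(callback_rvas, image_base=0x400000):
    """Construct a minimal PE32 image (headers only, not runnable) that registers
    the given TLS callbacks. Made up so the example can run offline."""
    SEC_VA, SEC_RAW = 0x1000, 0x200
    pe = bytearray(SEC_RAW + 0x100)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                           # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", pe, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF header
    opt = 0x58
    struct.pack_into("<H", pe, opt, 0x10B)                           # PE32 magic
    struct.pack_into("<I", pe, opt + 28, image_base)
    struct.pack_into("<I", pe, opt + 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", pe, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, SEC_VA, 24)
    sec = opt + 224
    pe[sec:sec + 8] = b".tls\0\0\0\0"
    struct.pack_into("<IIII", pe, sec + 8, 0x100, SEC_VA, 0x100, SEC_RAW)
    cb_va = image_base + SEC_VA + 0x20                               # callback array VA
    struct.pack_into("<IIII", pe, SEC_RAW, 0, 0, 0, cb_va)           # TLS directory
    for i, rva in enumerate(callback_rvas):
        struct.pack_into("<I", pe, SEC_RAW + 0x20 + 4 * i, image_base + rva)
    return bytes(pe)


if __name__ == "__main__":
    sample = build_test_pe([0x1100, 0x1200])
    print(["0x%x" % cb for cb in tls_callbacks(sample)])
```

On a real sample, pass the file contents to tls_callbacks and compare each returned address against the code the entry point would normally reach; a callback pointing into a region that decrypts and maps another image is the pattern described above.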
The DLL that is loaded and run is heavily obfuscated (encrypted strings, indirect API calls, and so on). Its main actions are as follows:
It attempts to store its state under the Windows registry key HKLM\SOFTWARE\Piriform\Agomo:
MUID: a random string; whether it is used in C2 communication is not confirmed
TCID: timer execution period
NID: control server address
It attempts to collect the following local information:
Hostname
List of installed software, including Windows updates
Process list
MAC addresses of the first three network adapters
Whether the process is running with administrator privileges, whether it is 64-bit, and so on
The collected information is base64-encoded.
The encoded information is sent to a fixed remote IP address, 216[.]126[.]225[.]148, by HTTPS POST with a forged Host header of speccy.piriform.com, so that the traffic resembles legitimate Piriform telemetry.
The malicious code then receives a second-stage payload back from 216[.]126[.]225[.]148. The second-stage payload is base64-encoded and is decrypted with the same XOR algorithm used in the first stage.
To survive the hard-coded IP becoming unavailable, the malicious code also contains a DGA (domain generation algorithm) as a fallback channel. At present these domains have been determined to be outside the attacker's control.
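The decoding chain described in the first-stage steps and in the second-stage response above (base64 decode, XOR decrypt, put the erased MZ signature back, confirm the result is a PE image) is what an analyst reproduces to recover the payload. Here is an added example of that chain; it is not code from the original report. The XOR key (EXAMPLE_KEY) is a hypothetical placeholder, since the advisory does not give the real key, and the "C2 response" is constructed inside the block from a minimal fake PE header so the example runs offline. The wrong-key path shows why the PE-signature check belongs in the decoder: a bad key produces bytes that pass no sanity check.

```python
import base64
import struct

# Hypothetical key for illustration only; the real implant's key is not given
# in the advisory above.
EXAMPLE_KEY = b"agomo"


def xor_crypt(data, key):
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def restore_mz_header(image):
    """Put the erased 'MZ' signature back and check that the result is a PE image."""
    fixed = b"MZ" + image[2:]
    if len(fixed) < 0x40:
        raise ValueError("blob too short to be a PE image")
    e_lfanew, = struct.unpack_from("<I", fixed, 0x3C)
    if fixed[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("decoded blob does not carry a PE signature at e_lfanew")
    return fixed


def decode_second_stage(b64_body, key):
    """C2 response body -> base64 decode -> XOR decrypt -> MZ restore -> PE check."""
    return restore_mz_header(xor_crypt(base64.b64decode(b64_body), key))


def make_sample_response(key):
    """Construct a fake C2 response: a minimal PE header with 'MZ' zeroed,
    XOR-encrypted and base64-encoded. Made up for this example."""
    hdr = bytearray(0x60)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> 'PE\0\0' at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    hdr[0x44:0x46] = struct.pack("<H", 0x14C)    # Machine = i386
    stripped = b"\0\0" + bytes(hdr[2:])          # erase the MZ signature
    return base64.b64encode(xor_crypt(stripped, key))


if __name__ == "__main__":
    body = make_sample_response(EXAMPLE_KEY)
    dll = decode_second_stage(body, EXAMPLE_KEY)
    print(dll[:2], dll[0x40:0x44])
```

With a captured response body and the key recovered from the first-stage loader, the same decode_second_stage call yields the DLL that the loader would have mapped into its background thread.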
Related screenshots in the original report (disassembly views, not reproduced here): the DGA generation algorithm, local information gathering, string obfuscation, indirect API calls, collection of non-Microsoft installers, and enumeration of active system processes.
Indicators of Compromise (IOCs)
List of DGA domain names
Date            Domain name
January 2017    abde911dcc16.com
February 2017   ab6d54340c1a.com
March 2017      aba9a949bc1d.com
April 2017      ab2da3d400c20.com
May 2017        ab3520430c23.com
June 2017       ab1c403220c27.com
July 2017       ab1abad1d0c2a.com
August 2017     ab8cee60c2d.com
September 2017  ab1145b758c30.com
October 2017    ab890e964c34.com
November 2017   ab3d685a0c37.com
December 2017   ab70a139cc3a.com
January 2018    abde911dcc16.com
February 2018   ab99c24c0ba9.com
March 2018      ab2e1b782bad.com
File hashes (SHA-256)
6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9
1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9
IP address
216[.]126[.]225[.]148
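Turning the indicators above into a check, here is an added example (not from the original report) that scans DNS, proxy and file-inventory records for the listed DGA domains, the C2 IP with its forged Host header, and the three file hashes. The three log formats and every record in them are constructed for this example, so adapt the regular expressions to your own telemetry; the point it adds beyond the list itself is the normalisation (case, trailing dot) that a naive string match would miss.

```python
import re

# Indicators from the advisory above, with the defanging brackets removed.
C2_IP = "216.126.225.148"
FAKE_HOST = "speccy.piriform.com"
DGA_DOMAINS = {
    "abde911dcc16.com", "ab6d54340c1a.com", "aba9a949bc1d.com", "ab2da3d400c20.com",
    "ab3520430c23.com", "ab1c403220c27.com", "ab1abad1d0c2a.com", "ab8cee60c2d.com",
    "ab1145b758c30.com", "ab890e964c34.com", "ab3d685a0c37.com", "ab70a139cc3a.com",
    "ab99c24c0ba9.com", "ab2e1b782bad.com",
}
FILE_HASHES = {
    "6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9",
    "1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff",
    "36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9",
}

# Constructed sample telemetry (made up for this example): "<timestamp> <host> <fields>".
DNS_LOG = """\
2017-09-19T10:01:02Z ws-042 query=ab1145b758c30.com type=A
2017-09-19T10:01:05Z ws-042 query=update.piriform.com type=A
2017-09-19T10:02:11Z ws-017 query=AB890E964C34.COM. type=A
"""
PROXY_LOG = """\
2017-09-19T10:01:03Z ws-042 CONNECT 216.126.225.148:443 host=speccy.piriform.com
2017-09-19T10:03:00Z ws-009 CONNECT 203.0.113.7:443 host=www.piriform.com
"""
# "<host> <path with spaces> <sha256>"
FILE_LOG = """\
ws-042 C:\\Program Files\\CCleaner\\CCleaner.exe 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9
ws-009 C:\\Program Files\\CCleaner\\CCleaner.exe 0000000000000000000000000000000000000000000000000000000000000000
"""


def dns_hits(log):
    """(host, domain) for every query that resolves to a known DGA domain."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"query=(\S+)", line)
        if not m:
            continue
        # Resolvers log mixed case and a trailing dot; normalise before matching.
        domain = m.group(1).rstrip(".").lower()
        if domain in DGA_DOMAINS:
            hits.append((line.split()[1], domain))
    return hits


def proxy_hits(log):
    """(host, ip, reason) for every connection to the C2 IP; note the forged Host."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"CONNECT (\d+\.\d+\.\d+\.\d+):\d+ host=(\S+)", line)
        if not m:
            continue
        ip, host = m.groups()
        if ip == C2_IP:
            reason = "C2 IP"
            if host.lower() == FAKE_HOST:
                reason += " with forged Host header"
            hits.append((line.split()[1], ip, reason))
    return hits


def file_hits(log):
    """(host, path) for every inventory record whose SHA-256 is a known bad hash."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host, sha256 = parts[0], parts[-1].lower()
        if sha256 in FILE_HASHES:
            hits.append((host, " ".join(parts[1:-1])))
    return hits


if __name__ == "__main__":
    for hit in dns_hits(DNS_LOG) + proxy_hits(PROXY_LOG) + file_hits(FILE_LOG):
        print(hit)
```

A hash or version match only shows that the tampered build was installed; the DNS and proxy hits, together with the HKLM\SOFTWARE\Piriform\Agomo registry key from 0x02, are what show that the backdoor actually ran and reached out.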
0x03 Security recommendations
1. Users are advised to download the latest version and update as soon as possible. Because the implant stores its state under HKLM\SOFTWARE\Piriform\Agomo and beacons to the IP and domains listed above, those indicators can be used to tell whether a machine actually ran the backdoor, not only whether an affected version was installed.
2. 360 Security Guard has been updated and now intercepts the affected files. Users who are unsure whether they are affected can install 360 Security Guard and run a security assessment.