CCleaner logo

Avast's Threat Intelligence Team published new details today about the CCleaner malware incident that came to light on Monday.

According to Avast, the database where the CCleaner hackers were collecting data from infected hosts ran out of space and was deleted on September 12, meaning information on previous victims is now lost to investigators and the number of computers infected with the second-stage backdoor payloads may be larger than initially believed.

This means there could still be — and there certainly are — more large technology firms that currently have a backdoor on their network.

Short summary of the CCleaner incident

The CCleaner incident came to light on Monday, when it was discovered that two versions of the CCleaner application offered for download between August 15 and September 12 were laced with malware.

This (first-stage) malware would execute on 32-bit platforms only, collect data about the infected PC, and send the gathered details to a remote C&C server.

The server would store this information into a MariaDB (MySQL fork), and would run a series of filters on each infected host to determine if to send a second-stage payload, a very stealthy backdoor trojan.

Based on analysis from Cisco Talos published yesterday, the C&C server looked for computers on the networks of large tech corporations.

Based on a list recovered by researchers, targeted companies included Google, Microsoft, HTC, Samsung, Intel, Sony, VMWare, O2, Vodafone, Linksys, Epson, MSI, Akamai, DLink, Oracle (Dyn), Gauselmann, and Singtel.

The attacker's database recorded information on all computers infected with the first and second-stage malware. There were 700,000 entries for computers infected with the first-stage malware, and only 20 for the second-stage malware.

Authorities seized C&C server, recovered data, logs

When security firms detected the tainted CCleaner executables, they contacted Avast, which with the help of law enforcement, seized the server where user data was being collected.

Cisco Talos published an initial analysis on the data stored in this database yesterday, while Avast published its own today. Compared with the Cisco report, Avast found some new details.

The new information was extracted from the server's logs and shows that the server was set up just days before attackers embedded their malware to the CCleaner binaries.

Despite the server being up for more than a month, Cisco noted that the database contained information on infections that were active between September 12 and September 16, and nothing more.

Avast says that after a deeper analysis of the logs, they find evidence that the server's disk storage had been filled, and attackers had to delete the collected data they recorded up to that point (they most likely downloaded it before deleting it).

To better understand what happened, below is a timeline based on Avast's log analysis.

July 31, 06:32  ⮞  Attackers install server.
August 11, 07:36  ⮞  Attackers initiate data gathering procedures in preparation for August 15 when they poison the CCleaner binary, and later the CCleaner Cloud binary.
September 10 20:59  ⮞  Server runs out of space and stops data collection.
September 12 07:56  ⮞  Attacker wipes database.
September 12 08:02  ⮞  Attacker reinstalls database.
September 16  ⮞  Authorities seize C&C server and adjacent database.

28 days of data lost

What this means is that data for 28 days of infections is now lost. Investigators are now unable to determine if other tech companies have now backdoors on their networks.

This means that any company that has ever deployed CCleaner on its network must now wipe systems clear, just to be sure the second-stage malware is not hidden somewhere on its network.

"It is unfortunate that the server was a low-end machine with limited disk capacity, because if weren’t for this (just 5 days before we took the server down), we would likely have a much clearer picture of exactly who was affected by the attack as the entire database would have been intact from the initial launch date," Avast said today.