Avast Anti-Virus Infection May Lead to Infection of Millions—or Even Billions—of Computers, Including Yours
“Companies spend millions of dollars on firewalls, encryption, and secure access devices, and it’s money wasted because none of these measures address the weakest link in the security chain.” - Kevin Mitnick [who might have seen this coming].
Avast, a security software vendor supposedly protecting us users from hackers and malware, has let us down, exposing our information and leaving our systems open to unauthorized access.
A software update for a Windows utility distributed by Avast has been spreading malware that leaves affected computers open to remote control. Because the package carried a legitimate signing certificate, many users took the bait.
In simple terms, it’s as if CCleaner were installed on your computer to make it even “dirtier”.
The malware was distributed by the update server for the Windows cleanup utility CCleaner. It was inserted by an attacker who compromised the software supply chain of its developer, Piriform, which Avast acquired back in July. More than 2 billion downloads of CCleaner have been recorded worldwide, so the potential impact of the malware is staggering and difficult to remedy.
Avast’s negligence, much like the lax safeguards behind the Equifax breach, paved the way for this fiasco.
Software updates are increasingly attractive to malware distributors: they offer a virtually unchecked path to plant back doors on billions of machines.
A software update for M.E. Doc, originating in Ukraine, was hijacked to distribute the NotPetya ransomware back in July. Likewise, the “watering hole” attacks that compromised Facebook, Twitter, and Apple four years ago were designed to break into the computers used by software developers. Such access gives the attackers compilation tools, signing certificates, and control over the software update workflow.
In their blog post, Cisco Talos Intelligence researchers Edmund Brumaghin, Ross Gibb, Warren Mercer, Matthew Molyett and Craig Williams reported that Talos had detected the malware during beta testing of a new exploit-tracking technology.
The malware, hidden inside the signed installer for CCleaner v5.3, contains code that phones home to a command-and-control (C&C) server, as well as a domain-generation algorithm (DGA) intended to locate a new C&C server if the hard-coded IP address of the primary server goes offline.
Copies of the malicious installer were distributed to CCleaner users from August 15 to September 12, 2017, signed with a genuine certificate issued to Piriform Ltd by Symantec.
In response, Talos registered all of the domains produced by the algorithm that were not already taken, to “black hole” the malware and proactively cut off its communications for good.
Once Avast became aware of the malware, it instructed ServerCrate, the hosting provider to which the hard-coded IP address pointed, to take the server down.
The malware first checks whether it is running with administrative privileges and halts if it is not.
It goes dormant if it does not receive a response to an HTTPS request sent to the primary C&C server.
According to Talos’ findings, if the malware does reach the C&C server, it builds a system profile of the infected computer and posts it back to the server. It then retrieves shellcode from the server, executes it locally, and erases the code from memory.
A bug in the malware code prevented it from using the IP address produced by the domain-generation algorithm: the code was never able to reach the address it computed.
The bug may simply have been an incomplete feature intended to be finished in a later update. The algorithm’s code looks up the DNS records of the domains it generates from the current date, expecting two IP addresses in the answers. Once it has them, it performs a calculation on the values of the two addresses to derive another IP address.
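As an added example (not code from the article, and not the CCleaner implant's actual algorithm), the following Python script models the two mechanisms described above: a domain-generation algorithm seeded only by the date, and a fallback C&C address derived from two DNS answers. It shows the defender's side of the story and why Talos could "black hole" the malware by registering the domains first: a DGA whose only input is the calendar date is just as predictable to the defender as to the attacker, so the domains can be enumerated ahead of time, registered or sinkholed, and matched against resolver logs. The seed, hashing scheme, TLD list, the XOR rule for combining the two addresses, and the resolver log lines are all constructed assumptions for illustration.

```python
"""Added example, not code from the original article and not the CCleaner
implant's own algorithm.  It models a date-seeded DGA and a fallback C&C
address computed from two DNS answers with assumed rules, and shows the
defender's use: enumerate the domains in advance (to register/sinkhole them)
and match resolver logs against that watch-list."""
import hashlib
import ipaddress
from datetime import date, timedelta

# Assumptions: the per-family seed, the hashing scheme and the TLD list are
# placeholders chosen for illustration; a real DGA's rules come from analysis
# of the sample.
SEED = b"illustrative-dga-seed"
TLDS = ("com", "net")


def dga_domain(day, tld):
    """Derive one domain deterministically from a calendar date.

    Because the only input is the date, anyone who knows the scheme can
    compute every domain the implant will try on any future day; that is
    what lets a defender register them first ("black holing").
    """
    digest = hashlib.sha256(SEED + day.isoformat().encode()).hexdigest()
    return f"{digest[:12]}.{tld}"


def enumerate_domains(start, days):
    """All domains for `days` consecutive dates beginning at `start`."""
    return [dga_domain(start + timedelta(days=d), tld)
            for d in range(days) for tld in TLDS]


def combine_addresses(first, second):
    """Fold two resolved A records into a third address.

    The article says the implant derives its fallback C&C address from the
    values of two DNS answers.  XOR-ing the addresses is an assumed stand-in
    for whatever rule the real code used; the point is that a sinkhole
    operator who controls both answers also controls the result.
    """
    folded = int(ipaddress.IPv4Address(first)) ^ int(ipaddress.IPv4Address(second))
    return str(ipaddress.IPv4Address(folded))


def flag_dga_lookups(log_lines, watchlist):
    """Return (client, domain) pairs whose query matches a watch-listed domain.

    Expected line format (constructed for this example):
    '<timestamp> <client-ip> query <domain>'.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) == 4 and fields[2] == "query" and fields[3].lower() in watchlist:
            hits.append((fields[1], fields[3].lower()))
    return hits


# Constructed resolver log for one day inside the article's distribution
# window; the DGA domains are generated here so the sample is self-consistent.
DAY = date(2017, 9, 12)
SAMPLE_DNS_LOG = [
    f"2017-09-12T10:00:01 10.1.2.3 query {dga_domain(DAY, 'com')}",
    "2017-09-12T10:00:02 10.1.2.3 query update.example.org",
    f"2017-09-12T10:00:05 10.1.2.9 query {dga_domain(DAY, 'net')}",
    "2017-09-12T10:00:06 10.1.2.7 query www.example.com",
]


def run_example():
    """Build a 30-day watch-list from the sample date and scan the constructed log."""
    watchlist = set(enumerate_domains(DAY, 30))
    return flag_dga_lookups(SAMPLE_DNS_LOG, watchlist)


if __name__ == "__main__":
    for client, domain in run_example():
        print(f"{client} looked up DGA domain {domain}")
    # With both sinkhole answers under the defender's control, the derived
    # fallback address is predictable too (RFC 5737 documentation addresses).
    print(combine_addresses("192.0.2.10", "192.0.2.3"))
```

In practice the watch-list would be generated for a window well past today and fed to the resolver's response-policy zone or the proxy's blocklist, and the hits would be raised as "host running a DGA-equipped implant" rather than just blocked, since the lookup itself is the indicator that the installer ran with the privileges the article describes.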