back to article Avast urges devs to secure toolchains after hacked build box led to CCleaner disaster

Avast staffers spoke at the Virus Bulletin International Conference in Madrid, Spain, on Thursday to shed more light on their postmortem of the CCleaner fiasco – and urge developers to protect their software's toolchain and distribution systems from hackers. The widely used utility, which removes unwanted temporary files and …

  1. Anonymous Coward
    Anonymous Coward

    CC Cleaner is an enterprise tool?

    IME, third party optimisation tools like CC Cleaner are STRONGLY disapproved of by enterprise IT teams, and ITSec staff. For home users, tinkerers, might have some use, but the only installation on corporate systems I could see being useful would be for compatibility testing (which shouldn't be internet facing, or loose on the corporate network?).

    I therefore wonder if the 40 infected machines were on unapproved installations by users? Some might need admin privileges for development purposes, but I still wonder why CC Cleaner found its way onto these corporate systems.

    1. The obvious

      Re: CC Cleaner is an enterprise tool?

      I have always found the presence of CCleaner (and the like) a useful flag that the machine has been tampered with by someone who doesn't know what they're doing - and that it needs nuking as a result.

      1. OldSoCalCoder

        Re: CC Cleaner is an enterprise tool?

        Yes, in a business environment where the only thing that should be on the pc is whatever IT put there, CCleaner would suggest a user trying to 'fix' a business pc they might have accidentally infected.

        However, for the home user or a 1 pc business CCleaner is suggested as a final step when trying to recover a pc when nuking is not, or is the last, option. Doesn't happen? Wanna bet? You've never been called to look at a friend's home office pc that's running some ancient accounting software, no idea of where any of the original install software is, unknown/nonexistent/untested backups and the complaint is 'it's acting funny'?

        I used CCleaner on my home pc just last month - it's running Windows 10 and the forced update made it unbootable, I restored from a drive image and wanted a text printout of installed programs. There's a tool in CCleaner that lets you do just that - export a list of installed programs. Which I did, before nuking the drive and reinstalling the os.

    2. Mr Dogshit

      Re: CC Cleaner is an enterprise tool?

      Well we wouldn't have to use tools like this if Microsoft provided the functionality people clearly need and want out of the box.

      1. Anonymous Coward
        Anonymous Coward

        Re: CC Cleaner is an enterprise tool?

        we wouldn't have to use tools like this if Microsoft provided the functionality people clearly need and want out of the box

        IME, anything that claims to "optimise your PC" is pure snake oil, and whatever the shortcomings of Microsoft's products, things like registry cleaners do more harm than good, even when they're not addled with malware. A bit like "battery optimisers" on phones. Installing these products represents a triumph of youthful optimism over sensible caution, or hard earned experience.

        I'm with Mr Obvious (above) that finding this on a machine is usually a sign of somebody who doesn't know what they are doing.

        1. Elmer Phud

          Re: CC Cleaner is an enterprise tool?

          It appears that you and Mr Obvious only think it's used for 'optimisation'.

          I use it to clean up new machines. Try finding McAfee on Windows 'uninstall'.

          Whizz through a simple interface turning off al sorts of things.

          Handy little tool, not 'optimisation'.

          1. Doctor Syntax Silver badge

            Re: CC Cleaner is an enterprise tool?

            "Handy little tool, not 'optimisation'."

            Surely cleaning vendors' bloatware is optimisation.

        2. BillG
          Facepalm

          Re: CC Cleaner is an enterprise tool?

          What Avast can now say is that the hacker gang infiltrated Piriform’s build server in April.

          Sorry, this makes no sense to me.

          Any software, any document, any application that I am intimately involved in creating and/or approving, I would certainly notice a dramatic change in file size. If I am one of 30 CCleaner developers I would be alarmed if my application went from 6MB to 9.5MB, and if I didn't notice somebody else would.

          Occam's Razor: Imagine you work for a company like Avast and you have samples of everyone's malware. You need to infect some machines for whatever purposes. You know it will be eventually discovered, that's inevitable. It would be simple to just take samples of Chinese malware and use it for your own purposes. Do it after it's all approved.

  2. aaaa
    FAIL

    XcodeGhost again, cmon people!

    The Register covered the XCodeGhost fiasco where some high profile app developers were releasing code built using compromised tools:

    https://www.theregister.co.uk/2015/09/23/xcodeghost_ios_app_infection_toll_rises_to_four_thousand/

    I said it then, and I'll repeat: What commercial software company would dare allow a developer machine to create a customer build? Requiring a 'pristine' build environment is software engineering 101.

    You commit your code - the build server checks out the code and performs the build in a clean environment.

    Publish the list of companies that build on developer PC's far and wide - so we all know to avoid anything they ever produce ever again. Have we learned nothing about software engineering in the past 35 years?

    1. Dan 55 Silver badge

      Re: XcodeGhost again, cmon people!

      There's a difference, Piriform was hacked and their official download was compromised and end users had no reason to suspect, XCodeGhost was an obviously unofficial version which end users (app developers) downloaded knowingly ignoring possible malware issues because it downloaded faster than from Apple's server.

      1. TVU

        Re: XcodeGhost again, cmon people!

        "There's a difference, Piriform was hacked and their official download was compromised and end users had no reason to suspect, XCodeGhost was an obviously unofficial version which end users (app developers) downloaded knowingly ignoring possible malware issues because it downloaded faster than from Apple's server"

        I might be wrong in this but I thought it was only the free version of CCleaner that was compromised and that was the one that was hosted on FileHippo (not any longer though the last time I checked).

    2. Brewster's Angle Grinder Silver badge

      Mount hobby horse. Charge!!!!!!

      "You commit your code - the build server checks out the code and performs the build in a clean environment.",

      *cough* From the article: "...the hacker gang infiltrated Piriform’s build server..." i.e. it was the build server that was compromised. *cough*

      1. aaaa

        Re: Mount hobby horse. Charge!!!!!!

        @Brewster - the detail in the article is very thin - it says 'This was the system used by a lead developer at the 30-person outfit to generate code' which suggests to me that it wasn't what most would consider a 'secure build environment' - more like some environment you log into. I decided to assume the author knew more than what's been written and go with the spirit of the headline 'Avast urges devs to secure toolchains'. Ie: the build system wasn't secure, and I'd argue was barely deserving of the name.

        @everyone - have u not heard of VMware? Teams of 1 can definitely have secure independent build systems.

        1. Charles 9

          Re: Mount hobby horse. Charge!!!!!!

          And have YOU heard of hypervisor attacks, aka Red Pills?

    3. Doctor Syntax Silver badge

      Re: XcodeGhost again, cmon people!

      "Requiring a 'pristine' build environment is software engineering 101."

      Putting 'pristine' in quotes says it all, really. You may think your build environment is pristine but if it's been got at you end up in exactly the situation Piriform found themselves in.

    4. Anonymous Coward
      Anonymous Coward

      Re: XcodeGhost again, cmon people!

      > What commercial software company would dare

      > allow a developer machine to create a customer build?

      I think you might be surprised by quite how small many successful software companies are.

    5. Anonymous Coward
      Anonymous Coward

      Re: XcodeGhost again, cmon people!

      "Publish the list of companies that build on developer PC's far and wide - so we all know to avoid anything they ever produce ever again. Have we learned nothing about software engineering in the past 35 years?"

      Yes, that if we were to practice what you preach, we probably would be left with NOTHING. THAT'S how far this goes. Plus you forget one-man houses who pretty much only have ONE computer. It MUST be BOTH developer AND builder out of necessity.

  3. Anonymous Coward
    Anonymous Coward

    Mycroft Holmes would be so proud...

    "Forensic work by Avast has identified that operations were performed and builds created by the CCleaner hackers during the working day of the Beijing timezone".

    Oooh, "forensic", eh? Well that must be right then.

    Thank goodness that black hats have the goodness always to work 9 to 5.

    1. Adam 1

      Re: Mycroft Holmes would be so proud...

      It is UTC+8, not like it could be Perth or Indonesia or Malaysia or Philippines or some other country working on night shift to make it look like China.

      1. DropBear
        Trollface

        Re: Mycroft Holmes would be so proud...

        Any ambiguity is clearly the fault of the people who ran the server - they should have just included a form with an obligatory "country" field on their "black hat login" page...

        1. Anonymous Coward
          Anonymous Coward

          Re: Mycroft Holmes would be so proud...

          If it is Chinese state sponsored hackers they would likely be working a regular day shift. It wasn't just the time, but also the association with APT17 that led them to suggest this.

          From what I've read, China's state sponsored hackers are full time employees. That's unlike Russia where a lot of their state sponsored hackers are ordinary blackhats who are induced into doing the state's bidding either out of patriotism or to avoid jail.

          1. This post has been deleted by its author

  4. Anonymous Coward
    Anonymous Coward

    TheRegister needs to ask them to confirm that the code from every release from April was checked and not just v5.33.6162

  5. Anonymous Coward
    Anonymous Coward

    Reputation index

    0 1 2 3 4 5 6 7 8 9 10

    Scale:

    0 = being CCleaner

    10 = good but make your own checks

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like