Trojan.PRForm.A

Threat description

Details

CATEGORYMalware
TYPETrojan

Summary

This detection identifies compromised installers for the CCleaner utility program, which have been altered to include a backdoor that silently runs in the background when the affected installer is launched.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the file or application, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more assistance.

Contact Support

F-Secure customers may request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Supply chain compromise

On Monday, Sept 18 2017, security researchers reported that some versions of the installer for the popular free computer utility program CCleaner had been altered to include a backdoor, which was silently run when the installer was launched. The specific versions were identified as CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191.

The affected installers were available for download from the legitimate CCleaner download servers. According to reports, they had been available since early August 2017. The installers were signed by a valid digital signature from Piriform, the company that created the software.

News reports have noted that the unauthorized insertion must have taken place before the signing during the software development or distribution process, a type of attack also known as a 'supply chain compromise'.

For more information about the incident:

The backdoor's payload

When the compromised installer is run, the bundled backdoor code is launched as well and collects information from the system, including:

  • Computer name
  • List of installed software
  • List of running processes
  • MAC addresses of the first 3 network adapters

The harvested information is encrypted and sent to an external IP address. The backdoor also reportedly has the capability to download an additional payload from this server. At the time of writing, there have been no reports of any secondary payload being observed.

If the first server contacted is unreachable, the backdoor also includes a Domain Name Generator (DGA) that it can use to redirect to another command and control (C&C) server. According to reports, these alternative servers are not under the attackers control.

Detection and mitigation

The affected files are detected by F-Secure security products with the latest database updates as Trojan.PRForm.A and Backdoor.Agent.ABXS. Instructions on how to check if your F-Secure security product is using the latest database update are available in Community: How do I know that I have the latest updates?.

Users are also recommended to update their CCleaner software to version 5.34 or higher. According to news reports, an automated update to the CCleaner Cloud version has addressed the issue for that version.

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

More Info