Downloaded CCleaner lately? Oo, awks... it was stuffed with malware



Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users.

 

From source:

"For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner," researchers explained. "On September 13, 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities."

CCleaner has been downloaded over 2 billion times, with 5 million additional downloads a week.

Cisco Talos said it came across the malicious downloads while beta-testing a new exploit detection technology. Subsequent analysis revealed that hackers hijacked and hid malware inside versions of Avast's CCleaner application available for download between August 15 and September 12.

Anyone who downloaded the 5.33 version or updated their existing product during this timeframe became infected with a covert backdoor capable of spying on everything they did online.

 

https://www.theregister.co.uk/2017/09/18/tainted_ccleaner_downloads/

 

 

Edited by Jim K: changed title to match source

2 minutes ago, exotoxic said:

I was told it was Kaspersky that couldn't be trusted. ;)

Used to be a big Avast fan, not so much these days (haven't been for 3 or 4 years); despite this I was surprised to read this!


13 minutes ago, Mando said:

Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users.

 

From source:

"For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner," researchers explained. "On September 13, 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities."

CCleaner has been downloaded over 2 billion times, with 5 million additional downloads a week.

Cisco Talos said it came across the malicious downloads while beta-testing a new exploit detection technology. Subsequent analysis revealed that hackers hijacked and hid malware inside versions of Avast's CCleaner application available for download between August 15 and September 12.

Anyone who downloaded the 5.33 version or updated their existing product during this timeframe became infected with a covert backdoor capable of spying on everything they did online.

 

https://www.theregister.co.uk/2017/09/18/tainted_ccleaner_downloads/

 

 

Sounds like it was in the program itself if upgrading to a newer version removed it, so the main executable must have been infected. So was it not always spying on you if it's not running in the system tray? That's the first feature I always turn off.


3 minutes ago, muratoner said:

I'm guessing this wasn't the case for the portable version?

If it used 5.33 as the base, then yes, good chance of it.


4 minutes ago, warwagon said:

Sounds like it was in the program itself if upgrading to a newer version removed it, so the main executable must have been infected. So was it not always spying on you if it's not running in the system tray?

It was in the installer itself, so if you executed the installer, it grabbed the payload.

 

Stage 2 was only possible if the bundled crap detected you were running as an admin.

 

[image: ccleaner poisoned downloads]

 

This is more than enough for any Avast products to be wiped off any of my recommendation lists for anything. 

 

How do you "accidentally" inject a payload into your security products... being a security firm? Sorry, doesn't wash!

 


Just now, Mando said:

if it used 5.33 as the base, then yes good chance of it.

Damn, I gotta get an AV now. I thought you needed to download "questionable files" to get infected on the web. Nothing is safe nowadays.


2 minutes ago, muratoner said:

Damn, I gotta get an AV now. I thought you needed to download "questionable files" to get infected on the web. Nothing is safe nowadays.

No, ain't been like that in at least 20 years, mate. Drive-by payloads... rootkits...

 

Webroot SecureAnywhere gets my 2 thumbs up every time.

 

Free: Bitdefender UK or Sophos Home.


+1 for blocking this **** and all its clones via AppLocker. Took about 4 hours to download and load the certs into a GPO; time well spent.


Why does the headline read like it was Avast that put the malware in it???

 

I will have to check the version I have installed on my PC when I get home. I should be safe since I only run it 2-3 times a year for maintenance and also just did a scan with my standalone AV last week.

 

34 minutes ago, exotoxic said:

I was told it was Kaspersky that couldn't be trusted. ;)

They still can't be...


3 minutes ago, oldtimefighter said:

Why does the headline read like it was Avast that put the malware in it???

 

I will have to check the version I have installed on my PC when I get home. I should be safe since I only run it 2-3 times a year for maintenance and also just did a scan with my standalone AV last week.

 

They still can't be...

Avast owns Piriform and distributes CCleaner. However, putting "accidentally" in quotes makes for a clickbait headline that shouldn't be done by anyone wishing to be taken "seriously".

 


Anyone have an alternative to ccleaner that is lightweight and has a similar run option on the recycle bin?

I'm using 5.28 (and it works well), but I'd like to move away from Avast as a company altogether. Ever since it became adware I have been unable to recommend Avast to anyone.


Been reading that it only infects 32-bit Windows users and not 64-bit users.

Quote:

Thankfully, it looks like this malware only affected a certain subset of CCleaner users. In particular, it affected:

  • Users running the 32-bit version of the application (not the 64-bit version)
  • Users running version 5.33.6162 of CCleaner or CCleaner Cloud 1.07.3191, released on August 15th, 2017

https://www.howtogeek.com/326742/ccleaner-was-hacked-what-you-need-to-know/

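As an added example (not Piriform's, Avast's or Talos's code, and not from this thread), the exposure facts quoted above turned into a triage pass over an endpoint inventory export: it flags the 32-bit 5.33.6162 and CCleaner Cloud 1.07.3191 builds, treats the registry key HKLM\SOFTWARE\Piriform\Agomo (where, per the Piriform write-up further down the thread, the first stage stores its MUID/TCID/NID values) as evidence that the backdoor actually ran, and applies Piriform's advice to update anything older than 5.34. The host names, the inventory rows and any build numbers other than the two quoted are constructed.

```python
"""Exposure triage for the trojanised CCleaner 5.33 build over an endpoint
inventory export.

Added example, not Piriform's, Avast's or Talos's code. The trojanised
builds, the 32-bit restriction, the registry key
HKLM\\SOFTWARE\\Piriform\\Agomo and the "older than 5.34, update" advice
come from the thread; the hosts, inventory rows and other build numbers
are constructed.
"""
from dataclasses import dataclass, field

AGOMO_KEY = r"HKLM\SOFTWARE\Piriform\Agomo"
AGOMO_VALUES = frozenset({"MUID", "TCID", "NID"})

# Trojanised builds named in the thread: (product, version, binary arch).
AFFECTED_BUILDS = frozenset({
    ("CCleaner", (5, 33, 6162), "x86"),
    ("CCleaner Cloud", (1, 7, 3191), "x86"),
})
FIXED_CCLEANER = (5, 34)  # Piriform: update anything older than 5.34


def parse_version(text: str) -> tuple:
    """'5.33.6162' -> (5, 33, 6162); '1.07.3191' -> (1, 7, 3191)."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Host:
    name: str
    product: str
    version: str
    arch: str                      # arch of the installed product binary
    registry: dict = field(default_factory=dict)   # key path -> {name: data}


@dataclass
class Finding:
    host: str
    status: str        # "compromised" | "affected-build" | "outdated" | "ok"
    reasons: list
    action: str


def assess(host: Host) -> Finding:
    ver = parse_version(host.version)
    reasons = []
    if (host.product, ver, host.arch) in AFFECTED_BUILDS:
        reasons.append(f"trojanised build {host.product} {host.version} ({host.arch})")
    # The first stage writes MUID/TCID/NID here, so the key shows that the
    # backdoor actually ran, not merely that the build was installed.
    seen = AGOMO_VALUES & set(host.registry.get(AGOMO_KEY, {}))
    if seen:
        reasons.append(f"{AGOMO_KEY} present with {sorted(seen)}")

    if seen:
        status = "compromised"
        action = ("isolate, preserve the Agomo values and outbound 443 logs "
                  "for IR, then reinstall 5.34 or later")
    elif reasons:
        status = "affected-build"
        action = "update to 5.34 or later; confirm the Agomo key is absent"
    elif host.product == "CCleaner" and ver < FIXED_CCLEANER:
        status, action = "outdated", "update to 5.34 or later"
    else:
        status, action = "ok", "none"
    return Finding(host.name, status, reasons, action)


def triage(hosts) -> dict:
    """Map host name -> Finding for a whole inventory."""
    return {f.host: f for f in map(assess, hosts)}


# Constructed inventory rows (as an endpoint agent might export them).
SAMPLE_HOSTS = [
    Host("ws01", "CCleaner", "5.33.6162", "x86",
         {AGOMO_KEY: {"MUID": "<random>", "TCID": 0, "NID": "216.126.x.x"}}),
    Host("ws02", "CCleaner", "5.33.6162", "x64"),   # 64-bit build: not affected per thread
    Host("ws03", "CCleaner Cloud", "1.07.3191", "x86"),
    Host("ws04", "CCleaner", "5.34.6207", "x86"),   # a 5.34 build; build number illustrative
    Host("ws05", "CCleaner", "5.28.6005", "x86"),   # a 5.28 build; build number illustrative
]

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_HOSTS).items():
        print(f"{name}: {finding.status:15} {finding.action}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

A build match only says the host installed the trojanised version; the Agomo values say the first stage executed, so the two get different statuses and actions. Per the thread the 64-bit build is not affected, which is why ws02 comes out merely outdated rather than compromised.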

I'm glad I never cared about CCleaner.

 

Since everyone is sharing their personal recommendations, I use Windows Defender. It's lightweight and doesn't detect much. What more could you want from an AV? :p


1 minute ago, xendrome said:

How is this not FPN, I know I submitted it and I'm sure others have.

It looks like John is writing up an article now; his name is on the claim.

 

The mistake itself is bad enough, but I can't believe it went almost a month unnoticed :o


28 minutes ago, warwagon said:

Been reading that it only infects 32-bit Windows users and not 64-bit users.

https://www.howtogeek.com/326742/ccleaner-was-hacked-what-you-need-to-know/

I missed that myself... Personally, I haven't used 32-bit Windows in like eight years now. The PR is bad for CCleaner, but the actual impact will be low.


If you happen to be running CCleaner, stop reading this immediately and check to see if you are running version 5.33.6162. If you are, download an update immediately. Your performance enhancement software is affected by malware.

 

According to CCleaner maker Piriform, the 32-bit version of the software for Windows was modified by hackers before it was released to the public on August 15. The hack also affected the CCleaner Cloud version 1.07.3191. The company said a new version of CCleaner was released on September 12, the day the hack was discovered, with the Cloud version updated on September 15. Piriform said the "rogue server" was shut down, Cloud users were automatically updated and CCleaner users were "moved to a different version."

 

As for what the hack did exactly, Piriform's VP of Products Paul Yung said "An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems. The suspicious code was hidden in the application’s initialization code called CRT (Common Runtime) that is normally inserted during compilation by the compiler."

 

[image: Blog_image_code_2_1]

 

If you want the technical details:

 

  • The code executed within that thread was heavily obfuscated to make its analysis harder (encrypted strings, indirect API calls, etc.). The suspicious code was performing the following actions:
    • It stored certain information in the Windows registry key HKLM\SOFTWARE\Piriform\Agomo:
      • MUID: randomly generated number identifying a particular system. Possibly also to be used as communication encryption key.
      • TCID: timer value used for checking whether to perform certain actions (communication, etc.)
      • NID: IP address of secondary CnC server
    • Besides that, it collected the following information about the local system:
      • Name of the computer
      • List of installed software, including Windows updates
      • List of running processes
      • MAC addresses of first three network adapters
      • Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
    • All of the collected information was encrypted and encoded by base64 with a custom alphabet.
    • The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via an HTTPS POST request. There was also a [fake] reference to "Host: speccy.piriform.com" in communication.
    • The code then read a reply from the same IP address, providing it with the functionality to download a second stage payload from the aforementioned IP address. The second stage payload is received as a custom base64-encoded string, further encrypted by the same xor-based encryption algorithm as all the strings in the first stage code. We have not detected an execution of the second stage payload and believe that its activation is highly unlikely.
    • In case the IP address becomes unreachable, a backup in the form of a DGA (domain generation algorithm) activates and is used to redirect communication to a different location. Fortunately, these generated domains are not under the control of the attacker and do not pose any risk.

 

Apparently Cisco's Talos security division also noticed the attack and alerted Piriform's parent company Avast, which purchased Piriform in July. Craig Williams, a researcher with Talos, told Reuters that the hack was a sophisticated attack because it was able to go through a trusted supplier in much the same way that June's Petya ransomware attack used infected accounting software from an established company in Ukraine.

 

“There is nothing a user could have noticed,” Williams said. The software was using a proper certificate that companies normally trust.

 

[image: ccleaner malware flow chart]

 

Piriform suggests that if you are running a version of CCleaner older than version 5.34 that you download a new one immediately.

 

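The beacon format in the list above (system information, XOR-encrypted with the same routine the first stage uses for its strings, then base64 with a custom alphabet, then sent by HTTPS POST to a hardcoded IP) as an added example, not Piriform's or Talos's code: an analyst-side encoder and decoder that remaps the custom alphabet onto the standard one so the stdlib base64 decoder can be reused, plus a small summary step that applies the point made earlier in the thread that stage two was only fetched when the process ran as admin. The alphabet, the XOR key, the JSON field layout and the sample beacon are constructed stand-ins; the real ones have to be lifted from the binary's decode routine.

```python
"""Decoder for the first-stage beacon format from the Piriform write-up:
system info, XOR-encrypted, then base64 with a custom alphabet, then POSTed.

Added example, not Piriform's or Talos's code. CUSTOM_ALPHABET, XOR_KEY,
the JSON field layout and SAMPLE_BEACON are constructed stand-ins; a real
sample's alphabet and key are recovered from the binary's decode routine.
"""
import base64
import json
import string

STANDARD_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase
                     + string.digits + "+/")
# Hypothetical custom alphabet: a permutation of the 64 standard symbols.
CUSTOM_ALPHABET = ("zyxwvutsrqponmlkjihgfedcba"
                   "ZYXWVUTSRQPONMLKJIHGFEDCBA"
                   "9876543210/+")
XOR_KEY = b"agomo-key"  # hypothetical repeating key
assert len(CUSTOM_ALPHABET) == 64 and set(CUSTOM_ALPHABET) == set(STANDARD_ALPHABET)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def custom_b64encode(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Standard base64, then remap each symbol into the custom alphabet."""
    table = str.maketrans(STANDARD_ALPHABET, alphabet)
    return base64.b64encode(data).decode("ascii").translate(table)


def custom_b64decode(text: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map the custom alphabet back to the standard one and reuse the
    stdlib decoder; '=' padding is shared by both alphabets."""
    table = str.maketrans(alphabet, STANDARD_ALPHABET)
    return base64.b64decode(text.translate(table), validate=True)


def encode_beacon(info: dict, key: bytes = XOR_KEY,
                  alphabet: str = CUSTOM_ALPHABET) -> str:
    """Serialise (JSON is an assumption), XOR, custom-base64: the POST body."""
    plain = json.dumps(info, sort_keys=True).encode("utf-8")
    return custom_b64encode(xor_bytes(plain, key), alphabet)


def decode_beacon(blob: str, key: bytes = XOR_KEY,
                  alphabet: str = CUSTOM_ALPHABET) -> dict:
    """Reverse of encode_beacon; a wrong table or key normally surfaces as
    a ValueError from the UTF-8 or JSON step rather than as silent junk."""
    plain = xor_bytes(custom_b64decode(blob, alphabet), key)
    return json.loads(plain.decode("utf-8"))


def classify(blob: str, key: bytes = XOR_KEY,
             alphabet: str = CUSTOM_ALPHABET) -> dict:
    """Analyst summary of one captured beacon. Per the thread, the second
    stage was only fetched when the victim process ran as admin."""
    info = decode_beacon(blob, key, alphabet)
    return {
        "computer_name": info["computer_name"],
        "adapters_reported": len(info["macs"]),
        "stage2_possible": bool(info["is_admin"]),
    }


# Constructed beacon mirroring the fields listed in the write-up.
SAMPLE_BEACON = {
    "computer_name": "WS01",
    "installed": ["CCleaner 5.33.6162", "KB1234567"],   # software + updates
    "processes": ["explorer.exe", "CCleaner.exe", "MsMpEng.exe"],
    "macs": ["00-11-22-33-44-55", "66-77-88-99-AA-BB", "CC-DD-EE-FF-00-11"],
    "is_admin": True,
    "is_x64": False,
}

if __name__ == "__main__":
    blob = encode_beacon(SAMPLE_BEACON)
    print("POST body:", blob[:60] + "...")
    print("decoded:", classify(blob))
```

Because the custom alphabet is a permutation of the standard one, a captured blob looks like ordinary base64 and decodes without error under the wrong table, just to junk; the only reliable check is that the XOR'd result parses. On the wire the page's other indicator is simpler: the POST goes straight to a hardcoded IP with no DNS lookup, and the fake Host: speccy.piriform.com header sits inside TLS, so it is only visible where TLS is terminated.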

18 hours ago, Joe User said:

Avast owns Piriform and distributes CCleaner. However, putting "accidentally" in quotes makes for a  clickbait headline that shouldn't be done by anyone wishing to be taken "seriously".

 

I didn't put "accidentally" in quotes; if it did, it's from the original source on the Reg. This listing has been merged with the site's editorial :) which I'm totally fine with.


10 hours ago, Mando said:

I didn't put "accidentally" in quotes; if it did, it's from the original source on the Reg. This listing has been merged with the site's editorial :) which I'm totally fine with.

No big deal, I rarely take The Reg seriously anyway. :)

 

 

 
