Downloaded CCleaner lately? Oo, awks... it was stuffed with malware

+Mando    3,355

Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users.

 

From the source:

"For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner," researchers explained. "On September 13, 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities."

CCleaner has been downloaded over 2 billion times, with 5 million additional downloads a week.

Cisco Talos said it came across the malicious downloads while beta-testing a new exploit detection technology. Subsequent analysis revealed that hackers hijacked and hid malware inside versions of Avast's CCleaner application available for download between August 15 and September 12.

Anyone who downloaded the 5.33 version or updated their existing product during this timeframe became infected with a covert backdoor capable of spying on everything they did online.

 

https://www.theregister.co.uk/2017/09/18/tainted_ccleaner_downloads/
Edited by Jim K
Changed title to match source
+exotoxic    433

I was told it was Kaspersky that couldn't be trusted. ;)

+Mando    3,355
2 minutes ago, exotoxic said:

I was told it was Kaspersky that couldn't be trusted. ;)

Used to be a big Avast fan, not so much these days (haven't been for 3 or 4 years). Despite this, I was surprised to read this!

muratoner    109

I'm guessing this wasn't the case for the portable version?

+warwagon    9,672
13 minutes ago, Mando said:

Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users.

 

From the source:

"For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner," researchers explained. "On September 13, 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities."

CCleaner has been downloaded over 2 billion times, with 5 million additional downloads a week.

Cisco Talos said it came across the malicious downloads while beta-testing a new exploit detection technology. Subsequent analysis revealed that hackers hijacked and hid malware inside versions of Avast's CCleaner application available for download between August 15 and September 12.

Anyone who downloaded the 5.33 version or updated their existing product during this timeframe became infected with a covert backdoor capable of spying on everything they did online.

 

https://www.theregister.co.uk/2017/09/18/tainted_ccleaner_downloads/
Sounds like it was in the program itself if upgrading to a newer version removed it, so the main executable must have been infected. So was it not always spying on you if it's not running in the system tray? That's the first feature I always turn off.

+Mando    3,355
3 minutes ago, muratoner said:

I'm guessing this wasn't the case for the portable version?

If it used 5.33 as the base, then yes, good chance of it.

+Mando    3,355
4 minutes ago, warwagon said:

Sounds like it was in the program itself if upgrading to a newer version removed it, so the main executable must have been infected. So was it not always spying on you if it's not running in the system tray?

It was in the installer itself, so if you executed the installer, it grabbed the payload.

Stage 2 was only possible if the bundled crap detected you were running as an admin.

[Image: ccleaner_poisioned_downloads.jpg]

This is more than enough for any Avast products to be wiped off any of my recommendation lists for anything.

How do you "accidentally" inject a payload into your security products.....being a security firm? Sorry, doesn't wash!

muratoner    109
Just now, Mando said:

If it used 5.33 as the base, then yes, good chance of it.

Damn, I gotta get an AV now. I thought you needed to download "questionable files" on the web to get infected. Nothing is safe nowadays.

+Mando    3,355
2 minutes ago, muratoner said:

Damn, I gotta get an AV now. I thought you needed to download "questionable files" on the web to get infected. Nothing is safe nowadays.

No, ain't been like that in at least 20 years, mate. Drive-by payloads... rootkits...

Webroot SecureAnywhere gets my 2 thumbs up every time.

Free: Bitdefender UK or Sophos Home.

TPreston    5,384

+1 for blocking this **** and all its clones via AppLocker. Took about 4 hours to download and load the certs into a GPO; time well spent.

oldtimefighter    2,502

Why does the headline read like it was Avast that put the malware in it???

 

I will have to check the version I have installed on my PC when I get home. I should be safe since I only run it 2-3 times a year for maintenance and also just did a scan with my standalone AV last week.

 

34 minutes ago, exotoxic said:

I was told it was Kaspersky that couldn't be trusted. ;)

They still can't be...

muratoner    109

Just scanned the portable version 5.34 with Avira; it's clean, and I'm sure I got version 5.33 sometime before that.

Joe User    355
3 minutes ago, oldtimefighter said:

Why does the headline read like it was Avast that put the malware in it???

 

I will have to check the version I have installed on my PC when I get home. I should be safe since I only run it 2-3 times a year for maintenance and also just did a scan with my standalone AV last week.

 

They still can't be...

Avast owns Piriform and distributes CCleaner. However, putting "accidentally" in quotes makes for a clickbait headline that shouldn't be done by anyone wishing to be taken "seriously".

 

He's Dead Jim    1,951

Cheers for the heads up, I had 5.33 in my downloads folder, but have deleted it now, glad I never installed it, phew... :)

satukoro    686

Anyone have an alternative to CCleaner that is lightweight and has a similar run option on the recycle bin?

I'm using 5.28 (and it works well), but I'd like to move away from Avast as a company altogether. Ever since it became adware I have been unable to recommend Avast to anyone.

+warwagon    9,672

Been reading that it only infects 32-bit Windows users and not 64-bit users.

Quote:

Thankfully, it looks like this malware only affected a certain subset of CCleaner users. In particular, it affected:

  • Users running the 32-bit version of the application (not the 64-bit version)
  • Users running version 5.33.6162 of CCleaner or CCleaner Cloud 1.07.3191, released on August 15th, 2017

https://www.howtogeek.com/326742/ccleaner-was-hacked-what-you-need-to-know/

+LimeMaster    14,659

I'm glad I never cared about CCleaner.

 

Since everyone is sharing their personal recommendations, I use Windows Defender. It's lightweight and doesn't detect much. What more could you want from an AV? :p

xendrome    4,377

How is this not FPN? I know I submitted it and I'm sure others have.

Brandon H    1,451
1 minute ago, xendrome said:

How is this not FPN? I know I submitted it and I'm sure others have.

It looks like John is writing up an article now; his name is on the claim.

The mistake itself is bad enough, but I can't believe it went almost a month unnoticed :o

oldtimefighter    2,502
28 minutes ago, warwagon said:

Been reading that it only infects 32-bit Windows users and not 64-bit users.

https://www.howtogeek.com/326742/ccleaner-was-hacked-what-you-need-to-know/

I missed that myself... Personally, I haven't used 32-bit Windows in like eight years now. The PR is bad for CCleaner, but the actual impact will be low.

JKeefer    13

If you happen to be running CCleaner, stop reading this immediately and check to see if you are running version 5.33.6162. If you are, download an update immediately. Your performance enhancement software is affected by malware.

 

According to CCleaner maker Piriform, the 32-bit version of the software for Windows was modified by hackers before it was released to the public on August 15. The hack also affected the CCleaner Cloud version 1.07.3191. The company said a new version of CCleaner was released on September 12, the day the hack was discovered, with the Cloud version updated on September 15. Piriform said the "rogue server" was shut down, Cloud users were automatically updated and CCleaner users were "moved to a different version."

 

As for what the hack did exactly, Piriform's VP of Products Paul Yung said "An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems. The suspicious code was hidden in the application’s initialization code called CRT (Common Runtime) that is normally inserted during compilation by the compiler."

 

[Image: Blog_image_code_2_1.jpg]

 

If you want the technical details:

 

  • The code executed within that thread was heavily obfuscated to make its analysis harder (encrypted strings, indirect API calls, etc.). The suspicious code was performing the following actions:
    • It stored certain information in the Windows registry key HKLM\SOFTWARE\Piriform\Agomo:
      • MUID: randomly generated number identifying a particular system. Possibly also to be used as communication encryption key.
      • TCID: timer value used for checking whether to perform certain actions (communication, etc.)
      • NID: IP address of secondary CnC server
    • Besides that, it collected the following information about the local system:
      • Name of the computer
      • List of installed software, including Windows updates
      • List of running processes
      • MAC addresses of first three network adapters
      • Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
    • All of the collected information was encrypted and encoded by base64 with a custom alphabet.
    • The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via an HTTPS POST request. There was also a [fake] reference to “Host: speccy.piriform.com” in communication.
    • The code then read a reply from the same IP address, providing it with the functionality to download a second stage payload from the aforementioned IP address. The second stage payload is received as a custom base64-encoded string, further encrypted by the same xor-based encryption algorithm as all the strings in the first stage code. We have not detected an execution of the second stage payload and believe that its activation is highly unlikely.
    • In case the IP address becomes unreachable, a backup in the form of a DGA (domain name generator) activates and is used to redirect communication to a different location. Fortunately, these generated domains are not under the control of the attacker and do not pose any risk.

 

Apparently Cisco's Talos security division also noticed the attack and alerted Piriform's parent company Avast, which purchased Piriform in July. Craig Williams, a researcher with Talos, told Reuters that the hack was a sophisticated attack because it was able to go through a trusted supplier in much the same way that June’s Petya ransomware attack used infected accounting software from an established company in the Ukraine.

 

“There is nothing a user could have noticed,” Williams said. The software was using a proper certificate that companies normally trust.

 

[Image: ccleaner-malware-flow-chart.jpg]

 

Piriform suggests that if you are running a version of CCleaner older than version 5.34 that you download a new one immediately.
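The post above gives a responder everything needed for a quick host check: the two trojanised builds (CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191, 32-bit), the advice to replace anything older than 5.34, and the registry key HKLM\SOFTWARE\Piriform\Agomo with its MUID, TCID and NID values that the stage-one code wrote. The Python below is an added example written for this thread, not code from Piriform, Avast, Talos or the article; it runs on a constructed software inventory and a constructed `reg export` dump rather than a live machine (the build numbers other than 5.33.6162 and 1.07.3191, and the registry value contents, are invented for illustration). On a real Windows host you would feed it the text of `reg export HKLM\SOFTWARE\Piriform` and the installed-programs list, which is the assumed input format the parser handles.

```python
"""Host triage for the CCleaner 5.33 indicators quoted in the thread.

Added example: checks (1) whether an installed build is one of the trojanised
releases named above and (2) whether the HKLM\\SOFTWARE\\Piriform\\Agomo key with
its MUID / TCID / NID values is present in a `reg export` dump.
"""
import re

AGOMO_KEY = r"HKLM\SOFTWARE\Piriform\Agomo"
AGOMO_VALUES = ("MUID", "TCID", "NID")   # value names the stage-one code wrote there

# Trojanised 32-bit builds released on 15 August 2017 (from the quoted advisory).
AFFECTED_BUILDS = {
    ("ccleaner", (5, 33, 6162)),
    ("ccleaner cloud", (1, 7, 3191)),
}
SAFE_FROM = (5, 34)   # Piriform's advice: anything older than 5.34 should be replaced


def parse_version(text):
    """'5.33.6162' -> (5, 33, 6162); tolerates a leading 'v' and surrounding whitespace."""
    return tuple(int(p) for p in text.strip().lstrip("vV").split("."))


def is_affected_build(product, version, arch):
    """True only for the exact trojanised builds, and only on a 32-bit install."""
    is_32bit = arch.strip().lower() in ("x86", "32", "32-bit")
    return is_32bit and (product.strip().lower(), parse_version(version)) in AFFECTED_BUILDS


def needs_update(product, version):
    """Blanket rule from the advisory: CCleaner older than 5.34 should be updated."""
    return product.strip().lower() == "ccleaner" and parse_version(version)[:2] < SAFE_FROM


_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')
_HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def parse_reg_export(text):
    """Minimal parser for 'Windows Registry Editor Version 5.00' exports.

    Returns {key_path_with_short_hive: {value_name: raw_value}}.
    """
    tree, current = {}, None
    for line in text.splitlines():
        key = _KEY_RE.match(line)
        if key:
            hive, _, rest = key.group(1).partition("\\")
            current = _HIVES.get(hive.upper(), hive.upper()) + "\\" + rest
            tree.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            tree[current][value.group(1)] = value.group(2)
    return tree


def find_agomo(reg_text):
    """Names from MUID/TCID/NID found under the Agomo key, or [] if the key is absent."""
    for path, values in parse_reg_export(reg_text).items():
        if path.lower() == AGOMO_KEY.lower():
            return [name for name in AGOMO_VALUES if name in values]
    return []


def triage(inventory, reg_text):
    """inventory: iterable of (product, version, arch). Returns human-readable findings."""
    findings = []
    for product, version, arch in inventory:
        if is_affected_build(product, version, arch):
            findings.append(f"{product} {version} ({arch}): trojanised build, reinstall from a clean source")
        elif needs_update(product, version):
            findings.append(f"{product} {version}: older than 5.34, update per Piriform's advice")
    present = find_agomo(reg_text)
    if present:
        findings.append(f"{AGOMO_KEY} present with {', '.join(present)}: stage-one payload ran on this host")
    return findings


# Constructed sample data (not from a real machine): build numbers other than
# 5.33.6162 and the registry value contents are invented for illustration.
SAMPLE_INVENTORY = [
    ("CCleaner", "5.33.6162", "x86"),
    ("CCleaner", "5.33.6162", "x64"),
    ("CCleaner", "5.28.6005", "x64"),
    ("CCleaner", "5.34.6207", "x86"),
]
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo]
"MUID"=dword:1a2b3c4d
"TCID"=dword:00000000
"NID"=dword:d87e2c6f
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY, SAMPLE_REG):
        print(finding)
```

Two design points worth noting: the 64-bit 5.33 install is reported only as "older than 5.34, update" rather than as infected, matching the thread's 32-bit-only reading of the advisory, and the Agomo key is treated as the stronger indicator, since its presence means the stage-one code actually executed rather than merely being installed.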
Steven P.    8,667

We tripled down on this: front page news, this thread, the merged one, and John did a report (in here) too :p

+Mando    3,355
18 hours ago, Joe User said:

Avast owns Piriform and distributes CCleaner. However, putting "accidentally" in quotes makes for a clickbait headline that shouldn't be done by anyone wishing to be taken "seriously".

I didn't put "accidentally" in quotes; if it did, it's from the original source on the Reg. This listing has been merged with the site's editorial :) which I'm totally fine with.

Joe User    355
10 hours ago, Mando said:

I didn't put "accidentally" in quotes; if it did, it's from the original source on the Reg. This listing has been merged with the site's editorial :) which I'm totally fine with.

No big deal, I rarely take The Reg seriously anyway. :)
