CCleaner installer compromised by malware

Forums › Desktop computing › CCleaner installer compromised by malware

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#223197 18-Sep-2017 20:32

From Cisco's Talos Intelligence blog:

Talos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly. On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities. The following sections will discuss the specific details regarding this attack.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

1 | 2

'That VDSL Cat'
13036 posts

Uber Geek
+1 received by user: 3896

ID Verified

Trusted

Lizard Networks

Subscriber

#1868241 18-Sep-2017 21:06

out of all endpoints for the installer to come from in an infected state, avast?....

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1868253 18-Sep-2017 21:08

As per blog post, it could be a breach during development, signing or on servers... More to come.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

JayADee

2233 posts

Uber Geek
+1 received by user: 478

#1868260 18-Sep-2017 21:50

Post here: https://forum.piriform.com/index.php?showtopic=48869

Gives version numbers affected and only 32 bit version.

More in depth inf here: http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

gzt

18679 posts

Uber Geek
+1 received by user: 7809

Lifetime subscriber

#1868268 18-Sep-2017 22:23

Am I the only one who thought ccleaner is weird and unnecessary?

JayADee

2233 posts

Uber Geek
+1 received by user: 478

#1868281 18-Sep-2017 22:39

It has a lot of handy tools all in one place.

plas

456 posts

Ultimate Geek
+1 received by user: 59

#1868345 19-Sep-2017 08:02

gzt: Am I the only one who thought ccleaner is weird and unnecessary?

Nope, I never really saw the need for it.

Apple TV

Stream your favourite shows now on Apple TV (affiliate link).

Coil

6614 posts

Uber Geek
+1 received by user: 2153
Inactive user

#1868349 19-Sep-2017 08:09

plas:

gzt: Am I the only one who thought ccleaner is weird and unnecessary?

Nope, I never really saw the need for it.

It seemed to serve its purpose when it had the red logo in the ol Core 2 Duo days!
That with the likes of Defraggler hahahaha.

xpd

Geek of Coastguard
14115 posts

Uber Geek
+1 received by user: 4574

Retired Mod

ID Verified

Trusted

Lifetime subscriber

#1868402 19-Sep-2017 09:31

I still use CCleaner - do I have to with Win10 ? Probably not, but still do out of habit back in the XP/Win 7 days where crap did build up :)

Did run it on a clients Win 10 install recently tho, found 24GB of files no longer needed (and no, wasnt the recycle bin). After CCLeaner, their system booted hell of a lot faster.

XPD / Gavin

LinkTree

rb99

3505 posts

Uber Geek
+1 received by user: 1830

Lifetime subscriber

#1868415 19-Sep-2017 09:51

Pity the new free version does nothing useful (for me that I can see). Cleaning is now $25US. Think I'll stick with my old version.

“The modern conservative is engaged in one of man's oldest exercises in moral philosophy; that is, the search for a superior moral justification for selfishness.” -John Kenneth Galbraith

rb99

muppet

2642 posts

Uber Geek
+1 received by user: 1660

Trusted

#1868465 19-Sep-2017 11:31

I still use CCleaner.

Sure, Disk Cleanup in Windows 10 does a lot too. But CC has the registry cleaner (how much use is removing old entries though really? Maybe none) but will also clean up a lot of apps. For example it'll compress the Thunderbird and Firefox SQLite database, it'll remove Chrome Cache files, Internet Explorer Cache files etc.

It's also got a drive wiper, duplicate files finder, and can show you all your various startup entries.

All these things can be done with other freeware tools, but CCleaner gives it to you in an all-in-one easy to use Interface.

Anyway, that's why I still use it. But if it was discontinued tomorrow it wouldn't be the end of the world, it doesn't provide anything unique that can't be found in other apps etc.

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1868576 19-Sep-2017 13:46

Up to 2.27 million compromised PCs. Way to go, Avast.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Dyson

Shop now for Dyson appliances (affiliate link).

MaxLV

656 posts

Ultimate Geek
+1 received by user: 161

#1868759 19-Sep-2017 17:05

freitasm:

From Cisco's Talos Intelligence blog:

Talos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly. On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities. The following sections will discuss the specific details regarding this attack.

From CCleaner website in their news release:

------

Our new parent company, the security company Avast, determined on the 12th of September that the 32-bit version of our CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner. Piriform CCleaner v5.33.6162 was released on the 15th of August, and a regularly scheduled update to CCleaner, without compromised code, was released on the 12th of September. CCleaner Cloud v1.07.3191 was released on the 24th of August, and updated with a version without compromised code on September 15.

-----

The technical details can be found in their blog on the website.

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1868795 19-Sep-2017 18:01

An awful long time for a compromised version to be available. More than two million computers infected.

It doesn't say good things about it if Avast couldn't see an infected file on their own servers.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

Hammerer

2480 posts

Uber Geek
+1 received by user: 802

Lifetime subscriber

#1868812 19-Sep-2017 19:01

There are a few examples of Avast exposing their users to serious risks. Examples are:

Avast anti-virus https://www.trustwave.com/Resources/SpiderLabs-Blog/Multiple-Vulnerabilities-in-Avast-Antivirus/

Avantium web browser https://www.tomsguide.com/us/avast-secure-browser-not-secure,news-22214.html

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1868817 19-Sep-2017 19:18

Plus the leak of the Avast forums credentials years ago.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

1 | 2