CCleaner hacked with malware: What you need to know

Discussion in 'Interesting/Unrelated' started by Glenn, Sep 18, 2017.

  1. Glenn

    Glenn Administrator Staff Member

    http://www.reuters.com/article/us-s...r-software-avasts-piriform-says-idUSKCN1BT0R9

    Hackers broke into British company Piriform Ltd’s free software that optimizes computer performance last month, potentially allowing them to control the devices of millions of users, the company and independent researchers said on Monday.

    More than 2 million people downloaded tainted versions of Piriform’s program, which then directed the computers to get instructions from servers under the hackers’ control, Piriform said.

    Piriform said it worked with law enforcement and cut off communication to the servers before any malicious commands were detected. This came after security researchers at Cisco Systems Inc (CSCO.O) and Morphisec Ltd alerted Piriform’s parent Avast Software of the hack last week.

    The malicious program was slipped into legitimate software called CCleaner, which cleans up junk programs and advertising cookies to speed up devices.

    CCleaner is the main product made by London’s Piriform, which was bought in July by Prague-based Avast, one of the world’s largest computer security vendors. At the time of the acquisition, the company said 130 million people used CCleaner.

    A version of CCleaner downloaded in August and September included remote administration tools that tried to connect to several unregistered web pages, presumably to download additional unauthorized programs, security researchers at Cisco’s Talos unit said.


    Talos researcher Craig Williams said it was a sophisticated attack because it penetrated an established and trusted supplier in a manner similar to June’s “NotPetya” attack on companies that downloaded infected Ukrainian accounting software.

    “There is nothing a user could have noticed,” Williams said, noting that the optimization software had a proper digital certificate, which means that other computers automatically trust the program.

    In a blog post, Piriform confirmed that two programs released in August were compromised. It advised users of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 to download new versions. A spokeswoman said that 2.27 million users had downloaded the August version of CCleaner while only 5,000 users had installed the compromised version of CCleaner Cloud.

    Piriform said that Avast, its new parent company, had uncovered the attacks on Sept. 12. A new, uncompromised version of CCleaner was released the same day and a clean version of CCleaner Cloud was released on Sept. 15, it said.

    Only the cloud version could be updated automatically to remove the bad code.

    The nature of the attack code suggests that the hacker won access to a machine used to create CCleaner, Williams said.

    CCleaner does not update automatically, so those who installed the problematic version will need to delete it and install a fresh version, he said.

    He also recommended running an antivirus scan.

    Williams said that Talos detected the issue at an early stage, when the hackers appeared to be collecting information from infected machines, rather than forcing them to install new programs.

    Piriform said in a news release that it had worked with U.S. law enforcement to shut down a server located in the United States to which traffic was set to be directed.

    It said the server was closed down on Sept. 15 “before any known harm was done.”

    Avast said little about the breach, posting nothing on its Twitter account in the 12 hours after the announcement and displaying nothing on its main web page.

    Piriform’s news release and technical blog post did not mention Cisco or its partner Morphisec, instead crediting Avast with discovering the still-unexplained compromise.

    After the controlling web addresses were seized, Cisco saw 200,000 attempts to connect to them.
     
  2. Glenn

    Glenn Administrator Staff Member

    Another good reason to not be bleeding edge with your app updates :p
     
    The Freezer likes this.
  3. Trouba

    Trouba Administrator Staff Member

    If I hadn't, we'd still be on the August version :p
     
  4. The Freezer

    The Freezer Just this guy, you know Staff Member

    Ah, the irony. An unclean version of CCleaner ... a compromised Avast product.

    I'd seen the article yesterday morning on Slashdot and was puzzled at first that it was even the same utility; thought maybe Avast had a malware-cleaner named the same as Piriform's hard-drive cleaner. Not even Wikipedia mentions the acquisition (though it does mention the backdoor in v5.33).
     
  5. Trouba

    Trouba Administrator Staff Member

    I guess they couldn't say "No" to a million+ dollar buyout. Naively I was always under the impression Piriform was like one solitary guy somewhere; I didn't even know they were a London company.
     
  6. Trouba

    Trouba Administrator Staff Member

    Hmm, wonder how Avast fares when it comes to things like this: https://finance.yahoo.com/news/more-tech-giants-bowing-russian-120239550.html

    We now know what I've said for 3 or 4 years, that Kaspersky -- although good -- is not to be trusted due to its ties with the Russian government. Hackers working for Russia went to work for Kaspersky and vice versa. Then again, Microsoft is so evil to allow the US government to have backdoors into Windows. I'd still rather have the US have that ability than Russia... even with the orange monkey at the helm.
     
  7. The Freezer

    The Freezer Just this guy, you know Staff Member

    Yeah, me too. Exactly. Maybe Piriform was solo at first ... ?
     
  8. pacav69

    pacav69 Live long and prosper Staff Member

    here

    It seems that CCleaner, one of PCWorld’s recommendations for the best free software for new PCs, might not have been keeping your PC so clean after all. In an in-depth probe of the popular optimization and scrubbing software, Cisco Talos has discovered a malicious bit of code injected by hackers that could have affected more than 2 million users who downloaded the most recent update.
     
  9. Trouba

    Trouba Administrator Staff Member

    http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

    So it appears only the 32-bit version of CCleaner was affected. So if you're on a 64-bit system and used the regular or slim installer of v5.33, it would have installed the 64-bit version only and so you would not have been affected.

    As far as LastOS.org app releases go, the portable version of CCleaner (which is always released 1 or 2 weeks before the 'slim' version, which is the basis for the ssApp version) was not affected by the hack because I downloaded it the day it was released, whereas they uploaded the hacked version on a later date. So the ppApp of CCleaner was not affected. The only possibility of a hacked version would have been the ssApp version, which is based on the "slim" version. But even then that would only be possible if the hacked version was uploaded AFTER the slim version was released (and the slim version was even targeted). However, if you're on a 64-bit OS it would not have affected you anyway, as the hack only affected the 32-bit version of CCleaner. So there is only the possibility you installed a hacked CCleaner from a ssApp IF it was installed on a 32-bit system. Of course, it can't hurt to run a malware scan or restore your OS from a backup.
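    Since the thread pins this down to two version numbers and to the 32-bit CCleaner binary, a defender sweeping a fleet wants to check the binary that is actually on disk, not just the OS architecture. The following is an added example (not code from Piriform, Avast or Talos) that reads the machine type from a PE image's COFF header, normalises the version strings an inventory export or VERSIONINFO typically produces, and flags the builds named in the posts above; the PE stub, the inventory values and the helper names are constructed for the demo.

    ```python
    import struct

    # Builds named as compromised in the thread above; per the Talos post,
    # only the 32-bit CCleaner binary was trojanised. None = any architecture.
    AFFECTED = {
        ("ccleaner", (5, 33, 6162), "x86"),
        ("ccleaner cloud", (1, 7, 3191), None),
    }
    IMAGE_FILE_MACHINE_I386 = 0x014C
    IMAGE_FILE_MACHINE_AMD64 = 0x8664


    def pe_arch(data: bytes) -> str:
        """Return 'x86', 'x64' or 'unknown' from the COFF header of a PE image."""
        if len(data) < 0x40 or data[:2] != b"MZ":
            return "unknown"
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return "unknown"
        machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
        return {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine, "unknown")


    def normalise_version(text: str) -> tuple:
        """Map '5.33.6162', '5.33.0.6162' and '5, 33, 0, 6162' to (5, 33, 6162).
        File VERSIONINFO often carries a zero third field that the marketing version omits."""
        parts = [int(p) for p in text.replace(",", ".").replace(" ", "").split(".") if p]
        if len(parts) == 4 and parts[2] == 0:
            del parts[2]
        return tuple(parts)


    def is_affected(product: str, version: str, arch: str) -> bool:
        """True when (product, version, architecture) matches a compromised build."""
        name, ver = product.strip().lower(), normalise_version(version)
        return any(p == name and v == ver and (a is None or a == arch) for p, v, a in AFFECTED)


    def make_pe_stub(machine: int) -> bytes:
        """Constructed MZ stub plus COFF header: just enough for pe_arch(), not a runnable binary."""
        hdr = bytearray(0x40 + 24)
        hdr[:2] = b"MZ"
        struct.pack_into("<I", hdr, 0x3C, 0x40)
        hdr[0x40:0x44] = b"PE\0\0"
        struct.pack_into("<H", hdr, 0x44, machine)
        return bytes(hdr)


    def triage(product: str, version: str, image: bytes) -> dict:
        """Combine the on-disk architecture with the inventory version into a verdict."""
        arch = pe_arch(image)
        return {"arch": arch, "affected": is_affected(product, version, arch)}


    if __name__ == "__main__":
        # Constructed inventory rows; the x86 5.33.6162 row is the one that should fire.
        print(triage("CCleaner", "5, 33, 0, 6162", make_pe_stub(IMAGE_FILE_MACHINE_I386)))
        print(triage("CCleaner", "5.33.6162", make_pe_stub(IMAGE_FILE_MACHINE_AMD64)))
    ```

    On a real host, `image` would be the first kilobyte of each CCleaner*.exe found on disk and `version` its file version; a match is a reason to remove and reinstall from a clean download, as the article advises, not proof of what the implant did.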
     
  10. Glenn

    Glenn Administrator Staff Member

    bphlpt likes this.
