CCleaner Compromised to Distribute Malware for Almost a Month


V_R

¯\_(ツ)_/¯
Moderator
Joined
Jan 31, 2005
Messages
13,460
Reaction score
1,769
Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to a report published by Cisco Talos a few minutes ago.

Floxif is a mundane malware downloader that gathers information about infected systems and sends it back to its C&C server. At the time of writing, there is no evidence that Floxif downloaded additional second-stage payloads on infected hosts.

Cisco Talos security researchers detected the tainted CCleaner app last week, on September 13, while performing beta testing of a new exploit detection technology.

Researchers identified a version of CCleaner 5.33 making calls to suspicious domains. While initially, this looked like another case where a user downloaded a fake, malicious CCleaner app, they later discovered that the CCleaner installer was downloaded from the official website and was signed using a valid digital certificate.

Cisco Talos believes that a threat actor might have compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan.

It is unclear if this threat actor breached Avast's systems without the company's knowledge, or the malicious code was added by "an insider with access to either the development or build environments within the organization."

Avast bought Piriform — CCleaner's original developer — in July this year, a month before CCleaner 5.33 was released. Avast did not respond to a request for comment in time for this article's publication.

On September 13, Avast released CCleaner 5.34 that does not include the malicious Floxif malware.
Read the full story at Bleeping Computer.


Official Statement from Piriform:
We recently determined that older versions of our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been compromised. We resolved this quickly and believe no harm was done to any of our users. This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download. We apologize and are taking extra measures to ensure this does not happen again.

Issue Summary: Our new parent company, the security company Avast, determined on the 12th of September that the 32-bit version of our CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner. Piriform CCleaner v5.33.6162 was released on the 15th of August, and a regularly scheduled update to CCleaner, without compromised code, was released on the 12th of September. CCleaner Cloud v1.07.3191 was released on the 24th of August, and updated with a version without compromised code on September 15. The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server. Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done. It would have been an impediment to the law enforcement agency’s investigation to have gone public with this before the server was disabled and we completed our initial assessment. Between the 12th and the 15th, we took immediate action to make sure that our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 users were safe—we worked with download sites to remove CCleaner v5.33.6162, we pushed out a notification to update CCleaner users from v5.33.6162 to v5.34, we automatically updated CCleaner Cloud users from v1.07.3191 to 1.07.3214, and for users using Avast Antivirus, they received an automatic update.

We are continuing to investigate how this compromise happened, who did it, and why. We are working with US law enforcement in their investigation. A more technical description of the issue is on our Piriform blog at: www.piriform.com/news/blog. Again, we sincerely apologize for this and are committed to making sure nothing similar happens again. We encourage any user of the 32-bit version of CCleaner v5.33.6162 to download the latest version of Piriform CCleaner found here: www.piriform.com/ccleaner/download/standard.
http://www.piriform.com/news/releas...eaner-cloud-v1073191-for-32-bit-windows-users
 
Ad

Advertisements

V_R

¯\_(ツ)_/¯
Moderator
Joined
Jan 31, 2005
Messages
13,460
Reaction score
1,769
So, Avast - a security company - bought Piriform in July, and was compromised a month later. GG Avast! :rolleyes:

To be clear, this is the 32bit version only. If you run the 64bit version you're ok. Apparently.
 

nivrip

Yorkshire Cruncher
Joined
Mar 21, 2007
Messages
9,473
Reaction score
1,819
To be clear, this is the 32bit version only. If you run the 64bit version you're ok. Apparently.

Well, that's good to know, unless you run the 32 bit version.

Now I know why there was a sort of panicky message from CCleaner suggesting the newest version be downloaded (v5.34.6207) fairly quickly a few days back. :)
 

Ian

Administrator
Joined
Feb 23, 2002
Messages
19,579
Reaction score
1,303
Thanks for the heads up @V_R

I'm behind updating CCleaner, so I'm not affected - but it's quite concerning that this was injected with malware - as who knows what this could be doing in the background.
 
Ad

Advertisements

Joined
Jul 11, 2010
Messages
5,758
Reaction score
552
Didn't your PC go tits up not so long ago because of something in an e-mail and you had to do a fresh install ?

It was my Email address had been compromised/stolen and was being used by someone else I had to cancel the original address and have another one. I was still using Windows 10 at the time. My Internet provider was unable to trace the stolen address and deleted off their system.
 

nivrip

Yorkshire Cruncher
Joined
Mar 21, 2007
Messages
9,473
Reaction score
1,819
HEADS UP

Following V_R's alert I downloaded the latest version of CCleaner ((v5.34.6207) a few days back.

Just had an urgent message from Kaspersky suggesting an even more up to date version (v5.35.6210) should be downloaded. No mention of whether it's for 32 or 64 bit but I've downloaded it anyway (and got the 64 bit version). :)
 
Ad

Advertisements

Ad

Advertisements


Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top