MBAtarga
CCleaner - recent versions - malware impacted

Just saw this over on Rennlist - recent versions of CCleaner are reportedly impacted by hacking to include malware.

I know several Pelicans recommend the use of the product to troubleshoot/remove malware/viruses/etc from user machines.

More details here:
Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk

Summary - Talos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly. On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities. The following sections will discuss the specific details regarding this attack.

Update 9/18: CCleaner Cloud version 1.07.3191 is also reported to be affected

__________________
Mark

'83 SC Targa - since 5/5/2001
'06 911 S Aerokit - from 5/2/2016 to 11/14/2018
'11 911 S w/PDK - from 7/2/2021 to ???
09-19-2017, 07:31 AM (post #1)

Nickshu
Thanks for posting, I've used the free version of CCleaner on all my computers for years, never had a problem and it's a great program. Hopefully they get this fixed soon.
__________________
P Cars: 2022 Macan GTS / One empty garage space ---- Other cars: 2019 Golf R 6MT / 2021 F-250 Diesel / 2024 Toyota GR86 6MT ---- Gone: 1997 Spec Boxster Race Car, 2020 GT4, 2004 GT3, 2003 Carrera, 1982 911SC, 2005 Lotus Elise and lots of other non-Porsches
PCA National DE Instructor #202106053 / PCA Club Racing / WRL Endurance Racing
09-19-2017, 10:26 AM (post #2)

red-beard
My wife's computer keeps getting rootkits. I've eradicated them twice with malwarebytes. If it comes back again, I'm eradicating the disk drive and re-installing the OS.
__________________
James
The pessimist complains about the wind; the optimist expects it to change; the engineer adjusts the sails.- William Arthur Ward (1921-1994)
Red-beard for President, 2020
09-19-2017, 06:53 PM (post #3)

Erakad
My anti-virus identified a trojan associated with CCleaner last night and deleted it... hopefully this will end it, but still uninstalling and deleting anything with CCleaner now.
__________________
Rob
Black 1983
911 SC Coupe

Last edited by Erakad; 09-19-2017 at 07:42 PM..
09-19-2017, 07:40 PM (post #4)

Brando
Can anyone confirm v 5.34 is clean?
__________________
[x] Working | [_] Broken: 2017 Victory Octane
[x] Working | [_] Broken: 2005 Ram 1500 SLT w/5.7L Hemi

"Drive it like you stole it."
09-20-2017, 12:12 AM (post #5)

kach22i
Quote:
Originally Posted by Brando
Can anyone confirm v 5.34 is clean?
From the link originally provided:
Quote:
In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017 version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates. This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018. Piriform was the company that Avast recently acquired and was the original company who developed the CCleaner software application.
I'm seeing the 32-bit version mentioned, not seeing the 64 - yet.

Still reading the article, looking for indication that corrected versions fix the previous flaws.

Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk
Quote:
It is also important to note that while previous versions of the CCleaner installer are currently still available on the download server, the version containing the malicious payloads has been removed and is no longer available.
EDIT:

So I'm looking at my "Downloads" folder and looking right at "ccsetup-5.33" on the (17th?) and the screen refreshes on me, and it vanishes.

Windows Defender then says malicious malware has been removed.

I look in Defender's history, and "Backdoor:Win32/Floxif" has been removed and/or quarantined.

Quote:
If even a small fraction of those systems were compromised an attacker could use them for any number of malicious purposes. Affected systems need to be restored to a state before August 15, 2017 or reinstalled. Users should also update to the latest available version of CCleaner to avoid infection. At the time of this writing that is version 5.34. It is important to note that according to the CCleaner download page, the free version of CCleaner does not provide automated updates, so this might be a manual process for affected users.
Monday, September 18, 2017
Quote:
It is also worth noting that at the time of this post, antivirus detection for this threat remains very low (The detections are at 1/64 at the time of this writing).
Quote:
As part of our response to this threat, Cisco Talos has released comprehensive coverage to protect customers. Details related to this coverage can be found in the "Coverage" section of this post.
Are they trying to sell something here?
__________________
1977 911S Targa 2.7L (CIS) Silver/Black
2012 Infiniti G37X Coupe (AWD) 3.7L Black on Black
1989 modified Scat II HP Hovercraft
George, Architect

Last edited by kach22i; 09-20-2017 at 06:23 AM..
09-20-2017, 05:35 AM (post #6)

island911
Thanks for posting.

It's always tough to know the benefit of 'upgrading' software versions when the version you have works fine.
More often than not, 'upgrades' fix a problem/need that your computer does not have.
But sometimes the 'upgrade' fixes a potential security hole. :-\
__________________
Everyone you meet knows something you don't. - - - and a whole bunch of crap that is wrong.
Disclaimer: the above was 2¢ worth.
More information is available as my professional opinion, which is provided for an exorbitant fee.
09-20-2017, 05:37 AM (post #7)

kach22i
Monday, September 18, 2017
Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
https://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users
Quote:
We recently determined that older versions of our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been compromised. We estimate that 2.27 million people used the affected software. We resolved this quickly and believe no harm was done to any of our users. This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download. We apologize and are taking extra measures to ensure this does not happen again.
Quote:
Issue Summary: Our new parent company, the security company Avast, determined on the 12th of September that the 32-bit version of our CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner.
__________________
1977 911S Targa 2.7L (CIS) Silver/Black
2012 Infiniti G37X Coupe (AWD) 3.7L Black on Black
1989 modified Scat II HP Hovercraft
George, Architect

Last edited by kach22i; 09-20-2017 at 06:23 AM..
09-20-2017, 06:19 AM (post #8)

kach22i
Update to the CCleaner 5.33.6162 Security Incident
https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident
Quote:
Some media reports suggest that the affected systems needed to be restored to a pre-August 15th state or reinstalled/rebuilt. We do not believe this is necessary. About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary. Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary. By similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer.
Quote:
Customers are advised to update to the latest version of CCleaner, which will remove the backdoor code from their systems. As of now, CCleaner 5.33 users are receiving a notification advising them to perform the update.
__________________
1977 911S Targa 2.7L (CIS) Silver/Black
2012 Infiniti G37X Coupe (AWD) 3.7L Black on Black
1989 modified Scat II HP Hovercraft
George, Architect

Last edited by kach22i; 09-20-2017 at 07:01 AM..
09-20-2017, 06:59 AM (post #9)

Eric Coffey
v5.35 out now (my v5.34 just prompted a pop-up to update to it for "important changes").
09-20-2017, 11:40 PM (post #10)

kach22i
Quote:
Originally Posted by Eric Coffey
v5.35 out now (my v5.34 just prompted a pop-up to update to it for "important changes").
Yesterday on my 32-bit computer I used AVG Shredder to remove the old file, lost all of my preferences of course. No big deal as I only go to email on that computer.

I then uploaded the latest CCleaner to that machine and updated the 64-bit laptop CCleaner as well.

Seems to me they are still chasing this dragon and closing doors on it if there is yet another update.

__________________
1977 911S Targa 2.7L (CIS) Silver/Black
2012 Infiniti G37X Coupe (AWD) 3.7L Black on Black
1989 modified Scat II HP Hovercraft
George, Architect
09-21-2017, 05:30 AM (post #11)

All times are GMT -8. The time now is 04:51 AM.


 