Hackers compromised free CCleaner software

  • 18 September 2017
  • 55 replies
  • 63 views

Userlevel 7
Badge +52
Hackers broke into British company Piriform’s free software for optimizing computer performance last month potentially allowing them to control the devices of more than two million users, the company and independent researchers said on Monday.

The malicious program was slipped into legitimate software called CCleaner, which is downloaded for personal computers and Android phones as often as five million times a week. It cleans up junk programs and advertising cookies to speed up devices.

CCleaner is the main product made by London’s Piriform, which was bought in July by Prague-based Avast, one of the world’s largest computer security vendors. At the time of the acquisition, the company said 130 million people used CCleaner.
Full Article

55 replies

Userlevel 7
Badge +54
Thank you Petr, I have just seen that news. It has been great for years until Avast got hold of it.
Userlevel 7
Badge +54
There are reports on Twitter that other malicious activity from Avast's network is being investigated which includes a Locky Ransomware distribution campaign.
Userlevel 7
Badge +56
I have the Pro version and didn't see any issues but I see the free version was affected.
 
Daniel
Userlevel 7
I used to use CCleaner but not anymore; glad I don't. And what makes it worse, Avast has their teeth into it now.
Userlevel 7
@ wrote:
It has been great for years until Avast got hold of it.
Same here Jeff. Looks like I'll be uninstalling CCleaner on all the Win computers. Looks like a great start for the new owners "Avast".

Userlevel 7
Badge +62
Yes I happened to be working on two laptops this weekend and I installed Ccleaner on the two Friday on these Windows 7's. Looks like I was lucky and got the latest version of 5.34.
 
What a mess Avast has gotten themselves into by taking over Ccleaner!:@
 
Thank you @ for that information!
Fortunately, it only affected 32-bit machines:
"Yung says the attack was limited to CCleaner and CCleaner Cloud on 32-bit Windows systems—fortunately, most modern PCs will likely be running the 64-bit version. "
https://www.pcworld.com/article/3225407/security/ccleaner-downloads-infected-malware.html
 
Appalling that it should happen in the first place 😠, but I suppose that mitigates the damage...somewhat...
From an article I read at Techcrunch it said that the malware was capable of harvesting data - specifically, computer name (which is why ALL of my PCs are named "Owner"), IP address, list of installed software, list of active software, and list of network adapters. Not highly private info but bad, nonetheless.
 
Really a shame. I've used CC for ages. Looks like it's time to uninstall. :(
 
I'm curious if Webroot would've caught this?
 
BD
Userlevel 7
@ wrote:
I'm curious if Webroot would've caught this?
Not opening Ccleaner on my wife's Toshiba laptop I went to uninstall from "Add & Remove Programs". Webroot hit the uninstaller and quarantined it. I uninstalled Ccleaner using another software. Ran a scan with Webroot and it hit on Ccleaner again. My guess I had some remaining files left. Let Webroot do its thing with the remaining files. Did another scan ALL CLEAN. :D


 
 
@ wrote:
@ wrote:
I'm curious if Webroot would've caught this?
Not opening Ccleaner on my wife's Toshiba laptop I went to uninstall from "Add & Remove Programs". Webroot hit the uninstaller and quarantined it. I uninstalled Ccleaner using another software. Ran a scan with Webroot and it hit on Ccleaner again. My guess I had some remaining files left. Let Webroot do its thing with the remaining files. Did another scan ALL CLEAN. :D
Thanks for posting, Dave. Good to know. :D
 
BD
@ wrote:
Fortunately, it only affected 32-bit machines:
"Yung says the attack was limited to CCleaner and CCleaner Cloud on 32-bit Windows systems—fortunately, most modern PCs will likely be running the 64-bit version. "
https://www.pcworld.com/article/3225407/security/ccleaner-downloads-infected-malware.html
 
Appalling that it should happen in the first place 😠, but I suppose that mitigates the damage...somewhat...
Thanks for posting the link to the PCWorld story, Muddy. The articles I had read prior to that didn't mention that this affected only 32bit machines. If this is true, I have nothing to worry about as I don't have any 32bit machines anymore.
 
One quote from that article caught my eye...
"What that means is that a hacker infiltrated Avast Piriform’s official build somewhere in the development process build to plant malware designed to steal users’ data."
 
So this was there for some time before release. No one caught it???
 
I think I will just stick with Webroot's System Optimizer from now on. ;)
 
BD
Userlevel 7
Badge +48
I wanted to provide some context about CCleaner from a Webroot point of view.
Webroot users are protected from the CCleaner malware. We blocked the current variant & will be on the hunt for new threats associated with it.
@ wrote:
I wanted to provide some context about CCleaner from a Webroot point of view.
Webroot users are protected from the CCleaner malware. We blocked the current variant & will be on the hunt for new threats associated with it.
Thank you, Drew. Nice to hear it straight from Webroot as well as from Webroot users, like Dave.
 
BD
Userlevel 7
Badge +48
Not a problem @, I was talking with our Threat team this morning about it and wanted to be sure that everyone in the community was in the know as well.
Userlevel 7
Badge +54
I have seen nothing else about Locky being involved yet but I will keep my eyes open.
Userlevel 7
Badge +34
Not so sure about only affecting 64 bit machines.
Mine is x64 and I installed Ccleaner v53.33.6162 a week ago.
Webroot scanned my machine on Sunday (yesterday) and found nothing, as usual.
 
After reading about this threat on Wilders, I ran a Webroot scan again today and it found the threat in programfiles/ccleaner and Webroot has now quarantined the threat.
 
So it would seem that the malware has been in place doing its thing undetected until the brouhaha broke out today. Any data that has been sent from affected machines is long gone and it is little comfort knowing that the threat has now been removed.
 
Elsewhere there is advice to restore machines to a date prior to the installation of the malware. However, whilst you would then know for certain that you now had a "clean machine", as mentioned above, any data sent is long gone.
 
Anyway I'm uninstalling ccleaner and moving on.

 

FWIW ~ on my 64bit machine.  I'll always delete languages & 32bit installer.  YMMV
Userlevel 7
Badge +34
@ wrote:
Not so sure about only affecting 64  32 bit machines.
Delayed edit after several hours!
 
 
Also I have now seen it explained why the malicious downloader was identified on my 64 bit machine.  To quote:
 
".... both 32b and 64b binaries are present on the HDD... but the payload doesn't activate on 64-bit.
You can check the existence of the registry key HKLM\SOFTWARE\Piriform\Agomo -- if it exists, the backdoor activated, otherwise it didn't."
Fortunately the Agomo registry key was not present when I first checked (before the Webroot scan) and so I feel reasonably certain that the backdoor payload was not activated on my system. This also explains why it was still detected on my 64 bit system.
 
I apologise for posting potentially misleading info. :$
 
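The registry-key check quoted in the post above, written out as a read-only PowerShell triage script. This is an added example, not code from this thread, from Piriform/Avast, or from Webroot. It assumes the key path is HKLM\SOFTWARE\Piriform\Agomo (the backslashes that the quote lost), that CCleaner sits in the default Program Files directory, and it uses the SHA-256 from the VirusTotal link posted later in this thread only as a comparison value, because the thread does not say which file that hash belongs to.

```powershell
# Added example: read-only triage for a host that had CCleaner 5.33 installed.
# Assumptions (not stated in the thread): key path with backslashes restored,
# default install directory, and that the VirusTotal SHA-256 is a file hash.

$agomoKey       = 'HKLM:\SOFTWARE\Piriform\Agomo'
$installDir     = Join-Path $env:ProgramFiles 'CCleaner'
# SHA-256 taken from the VirusTotal link in this thread; a match means
# "known sample present on disk", nothing more.
$knownBadSha256 = '6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9'

# 1. Did the backdoor activate? Per the quoted explanation, the key exists
#    only if the 32-bit payload actually ran.
if (Test-Path $agomoKey) {
    Write-Output "ACTIVATED: $agomoKey exists; treat this host as compromised and collect evidence before cleaning."
    Get-ItemProperty -Path $agomoKey | Format-List
} else {
    Write-Output "No $agomoKey key; no sign the payload activated on this host."
}

# 2. Which CCleaner build is installed? The thread names 5.33 as affected
#    and 5.34 as the fixed release. Both 32-bit and 64-bit uninstall hives
#    are checked because the installer may have registered under either.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate

# 3. Hash the binaries in the install directory. As the quote notes, both the
#    32-bit and 64-bit binaries are on disk, so a 64-bit host can still carry
#    the sample even though the payload never activated there.
if (Test-Path $installDir) {
    Get-ChildItem -Path $installDir -Include '*.exe','*.dll' -Recurse |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object {
            $note = if ($_.Hash -ieq $knownBadSha256) { 'MATCHES known sample' } else { '' }
            [pscustomobject]@{ File = $_.Path; SHA256 = $_.Hash; Note = $note }
        } | Format-Table -AutoSize
} else {
    Write-Output "No CCleaner directory at $installDir (adjust `$installDir if installed elsewhere)."
}
```

Run it from an elevated PowerShell prompt so HKLM and Program Files are readable. Nothing here deletes or quarantines anything; if the Agomo key is present, the useful next step is to preserve the key values and the install directory for analysis before restoring or reimaging, since, as the posts above note, any data already sent is not recovered by cleaning the host.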
Userlevel 3
Badge +2
It's only the 32 BIT freeware version, never got past the stage of sending any info. Most users now use 64 BIT Windows and PRO version not affected. They patched almost immediately.
https://forum.piriform.com/index.php?showtopic=48868
Userlevel 4
Badge +8
I used to be a faithful user of both Avast and Piriform products but thankfully I found Webroot and jumped ship a year ago.  With all the headlines lately of massive data breaches it just goes to show you how bad the consequence can be when corporations display a lack of diligence.  Not sure where the fault lies in this case but it paints both companies in a bad light.  At the end of the day I personally don't care if Avast destroys itself along with Piriform and Avg as my needs are fulfilled by Webroot.
 
Dan
Userlevel 7
Badge +54
19th September 2017  By Mark Wycislik-Wilson
 


 
When news broke yesterday that CCleaner had been hacked and a dangerously modified version had been available to download for a number of weeks, there were understandable concerns from the program's large userbase. And the concern is well-placed -- some 2.27 million machines are thought to have installed the infected software.
 
Avast now has something of a PR nightmare on its hands as it tries to rebuild the trust of its users. To this end, company CEO Vince Steckler and CTO Ondřej Vlček have written an article clarifying what happened with CCleaner, and give some details about how they plan to protect their customers -- as well as "correct[ing] some misleading information that is currently circulating."
 
Full Article.
Userlevel 7
Badge +34
Thanks Jasper - as the article says, it is indeed a PR nightmare for Avast.
 
However it looks like little or no harm was done to those who had the payload installed but it remains to be seen if Ccleaner survives. I suspect it will - people have short memories and many who use it but do not follow security matters are probably blissfully unaware of the whole event!
Userlevel 7
Badge +56
@ or @ can I get some info please? When was it first detected by the Webroot Cloud as bad and if possible the MD5 hash? Or from the file submission page as it gives such details? http://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx
 
TIA,
 
Daniel 😉
Userlevel 7
Badge +56
@ wrote:
@ or @ can I get some info please? When was it first detected by the Webroot Cloud as bad and if possible the MD5 hash? Or from the file submission page as it gives such details? http://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx
 
TIA,
 
Daniel ;)
 
Webroot only detected it yesterday and it's been out for more than a month..... https://www.virustotal.com/en/file/6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9/analysis/
 

Userlevel 7
@ wrote:
@ wrote:
@ or @ can I get some info please? When was it first detected by the Webroot Cloud as bad and if possible the MD5 hash? Or from the file submission page as it gives such details? http://snup.webrootcloudav.com/SkyStoreFileUploader/upload.aspx
 
TIA,
 
Daniel ;)
 
Webroot only detected it yesterday and it's been out for more than a month..... https://www.virustotal.com/en/file/6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9/analysis/
 


Well that's not good news. :@