SUBSIM Radio Room Forums

SUBSIM: The Web's #1 resource for all submarine & naval simulations since 1997
Old 09-18-17, 10:23 AM   #1
Skybird
Soaring
Nuke Warning: CCleaner is malware-infested

http://blog.talosintelligence.com/20...s-malware.html

http://www.piriform.com/news/blog/20...-windows-users

My cold-hearted advice if you are affected: system reinstall. A system that got compromised must still be considered to be compromised after any "cleanings", "repairs", or whatever. The only way to deal with a bug and be certain is to nuke the whole system from orbit.

Note that Talos (first link) disagrees with Piri (second link) on the amount of damage done. Talos says it potentially could be an immense number of users, Piri says the threat was tackled before it could do damage. Of course, Piri has its own reputation to protect here, Talos is a neutral third party.

I believe I understood it like this: a completely infested version of CCleaner was spread via a manipulated server of theirs, and so the malware must have reached millions and millions of users, see the link for affected version and date. The malware scanned the infested systems, extracted data and downloaded additional malware, which was probably the intended "warhead" to detonate. But if Piri is right, then this malware never got activated, they switched off the rogue server fast. Which means that affected people have downloaded-for-sure, but non-activated malware on their machines now. Their systems probably got scanned and data was extracted. The additional downloaded malware, the warhead, is still there.

Well, believing is not knowing. So expect the worst. Nuke it. From orbit.

P.S. Note that the critical version of CCleaner was distributed for almost a full month. That's damn many systems affected.
__________________
If you feel nuts, consult an expert.

Last edited by Skybird; 09-18-17 at 11:08 AM.
Old 09-18-17, 11:04 AM   #2
THEBERBSTER
Growing Old Disgracefully

I have used CCleaner every day for many years without any problems and also have recommended it many times here on Subsim.
Like any application on your system it is open to attack.
While this may sound alarming, those at CCleaner have rectified the problem without any serious incidents having taken place.
I am running the later 6207 version but it is quite likely that at some point I also have used the 6162 corrupted version.
While antivirus may give protection, it is better to back it up with a specific malware/spyware program installed.

I would suggest installing this free program which was recommended and installed by my computer shop.
It will identify any threats, which you can quarantine.
https://www.malwarebytes.com/mwb-download/
Peter

Last edited by THEBERBSTER; 09-18-17 at 12:46 PM.
Old 09-18-17, 12:07 PM   #3
aanker
Pacific Thunder

I have used Ccleaner Pro for years too. I noticed that 6207 was released fast on the heels of the previous version.

Thanks for the link Peter, and thanks for the alert Skybird.
Old 09-18-17, 03:42 PM   #4
propbeanie
CTD - it's not just a job

My gosh. This is getting old, having to search through all of my computers and look for issues with a program that I've trusted and used for years... I did just recently download a newer version of it, but I do not remember which box it was... I know what I'm doing tonight... Thanks Skybird and THEBERBSTER...
__________________

"...and bollocks to the naysayer/s" - Jimbuna
Old 09-18-17, 04:16 PM   #5
mapuc
Fleet Admiral

Earlier today I got the information from a computer page on FB. It was said, from my memory, that it's only those who have a 32-bit computer system,

and they should reinstall Windows.

People asked about 64-bit systems and were told that they haven't heard anything about this type of system.

I don't have this CC-cleaner.

Markus
Old 09-18-17, 04:25 PM   #6
THEBERBSTER
Growing Old Disgracefully

Hi Mapuc
I have a 64 bit system and Malwarebytes picked up and quarantined Ccleaner malware when I ran it.
Peter
Old 09-18-17, 04:27 PM   #7
STEED
Lucky Jack

Looks like my laptop is in the clear.

V5.155513(64bit)

But my desktop has

V5.33.6162(64bit) Same version number that is infected, but the article states (32bit), so have I got it or not?

UPDATE

I have rolled back my system to July 31st and Removed that version of Ccleaner off my desktop.

Malwarebytes Anti rootkit. ALL CLEAR

Malwarebytes custom scan and threat scan. ALL CLEAR

Avast smart scan. ALL CLEAR

Avast rootkits full scan. ALL CLEAR
__________________
Dr Who rest in peace 1963-2017.

To borrow Davros saying...I NAME YOU CHIBNALL THE DESTROYER OF DR WHO YOU KILLED IT!

Last edited by STEED; 09-18-17 at 08:02 PM.
Old 09-18-17, 05:51 PM   #8
aanker
Pacific Thunder

I don't think you need to worry now. To be safe, update to the latest release.

From: https://www.askwoody.com/
Quote:
CCleaner back door / botnet infection updates

Bottom line: If you installed CCleaner any time after Aug. 15, you need to install the latest version.

Avast bought Piriform (and CCleaner) in July. The malware was inserted into the installer in August. The botnet Command center was taken down in September.

Oy. Don’t use registry cleaners, OK?
Earlier I read that if you updated to a later (the most recent) version you'd be in the clear.

Furthermore the payload had been neutered before it was released in the bad version. It never phoned home and 'home' for it doesn't exist. We got lucky.

I updated past the infected version last week and users that do will be OK for sure. It is harmless now and from what I read earlier it always was. I hate it when something you trust does something like this though.
Old 09-18-17, 06:43 PM   #9
STEED
Lucky Jack

^Info seems all over the place, some say the 64bit version is infected while others say it's only the 32bit that is infected. Some comments under the articles say their scans detected it and so on. All I can say is I run regular standard scans and monthly deep scans with Malwarebytes and Avast and nothing has come up infected.
__________________
Dr Who rest in peace 1963-2017.

To borrow Davros saying...I NAME YOU CHIBNALL THE DESTROYER OF DR WHO YOU KILLED IT!
Old 09-18-17, 07:36 PM   #10
aanker
Pacific Thunder

I wonder if this warning is for the installer, not Ccleaner itself. For first time users they need to install it which requires an installer.

Maybe for those of us who do updates there is no worry...

I'm pretty cautious too and do regular scans, so far I have been clean.

Now I'm reading that it was in an update, you're right, reports are all over the place.

Anyway, nothing detected yet. Probably need to wait until the dust settles before there is a consistent story and the facts are known.
-
From: https://forum.piriform.com/index.php?showtopic=48869
Quote:
We recently determined that older versions of our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been compromised. We resolved this quickly and believe no harm was done to any of our users. This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download. We apologize and are taking extra measures to ensure this does not happen again.

Issue Summary: Our new parent company, the security company Avast, determined on the 12th of September that the 32-bit version of our CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner. Piriform CCleaner v5.33.6162 was released on the 15th of August, and a regularly scheduled update to CCleaner, without compromised code, was released on the 12th of September .....

Last edited by aanker; 09-18-17 at 08:03 PM.
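The thread keeps tripping over the same question: is a 64-bit install with the same version number affected? A small check, added here as an example and not part of the thread or of Piriform's own tooling, classifies a version string as members wrote them ("V5.33.6162(64bit)", "v1.07.3191") against the builds named in the Piriform statement quoted above; the regex, the product labels and the return labels are my assumptions.

```python
import re
from typing import Optional, Tuple

# Affected builds exactly as given in the quoted Piriform statement.
# The Cloud entry carries arch None because the statement names no architecture for it.
AFFECTED = [
    ("ccleaner", (5, 33, 6162), "32bit"),
    ("ccleaner cloud", (1, 7, 3191), None),
]

# Accepts the forms posted in the thread: "V5.33.6162(64bit)", "v5.34", "1.07.3191".
_VER_RE = re.compile(r"v?\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:\((\d{2})\s*-?\s*bit\))?", re.I)


def parse_version(text: str) -> Optional[Tuple[Tuple[int, ...], Optional[str]]]:
    """Return (numeric version tuple, '32bit'/'64bit'/None) or None if unparsable."""
    m = _VER_RE.fullmatch(text.strip())
    if not m:
        return None
    version = tuple(int(x) for x in m.groups()[:3] if x is not None)
    arch = (m.group(4) + "bit") if m.group(4) else None
    return version, arch


def assess(product: str, text: str) -> str:
    """Classify an installed build against AFFECTED; conservative when bitness is unknown."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparsable"
    version, arch = parsed
    for prod, bad_version, bad_arch in AFFECTED:
        if product.lower() != prod:
            continue
        if version == bad_version:
            if bad_arch is None or arch == bad_arch:
                return "affected"
            if arch is None:
                # Same number, bitness not given: verify the build before trusting it.
                return "check-architecture"
            # e.g. 64-bit 5.33.6162: not in the vendor's list, but still the same release.
            return "same-version-other-arch"
        return "newer" if version > bad_version else "older"
    return "unknown-product"
```

Treat "same-version-other-arch" and "check-architecture" as reasons to update and scan rather than as a clean bill of health, since the thread itself notes that reports on the 64-bit build were inconsistent.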
Old 09-18-17, 07:41 PM   #11
Skybird
Soaring

Let's be precise here.

Somebody managed to attach a dirty package to a valid new CCleaner version that was distributed via an official Piri server that got compromised as well by somebody.

This version dropped onto people's systems when they upgraded to the new version of CCleaner in the roughly 4 weeks when this version was distributed without Piri being informed about what went on. 4 weeks translates probably into several million people who downloaded this thing.

The attacking software scanned the system and extracted data on the system infected, in preparation of turning it into a zombie platform for a botnet out there. This was to be done via additional software that was downloaded by the parasite on top of the CCleaner package.

However, the corrupted servers were taken out before the downloaded "warhead" could be activated. Or so they claim.

Which leaves the remains of the botnet-integrating software on people's systems, just that it has not received the activation commands.

Now if you upgrade to a later version of CCleaner, this new version no longer has this parasitical software attached to it, and replaces the corrupted CCleaner version that was previously installed. BUT: if you had been infected by the version before, then the additional malware that was downloaded by that intruder obviously still resides on your system. Just that it is not activated.

That is as if you hold a bomb in your hand with a fuse that gets remote controlled via radio signal. The guy controlling the remote transmitter to detonate it has been taken out. But if you run into a frequency equal to that of the transmitter, and the receiver on that bomb picks it up, however small the random chance for this event may be, the bomb goes off nevertheless. For it is still there.

The question may be to what degree the detonation of this software still could lead to your computer being turned into a zombie that gets abused in a botnet. Only that server has been shut down that spread the initially infested CCleaner version. The botnet and the guys running it are still there.

This is my understanding of the status quo, based on the two linked texts and three additional German website reports.

The media coverage and reports are not fully consistent in the way they tell the story. Talos and Avast/Piri may be driven by different interests as well.

If you have a workplace machine or productivity machine, you want to play it the safest way possible, and reinstall. If you use your system for entertainment only, you may find it affordable to take some risk. But I stick to it, the rule of reason for software attacks like this is: a system that once got compromised remains compromised, no matter what kind of repairs and cleaning you have done, because you cannot be certain you indeed repaired it and cleaned the mess.

P.S. Some years ago, Malwarebytes had a major drama with an update that went wrong, it prevented millions of systems from booting and caused major havoc, with many machines needing to be reinstalled. Already back then I had settings for AV and MBAM tuned so that they did not download each and every update that was released over the day, usually several per day, but only once per day. One does not really need the latest updates from the past two hours if you do not surf highly risky sites. For every update can mean an attack, or, as was the case in this example, a risk of technical errors due to a faulty update. If there are let's say 8 updates in a 24 hour interval, and you download only one per day, then you reduce the risk of getting hit by such bad updates by almost 90%.

Don't be a Beta tester without your consent. Use some healthy reason. Switch from "searching for upgrades every hour" to "search for upgrades once per day".
__________________
If you feel nuts, consult an expert.

Last edited by Skybird; 09-18-17 at 08:00 PM.
Old 09-18-17, 08:16 PM   #12
MaDef
Ace of the Deep

Good rule of thumb is to scan all downloads before running them, and never ever allow software to automatically search for and install updates.
Old 09-19-17, 05:16 AM   #13
Rhodes
Silent Hunter

I read a comment when the news came up of Avast buying CCleaner, saying that now the program would be malware/spyware infested.
I never updated after they were bought.
Old 09-19-17, 05:47 AM   #14
Skybird
Soaring

Quote:
Originally Posted by MaDef View Post
Good rule of thumb is to scan all downloads before running them, and never ever allow software to automatically search for and install updates.
CCleaner does not download library updates like AV does, it is about installing completely new program versions. And for four weeks no user of the many who downloaded the package complained, and I doubt that among millions of users nobody scans his downloads. Scanners can fail you. Use them, but do not trust them for your life. Talos found the mess due to some special thing they tried, I understood. And by random chance. They did not look for stuff. They were lucky finders.
__________________
If you feel nuts, consult an expert.
Old 09-19-17, 05:51 AM   #15
STEED
Lucky Jack

Ok, in the cold light of day and more awake, it looks like I had a close shave and missed it only by the fact I use the (64bit) version, after reading up again with my mug of coffee. Typical, I am slow to download on this one and keep getting these new version update notices, it takes me weeks or the odd month before I act on it. I normally go to FileHippo and do it myself on this one.
__________________
Dr Who rest in peace 1963-2017.

To borrow Davros saying...I NAME YOU CHIBNALL THE DESTROYER OF DR WHO YOU KILLED IT!