SUBSIM Radio Room Forums
Old 09-18-17, 06:43 PM   #1
STEED
Lucky Jack

^Info seems all over the place, some say the 64-bit version is infected while others say it's only the 32-bit that is infected. Some comments under the articles say their scans detected it and so on. All I can say is I run regular standard scans and monthly deep scans with Malwarebytes and Avast and nothing has come up infected.
__________________
Dr Who rest in peace 1963-2017.

To borrow Davros saying...I NAME YOU CHIBNALL THE DESTROYER OF DR WHO YOU KILLED IT!
Old 09-18-17, 07:36 PM   #2
aanker
Pacific Thunder

I wonder if this warning is for the installer, not CCleaner itself. First-time users need to install it, which requires an installer.

Maybe for those of us who do updates there is no worry...

I'm pretty cautious too and do regular scans, so far I have been clean.

Now I'm reading that it was in an update, you're right, reports are all over the place.

Anyway, nothing detected yet. Probably need to wait until the dust settles before there is a consistent story and the facts are known.
-
From: https://forum.piriform.com/index.php?showtopic=48869
Quote:
We recently determined that older versions of our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been compromised. We resolved this quickly and believe no harm was done to any of our users. This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download. We apologize and are taking extra measures to ensure this does not happen again.

Issue Summary: Our new parent company, the security company Avast, determined on the 12th of September that the 32-bit version of our CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner. Piriform CCleaner v5.33.6162 was released on the 15th of August, and a regularly scheduled update to CCleaner, without compromised code, was released on the 12th of September .....

Last edited by aanker; 09-18-17 at 08:03 PM.
Old 09-18-17, 07:41 PM   #3
Skybird
Soaring

Let's be precise here.

Somebody managed to attach a dirty package to a valid new CCleaner version that was distributed via an official Piri server that got compromised as well by somebody.

This version dropped onto people's systems when they upgraded to the new version of CCleaner in the roughly 4 weeks when this version was distributed without Piri being informed about what went on. 4 weeks translates probably into several million people who downloaded this thing.

The attacking software scanned the system and extracted data on the system infected, in preparation for turning it into a zombie platform for a botnet out there. This was to be done via additional software that was downloaded by the parasite on top of the CCleaner package.

However, the corrupted servers were taken out before the downloaded "warhead" could be activated. Or so they claim.

Which leaves the remains of the botnet-integrating software on people's systems, just that it has not received the activation commands.

Now if you upgrade to a later version of CCleaner, this new version no longer has this parasitical software attached to it, and replaces the corrupted CCleaner version that was previously installed. BUT: if you had been infected by the version before, then the additional malware that was downloaded by that intruder obviously still resides on your system. Just that it is not activated.

That is as if you hold a bomb in your hand with a fuse that gets remote controlled via radio signal. The guy controlling the remote transmitter to detonate it has been taken out. But if you run into a frequency equal to that of the transmitter, and the receiver on that bomb picks it up, however small the random chance for this event may be - the bomb goes off nevertheless. For it is still there.

The question may be to what degree the detonation of this software still could lead to your computer being turned into a zombie that gets abused in a botnet. Only that server has been shut down that spread the initially infested CCleaner version. The botnet and the guys running it are still there.

This is my understanding of the status quo, based on the two linked texts and three additional German website reports.

The media coverage and reports are not fully consistent in the way they tell the story. Talos and Avast/Piri may be driven by different interests as well.

If you have a workplace machine or productivity machine, you want to play it the safest way possible, and reinstall. If you use your system for entertainment only, you may find it affordable to take some risk. But I stick to it, the rule of reason for software attacks like this is: a system that once got compromised remains compromised, no matter what kind of repairs and cleaning you have done - because you cannot be certain you indeed repaired it and cleaned the mess.

P.S. Some years ago, Malwarebytes had a major drama with an update that went wrong; it prevented millions of systems from booting and caused major havoc, with many machines needing to be reinstalled. Already back then I had settings for AV and MBAM tuned so that they did not download each and every update that was released over the day, usually several per day, but only once per day. One does not really need the latest updates from the past two hours if you do not surf highly risky sites. For every update can mean an attack, or, as was the case in this example, a risk of technical errors due to a faulty update. If there are, let's say, 8 updates in a 24 hour interval, and you download only one per day, then you reduce the risk of getting hit by such bad updates by almost 90%.

Don't be a Beta tester without your consent. Use some healthy reason. Switch from "searching for upgrades every hour" to "search for upgrades once per day".
__________________
If you feel nuts, consult an expert.

Last edited by Skybird; 09-18-17 at 08:00 PM.
Old 09-18-17, 08:16 PM   #4
MaDef
Ace of the Deep

Good rule of thumb is to scan all downloads before running them, and never ever allow software to automatically search for and install updates.
Old 09-19-17, 05:16 AM   #5
Rhodes
Silent Hunter

I read a comment when the news came up of Avast buying CCleaner, saying that now the program would be malware/spyware infested.
I never updated after they were bought.
Old 09-19-17, 05:51 AM   #6
STEED
Lucky Jack

OK, in the cold light of day and more awake, it looks like I had a close shave and missed it only by the fact I use the (64-bit) version, after reading up again with my mug of coffee. Typically I am slow to download on this one and keep getting these new version update notices; it takes me weeks or the odd month before I act on it. I normally go to FileHippo and do it myself on this one.
Old 09-19-17, 05:47 AM   #7
Skybird
Soaring

Quote:
Originally Posted by MaDef
Good rule of thumb is to scan all downloads before running them, and never ever allow software to automatically search for and install updates.
CCleaner does not download library updates like AV does; it is about installing completely new program versions. And for four weeks no user of the many who downloaded the package complained, and I doubt that among millions of users nobody scans his downloads. Scanners can fail you. Use them, but do not trust them for your life. Talos found the mess due to some special thing they tried, I understood. And by random chance. They did not look for stuff. They were lucky finders.
Old 09-19-17, 05:56 AM   #8
STEED
Lucky Jack

Quote:
Originally Posted by Skybird
Scanners can fail you. Use them, but do not trust them for your life.
You are right there Sky, last time I got hit with a pain in the arse weather app that installed itself behind my back and was classed as malware, it was not detected by my scans. Luckily it was low level and after following info on how to remove it, it was gone. And that was, I would say, a good two years ago, and since then nothing until this scare.
Old 09-19-17, 01:50 PM   #9
propbeanie
CTD - it's not just a job

My Malwarebytes didn't pick it up, but Windows Defender did... imagine that... Windows 8.1 Windows Defender, but it only flagged the executable, quarantined it, and flashed a little blue box in the upper right of the computer. If I hadn't been sitting here, I wouldn't have seen it... Had to open Defender from Control Panel and look in the History to see it. It's listed as "malicious", "backdoor", "Remove this software immediately", but didn't bother to "Alarm" me... Strange behavior. C:\Users\Propbeanie\CCSetup533.exe

After removal, it is "re-installing" itself, and Windows Defender picks it up again... Not cool at all... It's got "Backdoor.Win32/Floxif" embedded in it, according to Defender. Why ain't my Malwarebytes picking it up? It "looks" like it's active, but doesn't act like it...
__________________

"...and bollocks to the naysayers" - Jimbuna
Old 09-19-17, 02:16 PM   #10
HW3
Navy Seal

From PC Pitstop TechTalk

Quote:
Bleeping Computer reported,

“The malware collected information such as computer name, a list of installed software, a list of running processes, media access control (MAC) addresses for the first three network interfaces, and unique IDs to identify each computer in part. Researchers noted that the malware only ran on 32-bit systems. The malware also quit execution if the user was not using an administrator account.”
Quote:
Not only was malware included in the update, but a malicious backdoor was left open leaving the ability for additional malware to execute. However, to date, additional malware has not exploited this vulnerability.

If you are currently running CCleaner, please confirm which version is installed on the device. It is recommended users update the program to version 5.34 immediately. The malware included in versions 1.07.319 and 5.33 is within the particular version of the program; therefore, updating to version 5.34 will remove the malware.
__________________


"Some ships are designed to sink...others require our assistance." Nathan Zelk
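A defender-side check for the "confirm which version is installed" advice in the quote above, written as an added example that is not part of the thread and not Piriform's or Avast's own tooling: it lists the CCleaner binaries in the install folder, reports each file's version and whether it is a 32-bit (x86) or 64-bit image, and flags the 32-bit 5.33.6162 build named in the Piriform statement. The install folder, the file-name pattern and the layout of the FileVersion string are assumptions.

```powershell
# Added example: report version and image architecture of installed CCleaner
# binaries and flag the 32-bit v5.33.6162 build. Not from the thread or vendor.
param(
    # Assumed default install location; override with -InstallDir if different.
    [string]$InstallDir = 'C:\Program Files\CCleaner'
)

$AffectedVersion = [version]'5.33.6162'   # build named in the Piriform statement

function Get-PEMachine {
    # Read the COFF Machine field: the PE header offset is the 32-bit value at
    # 0x3C (e_lfanew); Machine sits 4 bytes after the "PE\0\0" signature.
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        [void]$fs.Seek(0x3C, [System.IO.SeekOrigin]::Begin)
        $peOffset = $br.ReadUInt32()
        [void]$fs.Seek($peOffset + 4, [System.IO.SeekOrigin]::Begin)
        switch ($br.ReadUInt16()) {
            0x014c  { return 'x86' }
            0x8664  { return 'x64' }
            default { return 'other' }
        }
    } finally { $fs.Dispose() }
}

Get-ChildItem -Path $InstallDir -Filter 'CCleaner*.exe' -ErrorAction Stop | ForEach-Object {
    $raw = $_.VersionInfo.FileVersion -replace '[^\d.]', ''
    # Assumption: a four-part FileVersion such as "5.33.0.6162" corresponds to
    # the published "5.33.6162", so an all-zero third component is dropped.
    $parts = $raw.Split('.') | Where-Object { $_ -ne '' }
    if ($parts.Count -eq 4 -and $parts[2] -eq '0') { $parts = $parts[0, 1, 3] }
    $ver  = [version]($parts -join '.')
    $arch = Get-PEMachine $_.FullName
    # Only the 32-bit image of the affected build is flagged, matching the
    # vendor statement and the "only ran on 32-bit systems" observation above.
    $status = if ($arch -eq 'x86' -and $ver -eq $AffectedVersion) { 'AFFECTED' } else { 'ok' }
    [pscustomobject]@{ File = $_.Name; Version = $ver; Arch = $arch; Status = $status }
}
```

An "AFFECTED" row means the flagged binary should be replaced with 5.34 or later; an "ok" row says nothing about whether any second-stage component described earlier in the thread was ever fetched.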