Slashdot Mirror


Avast's CCleaner Free Windows Application Infected With Malware (bleepingcomputer.com)

Reader Tinfoil writes: Cisco Talos announces that the malware cleaning app CCleaner has been infected with malware for the past month. Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to a report published by Cisco Talos a few minutes ago. Cisco Talos believes that a threat actor might have compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan. The company said more than 2.27 million had downloaded the compromised version of CCleaner.

57 of 156 comments

  1. .. And the malware is by scsirob · · Score: 4, Insightful

    ... AVAST AntiVirus! Who would have guessed that a great tool like CCleaner would be messed up by Avast in no time at all.

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB
  2. Re:CCleaner wasn't malware all along? by ameline · · Score: 1, Insightful

    Of course I could have easily confused them with some other anti-malware vendor when it comes to their advertising -- many of them seem to be pretty scummy - just skimming the border of drive-by installs, piggybacking on other installs (looking at *you* Adobe) etc.

    --
    Ian Ameline
  3. Never had a problem until by p51d007 · · Score: 5, Informative

    Avast bought it. Always was a quick easy way to dump the garbage off your computer instead of 2-3 or more programs to do the same thing.

    1. Re:Never had a problem until by Anonymous Coward · · Score: 2, Insightful

      I felt the same way when I heard about Avast acquiring CCleaner. I refused to upgrade until I could find some reviews that said Avast hadn't ruined it with bloat like their anti-virus, and damn I'm glad I waited.

    2. Re:Never had a problem until by Pyrion · · Score: 1

      Same. I'm still running 5.28. I expected shenanigans with the new versions, but not to this level.

      --
      "There is much pleasure to be gained from useless knowledge." - Bertrand Russell.
  4. Why payload is so gimped? by sinij · · Score: 5, Interesting

    From the linked article: "The malware collected information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part. Researchers noted that the malware only ran on 32-bit systems."

    Someone capable of poisoning signed downloads (high complexity) should be able to select a functional payload (low complexity). I don't see any alternative explanation for the "ran on 32-bit systems" limitation other than incompetence. This doesn't add up.

    1. Re:Why payload is so gimped? by mea2214 · · Score: 1

      From the linked article: "The malware collected information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part. Researchers noted that the malware only ran on 32-bit systems."

      This sounds exactly like what Windows 10 telemetry does.

  5. Missing Malware Info by Anonymous Coward · · Score: 5, Informative

    Floxif is a malware downloader that gathers information about infected systems and sends it back to its C&C server. The malware also had the ability to download and run other binaries, but at the time of writing, there is no evidence that Floxif downloaded additional second-stage payloads on infected hosts.

    The malware collected information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part. Researchers noted that the malware only ran on 32-bit systems. The malware also quit execution if the user was not using an administrator account.

    1. Re:Missing Malware Info by TWX · · Score: 5, Interesting

      It's almost like it was meant to inspect corporate or government computers where lazy IT admins might not have migrated 64-bit-capable workstations to 64-bit OSes because they've been maintaining a 32-bit OS/image for years, and to then allow that information to be inspected to determine which computers to attempt to infect with other payloads.

      --
      Do not look into laser with remaining eye.
  6. Anyone know if the malware is detectable / fixable by Anonymous Coward · · Score: 1

    As a regular and longtime user/installer of CCleaner, including version 5.33, it's possible that I may be infected. I've not seen any symptoms nor has Malware Bytes/Comodo detected anything, but....

    Can any of the current tools check if any of my PCs are/may be infected?

  7. Re:CCleaner wasn't malware all along? by CaptainDork · · Score: 5, Insightful

    It's not an anti-malware program.

    It's an optimizer.

    --
    It little behooves the best of us to comment on the rest of us.
  8. "Malware cleaning app" by Mr.Intel · · Score: 4, Insightful

    Cisco Talos announces that malware cleaning app...

    Except it wasn't a malware cleaning app. Just a cleaning app. Maybe it happened to clean malware that got caught in the recycle bin, but that's about the extent of it. Of course, it ended up being a malware-infected cleaning app. Maybe that's what the OP meant??

    --
    ASCII tastes bad dude.
    Binary it is then.
  9. Re:CCleaner wasn't malware all along? by Anonymous Coward · · Score: 1

    I'm not at all clear on what value they bring to the table.

    With CCleaner and similar software you get to choose the Malware you have installed in your machine, in other cases you don't choose.

  10. Re:Anyone know if the malware is detectable / fixa by TWX · · Score: 5, Funny

    Sure. CCleaner version 5.34. Available from downloads.ru today!

    --
    Do not look into laser with remaining eye.
  11. Can it clean it's own malware though? by JoeyRox · · Score: 1

    That would be a cool trick - identifying itself as malware and then deleting it.

    1. Re:Can it clean it's own malware though? by JoeyRox · · Score: 1

      correction: "its own malware".

    2. Re:Can it clean it's own malware though? by khandom08 · · Score: 1

      .... whoever wrote the original submission and whoever didn't bother to check facts before posting.

      You must be new here.

  12. Damn ... by CaptainDork · · Score: 2

    ... First, Web of Trust and now this.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Damn ... by antdude · · Score: 1

      And others we don't know about. :( "Trust no one." --The X-Files

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  13. Re:CCleaner wasn't malware all along? by forkfail · · Score: 3, Funny

    Norton should sue for patent infringement.

    --
    Check your premises.
  14. Longer discussion on the topic by Anonymous Coward · · Score: 1
  15. Re:These applications still exist? by Anonymous Coward · · Score: 1

    FFS, creimer, please go watch this video and take its advice to heart.

    https://www.youtube.com/watch?...

    "The only applications I use ARE Microsoft Defender and Malware Bytes."

    For a "published" "writer", you sure do have problems constructing grammatically correct English sentences.

  16. Where's the MD5/SHA1 for the infected files? by nctritech · · Score: 1

    They tell everyone of the infection but don't provide hashes for the infected files and installers. Class act right there. Just get 5.34 which is totally okay, we promise.

  17. Re:These applications still exist? by cdreimer · · Score: 1

    For a "published" "writer", you sure do have problems constructing grammatically correct English sentences.

    If I wrote perfect sentences, you would have nothing to bitch about on Slashdot.

  18. Re:These applications still exist? by Anonymous Coward · · Score: 1

    The only applications that I use is Microsoft Defender and Malware Bytes. All the third-party applications for keeping WinXP running weren't needed in Vista/7/8/10.

    cdreimer, that sounds like a really boring PC. At least install Excel so you can have some fun typing in numbers and making up formulas.
    Not as exciting as cat videos, I know, but something. There's only so long I can watch Microsoft Defender before the magic starts to wear off.

  19. Re:These applications still exist? by cdreimer · · Score: 1

    There's only so long I can watch Microsoft Defender before the magic starts to wear off.

    Microsoft Defender on my PCs kick off at 3:00AM in the morning. If you're having trouble sleeping that late at night, I suggest taking Nyquil.

  20. Re:Only LUDDITES use CCleaner by Anonymous Coward · · Score: 1

    Those of us "in the know" only trust APKs hosts file generator to stay protected from malware.

    Cruz/Palin 2020

    A hosts file is a single blacklist. A problem with blacklisting is that you have to implicitly trust the creator of the blacklist (unless you're going to tell me you personally verified each individual entry in it?). You have to trust that they didn't miss anything that should have been included in the blacklist, which is hard to confirm. You also have to trust that their reasons for adding an entry are what they claim (remember the politically motivated entries in censorship software like NetNanny?). That's also hard to confirm.

    In that particular case you have to decide for yourself whether APK seems like a calm, sane, reasonable, logical person to trust something as important as your security to. It's not like he's offering to write you a check paying for all the costs of any malware that does get through so yes this comes down to trust, and all you have to go on are his Slashdot posts.

    The other problem with blacklists is they are always having to play catch-up. Malware sources are dynamic and change constantly. Any blacklist will always be behind this curve, even the best of them. As mentioned, it's a *single* blacklist. Good security is done in layers. That's one thing security experts all agree on. I wouldn't use any solution in isolation no matter how good it is. To insist otherwise is more like religious fervor, not based on research or real world experience.
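The comment above makes the point that a hosts-file blocklist is only as trustworthy as whoever compiled it. One check a consumer can run before installing a third-party list is a mechanical audit of the entries themselves: every address should be a sinkhole (0.0.0.0, 127.0.0.1 or the IPv6 equivalents), never a routable address that would silently redirect a hostname to someone else's server, and duplicates or malformed lines are a sign the list is not curated. The script below is an added example for this thread, not code from any hosts-file project mentioned here; the sample list, its domains and the address 203.0.113.9 are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Addresses a blocklist entry is allowed to point at: null-routes and loopback.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Constructed sample of a third-party hosts-style blocklist (made-up names/addresses).
SAMPLE_HOSTS = """\
# sample blocklist
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
127.0.0.1 malware-drop.example.com
0.0.0.0 ads.example.net        # duplicate of line 2
203.0.113.9 update.example-vendor.com   # NOT a sinkhole: redirects to a real host
0.0.0.0 this is not a valid line
blocklist.example.net 0.0.0.0          # columns reversed
"""


def parse_hosts(text):
    """Yield (lineno, address, hostnames) for each non-blank, non-comment hosts line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        yield lineno, parts[0], parts[1:]


def audit_hosts(text):
    """Return (lineno, kind, detail) findings a consumer should review before trusting the list.

    lineno 0 is used for findings that span lines (duplicate hostnames).
    """
    findings = []
    seen = Counter()
    for lineno, addr, hosts in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, "unparseable address", addr))
            continue
        if str(ip) not in SINKHOLES:
            # The dangerous case: the "blocklist" is really a redirect to a live server.
            findings.append((lineno, "redirects to real address", addr))
        if len(hosts) != 1:
            findings.append((lineno, "unexpected token count", " ".join(hosts)))
        for host in hosts:
            seen[host] += 1
    for host, count in seen.items():
        if count > 1:
            findings.append((0, "duplicate hostname", host))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno or '-'}: {kind}: {detail}")
```

This does not solve the catch-up problem the comment describes (a clean list can still be stale), but it does remove the need to take the list author's word on the one thing that can be checked mechanically: that every entry blocks rather than redirects.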

  21. Re:CCleaner wasn't malware all along? by Anonymous Coward · · Score: 1, Funny

    It's not an anti-malware program.

    It's an optimizer.

    If they're trying to optimize Windows, oh man have they got their work cut out for them. Even with all its massive resources and full access to source code, even Microsoft couldn't do that!

  22. Re:CCleaner wasn't malware all along? by Anonymous Coward · · Score: 5, Insightful

    IT IS NOT ANTI-MALWARE, IT IS A DUPE FILE REMOVER, CACHE FILE CLEANER, UTILITY TOOL FOR REMOVING STUBBORN UNINSTALLERS THAT BROKE, ETC.

    You fucking idiots want to keep saying it's AV because you don't seem to know a god damn thing about it lol. "Oh it's a terrible security model" - On Windows? MORON.

    WHINY PETULANT SLASHDOT BITCHES WHO THINK THEY'RE EXPERTS WITHOUT READING A GOD DAMN THING, LOL

  23. Re:CCleaner wasn't malware all along? by Anonymous Coward · · Score: 4, Informative

    ALSO - only the 32 bit version and cloud versions between 8-15 and 9-12 were infected. 64 bit I have verified is not infected. The trojan is detected by Spyhunter which has a trialware version until you go to remove malware.

  24. Re:These applications still exist? by cdreimer · · Score: 1

    And of course, YOUR schedule must be the universal schedule.

    IIRC, Microsoft Defender runs as an automatic task at 3:00AM. Since that's default setting, I haven't changed it.

  25. Re:These applications still exist? by cdreimer · · Score: 1

    https://www.scribd.com/book/193804069/A-Misplaced-Stick-Short-Story

    Scribd is still having issues with my ebooks. I have notified Smashwords to push out my catalog again. Thanks for bringing this to my attention.

  26. Re:CCleaner wasn't malware all along? by thegarbz · · Score: 4, Funny

    If your system is compromised in any way, the only sane response is to wipe the disk(s),

    Wipe the disks? Are you nuts. I say we take off and nuke the entire site from orbit. It's the only way to be sure!

  27. Re:These applications still exist? by cdreimer · · Score: 1

    You two should get a room.

    I doubt I could put up with the constant wanking. I find such lack of self-control disturbing.

  28. Re:CCleaner wasn't malware all along? by Curunir_wolf · · Score: 2

    Kind of, at least after they were bought by a nefarious corporation intent on monetizing it any way they could.

    The original was a really nice application, from an independent developer tired of all the crap on his computer, including the stuff pre-loaded by the vendors. The "C" in CCleaner stands for "crap" - the original name was "Crap Cleaner."

    --
    "Somebody has to do something. It's just incredibly pathetic it has to be us."
    --- Jerry Garcia
  29. Re:CCleaner wasn't malware all along? by Curunir_wolf · · Score: 1

    No, silly, it's a dessert topping AND a floor wax!

    --
    "Somebody has to do something. It's just incredibly pathetic it has to be us."
    --- Jerry Garcia
  30. Will it be published on iOS? by Leninix · · Score: 1

    With the other thread about iOS removing antivirus from the iOS store, I wonder if it will be published on iOS. Doubleplus Good.

  31. Re: CCleaner wasn't malware all along? by cyber-vandal · · Score: 1

    Wouldn't it be amazing if everyone had as much free time as you?

  32. That's by cyber-vandal · · Score: 1

    A vast issue for them

    1. Re:That's by TheDarkener · · Score: 1

      Ba-zing!

      --
      It is pitch black. You are likely to be eaten by a grue.
  33. Re:Well duh by slashmydots · · Score: 1

    I checked. Avast bought Piriform like 2 months ago.

  34. Re:Well duh by sinij · · Score: 1

    I mean deleting thumbnail cache? That's idiotic!

    Not if you frequently view, obviously for research purposes, pornographic materials that normally reside on an encrypted drive.

  35. Re:CCleaner wasn't malware all along? by arglebargle_xiv · · Score: 2

    I once scanned my computer and found nearly a dozen viruses, which panicked me for awhile. It was OK though, managed to rewrite them a bit so a later scan found zero again.

  36. Superficial and inaccurate by XSportSeeker · · Score: 5, Informative

    This post is sorely lacking tons of information and the few things that are in it are wrong.
    CCleaner is NOT a malware cleaning app. It's a registry and regular file cleaner software.
    Furthermore, let's dig into the case:

    - This ONLY affects the 32-bit version of CCleaner and CCleaner Cloud, which accounts for some 3% of Piriform users. If you are using 64-bit version, you are probably safe. From Piriform’s website: “This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected.”;

    - From Piriform’s assessment, here’s the actual danger: “The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server. Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done.”

    - The investigation is still ongoing, but Piriform is saying that the issue has been solved, that no harm was done, and it seems like it didn’t originate from official CCleaner/Piriform sources. Which is to say, it could be embedded code that was inserted on 3rd party download websites. There is further explanation in Talos' post of how it was a sophisticated attack because whoever did it managed to put up a valid cert on the infected version of CCleaner, though, so there should be more information coming out as the investigation proceeds.

    If you wanna dig more into the whole thing, here's Piriform's official statement:
    https://www.piriform.com/news/...

    And here's Talos' security assessment of the case:
    http://blog.talosintelligence....

  37. Re:Well duh by TheDarkener · · Score: 1

    What about stale thumbnail cache? Have you never seen the wrong thumbnails displayed in a file browser window for an image? Additionally, you say that in the sense it deletes thumbnail cache it's "absolutely malware and always has been"? I don't get it.

    What program(s) do you use to do what CCleaner does?

    --
    It is pitch black. You are likely to be eaten by a grue.
  38. Re:CCleaner wasn't malware all along? by Quirkz · · Score: 1

    At least valid antivirus software doesn't flood your screen with popups.

    Er, I mean, it doesn't nag you to do things you don't want to do.

    Well, it doesn't fill your hard drive full of gigabytes of junk.

    That is, at least it doesn't mess with your internet connection and cause inexplicable outages.

    You know what? I give up.

  39. Re:Does one need this trash? by TheDarkener · · Score: 1

    "CC Cleaner" sounds like an imitating (malware-ridden) app.

    "CCleaner" is the app TFA is discussing.

    --
    It is pitch black. You are likely to be eaten by a grue.
  40. Re:Anyone know if the malware is detectable / fixa by Mr.+Shotgun · · Score: 2

    There is a more technical breakdown of the malware from the folks at Talos that discovered it. According to them ClamAV has a signature to detect the altered installers. Also it looks like Malwarebytes has the signature too so if that is what you are using get the updated signature files and run a scan.

    Otherwise look for outbound traffic attempting to go to 216.126.225.148, that is the hardcoded C2 server the malware uses.

    --
    Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
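Comments 36 and 40 between them give the indicators a responder actually needs: the exact affected builds quoted from Piriform's statement (32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) and the hard-coded C2 address 216.126.225.148, and comment 16 asks for file hashes to compare against. The script below is an added triage example for this thread, not code from Talos, Piriform or Avast. It assumes the version string is compared exactly as Piriform published it, parses constructed `netstat -ano` output rather than a real capture, and takes the IOC hash set as a parameter because the real hashes live in the Talos write-up and are not reproduced here; the peer address 198.51.100.7 in the sample is a placeholder.

```python
import hashlib
import re

# Indicators taken from the thread: affected builds quoted from Piriform's
# statement (comment 36) and the hard-coded C2 address given in comment 40.
AFFECTED_BUILDS = {
    ("CCleaner", "5.33.6162", 32),
    ("CCleaner Cloud", "1.07.3191", 32),
}
C2_ADDRESS = "216.126.225.148"


def is_affected_build(product, version, bits):
    """Exact match on (product, version, bitness).

    Per Piriform only the 32-bit builds were affected, so bitness is part of the key.
    """
    return (product, version, bits) in AFFECTED_BUILDS


# Constructed sample of `netstat -ano` output; not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49721         216.126.225.148:443    ESTABLISHED     4128
  TCP    10.0.0.5:49722         198.51.100.7:443       ESTABLISHED     2212
  TCP    10.0.0.5:49730         216.126.225.148:80     SYN_SENT        4128
  UDP    0.0.0.0:5353           *:*                                    1040
"""

# One `netstat -ano` row: proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def find_c2_connections(netstat_output, c2=C2_ADDRESS):
    """Return (pid, foreign_address, state) for every socket whose peer is the C2 host."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        host, _, _port = m.group("foreign").rpartition(":")  # strip the port
        if host == c2:
            hits.append((int(m.group("pid")), m.group("foreign"), m.group("state") or ""))
    return hits


def sha256_hex(data):
    """Hex SHA-256 of a file's bytes, for comparison against a published IOC list."""
    return hashlib.sha256(data).hexdigest()


def matches_known_bad(data, known_bad_sha256):
    """True if SHA-256(data) is in the caller-supplied IOC set (case-insensitive hex)."""
    return sha256_hex(data) in {h.lower() for h in known_bad_sha256}


def triage(product, version, bits, netstat_output, installer_bytes=b"", known_bad_sha256=()):
    """Run all three checks and return human-readable findings (empty list = nothing found)."""
    findings = []
    if is_affected_build(product, version, bits):
        findings.append(f"affected build installed: {product} {version} ({bits}-bit)")
    for pid, addr, state in find_c2_connections(netstat_output):
        findings.append(f"pid {pid} has a socket to C2 {addr} {state}".rstrip())
    if installer_bytes and matches_known_bad(installer_bytes, known_bad_sha256):
        findings.append(f"installer hash matches IOC list: {sha256_hex(installer_bytes)}")
    return findings


if __name__ == "__main__":
    for finding in triage("CCleaner", "5.33.6162", 32, SAMPLE_NETSTAT):
        print(finding)
```

On a live host you would feed `find_c2_connections` the output of `netstat -ano` and `is_affected_build` the version shown in the installed-programs list; a 64-bit install of the same version number comes back clean, which is exactly the distinction comment 23 draws. Absence of a C2 socket proves little on its own (the server was taken down on September 15 per Piriform), so the version check and the hash check are the ones that still work after the fact.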
  41. Re:CCleaner wasn't malware all along? by cbiltcliffe · · Score: 2

    Strangely enough, I've run CCleaner for years, on probably hundreds of different systems, and never had it break something by deleting something it shouldn't.
    Most system cleaners/optimizers are crap, but CCleaner is one of the only ones that I actually trust(ed).

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  42. Re:CCleaner wasn't malware all along? by cbiltcliffe · · Score: 1

    I suspect you're mixing it up with PC Decrapifier. That's the one to remove all the preinstalled crap from major OEM vendors.

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  43. Re: These applications still exist? by ILoveFatCashews · · Score: 1

    " you might to write a Python script"

    creimer-like grammar detected. Come on, Chris, if you're going to impersonate ACs, try to put some effort into it.

    Do you want some spam-flavored macadamia nuts with your whine?

  44. Re:CCleaner wasn't malware all along? by CaptainDork · · Score: 1

    Been using it since Moby Dick was a minnow. Never had a problem at home, on other home computers, and a gazillion work computers.

    --
    It little behooves the best of us to comment on the rest of us.
  45. Coincidence? by n329619 · · Score: 3, Interesting

    The version before Avast bought it was version 5.32 in July 2017. Here we see version 5.33 with the Floxif malware after August 2017.

    Coincidence? I think not.

  46. Re:CCleaner wasn't malware all along? by AllyGreen · · Score: 1

    (S)He's not, I've used ccleaner for a long time now, probably coming up on a decade. I think they dropped the name crap cleaner around 2010. It's still decent and useful software just with a terrible marketing strategy. Never seen the need to even look at anything more than their free version though.

  47. Re: CCleaner wasn't malware all along? by cyber-vandal · · Score: 1

    Completely reinstalling Windows, all the updates and all the software you might be using is a time-consuming process and most people want to do something else with that time.

  48. Re:CCleaner wasn't malware all along? by geekmux · · Score: 1

    It's not an anti-malware program.

    It's an optimizer.

    Ironically, anti-malware serves the same goal, unless you don't consider an uninfected system as optimally configured...

  49. Re:CCleaner wasn't malware all along? by CaptainDork · · Score: 1

    No.

    Anti-malware guards against, well, malware.

    ccleaner does not guard ... it deletes shit like cookies, browsing history, and (optionally) registry entries.

    You can download the latest version of ccleaner and test drive it instead of guessing what it does.

    --
    It little behooves the best of us to comment on the rest of us.