Avast's CCleaner Free Windows Application Infected With Malware (bleepingcomputer.com)
Reader Tinfoil writes: Cisco Talos announces that malware cleaning app, CCleaner, has been infected with malware for the past month. Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to a report published by Cisco Talos a few minutes ago. Cisco Talos believes that a threat actor might have compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan. The company said more than 2.27 million had downloaded the compromised version of CCleaner.
... AVAST AntiVirus! Who would have guessed that a great tool like CCleaner would be messed up by Avast in no time at all.
To Terminate, or not to Terminate, that's the question - SCSIROB
Avast bought it. Always was a quick easy way to dump the garbage off your computer instead of 2-3 or more programs to do the same thing.
From the linked article: "The malware collected information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part. Researchers noted that the malware only ran on 32-bit systems."
Someone capable of poisoning signed downloads (high complexity) should be able to select a functional payload (low complexity). I don't see any alternative explanation to the "ran on 32-bit systems" limitation other than incompetence. This doesn't add up.
Floxif is a malware downloader that gathers information about infected systems and sends it back to its C&C server. The malware also had the ability to download and run other binaries, but at the time of writing, there is no evidence that Floxif downloaded additional second-stage payloads on infected hosts.
The malware collected information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part. Researchers noted that the malware only ran on 32-bit systems. The malware also quit execution if the user was not using an administrator account.
It's not an anti-malware program.
It's an optimizer.
It little behooves the best of us to comment on the rest of us.
Cisco Talos announces that malware cleaning app...
Except it wasn't a malware cleaning app. Just a cleaning app. Maybe it happened to clean malware that got caught in the recycle bin, but that's about the extent of it. Of course, it ended up being a malware-infected cleaning app. Maybe that's what the OP meant??
ASCII tastes bad dude.
Binary it is then.
Sure. CCleaner version 5.34. Available from downloads.ru today!
Do not look into laser with remaining eye.
... First, Web of Trust and now this.
Norton should sue for patent infringement.
Check your premises.
IT IS NOT ANTI-MALWARE, IT IS A DUPE FILE REMOVER, CACHE FILE CLEANER, UTILITY TOOL FOR REMOVING STUBBORN UNINSTALLERS THAT BROKE, ETC.
You fucking idiots want to keep saying it's AV because you don't seem to know a god damn thing about it lol. "Oh it's a terrible security model" - On Windows? MORON.
WHINY PETULANT SLASHDOT BITCHES WHO THINK THEY'RE EXPERTS WITHOUT READING A GOD DAMN THING, LOL
ALSO - only the 32 bit version and cloud versions between 8-15 and 9-12 were infected. 64 bit I have verified is not infected. The trojan is detected by Spyhunter which has a trialware version until you go to remove malware.
If your system is compromised in any way, the only sane response is to wipe the disk(s),
Wipe the disks? Are you nuts. I say we take off and nuke the entire site from orbit. It's the only way to be sure!
Kind of, at least after they were bought by a nefarious corporation intent on monetizing it any way they could.
The original was a really nice application, from an independent developer tired of all the crap on his computer, including the stuff pre-loaded by the vendors. The "C" in CCleaner stands for "crap" - the original name was "Crap Cleaner."
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
I once scanned my computer and found nearly a dozen viruses, which panicked me for a while. It was OK though, managed to rewrite them a bit so a later scan found zero again.
This post is sorely lacking tons of information and the few that are in it are wrong.
CCleaner is NOT a malware cleaning app. It's a registry and regular file cleaner software.
Furthermore, let's dig into the case:
- This ONLY affects the 32-bit version of CCleaner and CCleaner Cloud, which accounts for some 3% of Piriform users. If you are using 64-bit version, you are probably safe. From Piriform’s website: “This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected.”;
- From Piriform’s assessment, here’s the actual danger: “The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server. Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done.”
- The investigation is still ongoing, but Piriform is saying that the issue has been solved, that no harm was done, and that it seemingly didn’t originate from official CCleaner/Piriform sources. Which is to say, it could be embedded code that was inserted on 3rd party download websites. There is further explanation on Talos' post of how it was a sophisticated attack because whoever did it managed to put up a valid cert on the infected version of CCleaner though, so there should be more information coming out as the investigation proceeds.
If you wanna dig more into the whole thing, here's Piriform's official statement:
https://www.piriform.com/news/...
And here's Talos' security assessment of the case:
http://blog.talosintelligence....
There is a more technical breakdown of the malware from the folks at Talos that discovered it. According to them ClamAV has a signature to detect the altered installers. Also it looks like Malwarebytes has the signature too so if that is what you are using get the updated signature files and run a scan.
Otherwise look for outbound traffic attempting to go to 216.126.225.148, that is the hardcoded C2 server the malware uses.
Of all tyrannies, a tyranny sincerely exercised for the (supposed) good of its victims may be the most oppressive
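Two checks a defender could script from the indicators quoted in this thread (the affected build numbers from Piriform's statement and the hard-coded C2 address above). This is an added example, not code from the article, Talos or Piriform; the log format, host names and inventory rows are constructed sample data.

```python
"""Triage helpers for the CCleaner 5.33 incident.

1. software inventory: flag hosts running an affected 32-bit build
   (CCleaner v5.33.6162 or CCleaner Cloud v1.07.3191)
2. firewall logs: flag hosts with outbound connections to the
   hard-coded C2 address 216.126.225.148
"""
import re
from collections import defaultdict

C2_IP = "216.126.225.148"  # C2 address quoted in the thread
# Piriform scoped the compromise to the 32-bit builds of these versions
AFFECTED = {("CCleaner", "5.33.6162"), ("CCleaner Cloud", "1.07.3191")}

# constructed iptables-style log line: host=... SRC=... DST=... DPT=...
LOG_RE = re.compile(
    r"host=(?P<host>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")


def affected_installs(inventory):
    """Return hosts whose (product, version) is an affected build on x86."""
    return sorted(host for host, product, version, arch in inventory
                  if arch == "x86" and (product, version) in AFFECTED)


def c2_contacts(log_lines):
    """Map host -> count of outbound connections whose DST is the C2 IP."""
    hits = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("dst") == C2_IP:
            hits[m.group("host")] += 1
    return dict(hits)


SAMPLE_INVENTORY = [  # constructed; 5.34.9999 is a placeholder version
    ("ws-01", "CCleaner", "5.33.6162", "x86"),
    ("ws-02", "CCleaner", "5.33.6162", "x64"),
    ("ws-03", "CCleaner Cloud", "1.07.3191", "x86"),
    ("ws-04", "CCleaner", "5.34.9999", "x86"),
]
SAMPLE_LOG = [  # constructed; 198.51.100.7 is a documentation address
    "Sep 12 10:01:02 host=ws-01 kernel: OUT=eth0 SRC=10.0.0.11 DST=216.126.225.148 PROTO=TCP DPT=443",
    "Sep 12 10:01:05 host=ws-02 kernel: OUT=eth0 SRC=10.0.0.12 DST=198.51.100.7 PROTO=TCP DPT=443",
    "Sep 12 10:02:17 host=ws-01 kernel: OUT=eth0 SRC=10.0.0.11 DST=216.126.225.148 PROTO=TCP DPT=443",
    "Sep 12 10:03:00 host=ws-03 kernel: OUT=eth0 SRC=10.0.0.13 DST=216.126.225.148 PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    print("affected builds:", affected_installs(SAMPLE_INVENTORY))
    print("C2 contacts:", c2_contacts(SAMPLE_LOG))
```

A host that appears in both lists is the priority for the wipe-and-reinstall response suggested elsewhere in the thread.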
Strangely enough, I've run CCleaner for years, on probably hundreds of different systems, and never had it break something by deleting something it shouldn't.
Most system cleaners/optimizers are crap, but CCleaner is one of the only ones that I actually trust(ed).
"City hall" in German is "Rathaus" Kinda explains a few things......
The version before Avast bought it was version 5.32 on July 2017. Here we see version 5.33 with the Floxif malware after August 2017.
Coincidence? I think not.