CCleaner Compromised!

Posted by Corrine (Administrator, Microsoft MVP, Security Analyst, Staff member; joined Feb 22, 2012; 12,393 posts; Upstate, NY)
Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to a report published by Cisco Talos a few minutes ago.

More at CCleaner Compromised to Distribute Malware for Almost a Month. Also see Piriform - Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users and Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk.
 
It is interesting that it apparently only affected the 32-bit versions. Also interesting is this issue occurred just after Piriform was obtained by a major security firm, Avast.

At any rate, I am glad it was detected and a new clean version of CC has been released and can be downloaded from here.
 
To see if you're infected, go to HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\CCleaner in the registry editor.
If it contains a key called "Agomo", you're infected.

The Agomo key has the following values:
  • MUID: randomly generated number identifying a particular system. Possibly also to be used as a communication encryption key.
  • TCID: timer value used for checking whether to perform certain actions (communication, etc.)
  • NID: IP address of the secondary CnC server
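The registry check above, as an added PowerShell example (not code from the thread, Piriform or Talos). It assumes the key path given in the post; the WOW6432Node variant is an addition for 64-bit hosts, where a 32-bit program's writes under HKLM\SOFTWARE are redirected, and the two install paths used for the version check are assumed defaults, not taken from the thread.

```powershell
# Added example: look for the Agomo key the thread names as the infection
# indicator, and report the installed CCleaner version if the binary is found.
# Assumed paths: the post gives HKLM\SOFTWARE\Piriform\CCleaner; the
# WOW6432Node path is the 32-bit redirection view on 64-bit Windows.
$RegistryPaths = @(
    'HKLM:\SOFTWARE\Piriform\CCleaner',
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\CCleaner'
)

# Assumed default install locations (not from the thread).
$ExeCandidates = @(
    (Join-Path ${env:ProgramFiles} 'CCleaner\CCleaner.exe'),
    (Join-Path ${env:ProgramFiles(x86)} 'CCleaner\CCleaner.exe')
)

# Build number of the trojanized release, as given in the Piriform notice.
$AffectedVersion = '5.33.6162'

function Test-CCleanerAgomo {
    param([string[]]$Paths = $RegistryPaths)

    $findings = @()
    foreach ($base in $Paths) {
        $agomo = Join-Path $base 'Agomo'
        if (Test-Path -LiteralPath $agomo) {
            # Read the three values the thread lists; missing ones come back $null.
            $props = Get-ItemProperty -LiteralPath $agomo
            $findings += [pscustomobject]@{
                Path = $agomo
                MUID = $props.MUID
                TCID = $props.TCID
                NID  = $props.NID
            }
        }
    }
    return $findings
}

function Get-CCleanerVersion {
    param([string[]]$Candidates = $ExeCandidates)

    foreach ($exe in $Candidates) {
        if (Test-Path -LiteralPath $exe) {
            return (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        }
    }
    return $null
}

$hits = @(Test-CCleanerAgomo)
if ($hits.Count -eq 0) {
    Write-Output 'No Agomo key found under the checked Piriform\CCleaner paths.'
} else {
    Write-Warning 'Agomo key present: this host most likely ran the trojanized CCleaner 5.33 build.'
    $hits | Format-List
}

$version = Get-CCleanerVersion
if ($null -eq $version) {
    Write-Output 'CCleaner.exe not found in the assumed install locations.'
} elseif ($version -like "$AffectedVersion*") {
    Write-Warning "Installed CCleaner version $version matches the affected build; update to the clean release."
} else {
    Write-Output "Installed CCleaner version: $version"
}
```

Run it from an elevated PowerShell prompt so HKLM is readable in full. Absence of the key is not proof of a clean host, since the key is written by the implant at runtime; the version check and the Piriform notice together are the stronger signal.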

Piriform - Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
 
From the updated BC article:
Article updated with link to Piriform blog post. Updated article for a second time with response from Avast CTO. An earlier version of this article referenced a tweet suggesting that other parts of the Avast network might be compromised. Avast investigated the issue and discovered that someone used its VPN service to send ransomware-laced spam.
 

I'd assume this new clean version is safe to use again?
 
Yes, the new version has a new digital signature to make hacking more difficult.
 

Good to know. A family member of mine loves the tool, but I had them remove it in the recent event.

Now we wait for the news for Avast to announce that other Piriform tools were also hacked.
 
Well, since Avast made it a point to point out the hack was with CCleaner from before the acquisition (even though Avast issued the cert), I would hope a full audit of all the products was done by both sides. And since I view both Piriform and Avast as reputable and responsible companies, I am sure they did and have implemented procedures to prevent recurrence. Now whether those procedures work or not is another matter.
 
