Compromised CCleaner software leaves millions with malware

[Image: DNS requests for Floxif DGA domains]

Popular software CCleaner infected with backdoor

19 September, 2017

Piriform adds that it's also working with third-party sites to remove the compromised versions of CCleaner, and that all users should update to its latest CCleaner 5.34 version right away. The malware reportedly tried to connect to unregistered websites in order to remotely download even more harmful programs to users' computers.
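As an added example (not from the article, Piriform or Avast), here is a defender-side check that scans DNS query logs for the kind of machine-generated domains a backdoor like this one resolves. The log format, host names and domains are constructed, and the heuristic is a generic lexical one (entropy, vowel share, digit share), not the actual Floxif DGA.

```python
import math
import re
from collections import Counter

# Constructed DNS query log (hypothetical format: time host qtype qname).
# Domains are made-up placeholders, not real indicators from the incident.
SAMPLE_DNS_LOG = """\
2017-09-18T10:01:02Z ws-0142 A q7x2k9vm3p.com
2017-09-18T10:01:05Z ws-0142 A www.piriform.com
2017-09-18T10:01:09Z ws-0207 A downloadmirror.net
2017-09-18T10:01:12Z ws-0207 A zx8v4nq2wl5t.com
2017-09-18T10:01:20Z ws-0311 A mail.example.org
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")

def registrable_label(qname: str) -> str:
    """Label just before the TLD; assumes a one-label TLD (no public-suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score higher than words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_dga(label: str) -> bool:
    """Flag a label of 8+ chars when at least two of three lexical signals fire."""
    n = len(label)
    if n < 8:
        return False  # short labels give too little signal; skip them
    high_entropy = shannon_entropy(label) >= 3.0
    few_vowels = sum(ch in VOWELS for ch in label) / n <= 0.2
    many_digits = sum(ch.isdigit() for ch in label) / n >= 0.2
    return sum([high_entropy, few_vowels, many_digits]) >= 2

def suspicious_queries(log_text: str) -> list:
    """Return (host, qname) pairs whose registrable label looks machine-generated."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, host, _qtype, qname = m.groups()
        if looks_like_dga(registrable_label(qname)):
            flagged.append((host, qname))
    return flagged
```

Hits are leads for triage, not verdicts: CDN and tracking hostnames can trip the same signals, so confirm against the vendor's published indicators before acting.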

Hackers managed to hijack a popular PC cleanup tool, CCleaner, meaning that anyone who downloaded or updated it between mid-August and mid-September also downloaded malware without realising it.

According to Piriform's blog post, its programs released in August were compromised, and users of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 are advised to download new versions. This is similar to June's NotPetya attack, which was hidden in infected Ukrainian accounting software. The threat has now been resolved in the sense that the rogue server is down and other potential servers are out of the attacker's control. Automatic updates should already have been triggered on your systems for both the 32-bit and cloud versions of the software, but checking your version number today will make sure you are fully up to date.

An Avast spokesperson told iTWire that about 2.27 million people downloaded the affected version of CCleaner.

It might be sensible to roll back your computer to a backup created before you installed the poisoned version of CCleaner.

[Image: The affected version of CCleaner.]

The 32-bit version of CCleaner was available to end users between 15 August and 12 September, while the CCleaner Cloud version was accessible between 24 August and 15 September.


Piriform was acquired by software security vendor Avast in July 2017 and in a statement Piriform thanked Avast Threat Labs for analyzing the attack. No malicious software has been found in CCleaner 5.34, which was released on September 13.

The company's press team said that, on an infected machine, hackers could use the exploit to steal sensitive data and/or credentials, which could then be used for internet banking or other online activities.

The Talos team believes the compromise may have more to do with an attacker compromising Avast's development and signing process for the CCleaner application, and recommended that the certificate used to sign the tainted build be immediately revoked and untrusted going forward.

Piriform's VP of products has gone into some technical detail regarding the hack in the company's blog post, writing that: "An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems".

The attackers were using version 5.33 of CCleaner to spread a multi-stage malware payload. Piriform said it's working with United States law enforcement to determine who was responsible for the attack.

CCleaner is a utility for cleaning up a PC and optimizing its performance.
