CCleaner Hacked - Malware Spread to 2.2 Million Users
Posted by: Timothy Tibbetts on 09/20/2017 04:07 AM [ Comments ]
CCleaner is not going to have a good month announcing that their popular program was infected with a malicious payload that made it possible to download and execute other suspicious software, including ransomware and keyloggers. This affects anyone who downloaded the 32-Bit and Cloud versions. However, we recommend everyone update just in case. Links are at the end of the story.
Update 9-20-17 6:36 A.M: We've tested the infected version and discovered Windows Defender, Malwarebytes, and most antivirus programs detect the malware and remove the registry key.
Update 9-19-17 5:15 P.M: There's a lot of confusion regarding which CCleaner versions were infected. Update to 5.34 and check your registry to be sure you don't have the registry keys that might leave you infected. Here is a step-by-step guide on removing the key easily.
Here is the official summary and apology:
"We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.
Technical description
An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.
The malware was also programmed to collect a bunch of user data, including:
Name of the computer
List of installed software, including Windows updates
List of running processes
MAC addresses of first three network adapters
Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
Talos’ report warns that the malware was found in CCleaner version 5.33, which was actively distributed between August 15 and September 12. What is particularly jarring is that it appears the infected app was signed with a valid certificate Symantec issued to Piriform (recently acquired by Avast)."
Be sure to update your CCleaner immediately with version 5.34.6207 or better yet, get a better drive cleaner and replace it with Wise Disk Cleaner. It would also be a good idea to scan your system with a trusted application like Malwarebytes.
Update 9-20-17 6:36 A.M: We've tested the infected version and discovered Windows Defender, Malwarebytes, and most antivirus programs detect the malware and remove the registry key.
Update 9-19-17 5:15 P.M: There's a lot of confusion regarding which CCleaner versions were infected. Update to 5.34 and check your registry to be sure you don't have the registry keys that might leave you infected. Here is a step-by-step guide on removing the key easily.
"We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.
Technical description
An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.
The malware was also programmed to collect a bunch of user data, including:
Name of the computer
List of installed software, including Windows updates
List of running processes
MAC addresses of first three network adapters
Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
Talos’ report warns that the malware was found in CCleaner version 5.33, which was actively distributed between August 15 and September 12. What is particularly jarring is that it appears the infected app was signed with a valid certificate Symantec issued to Piriform (recently acquired by Avast)."
Be sure to update your CCleaner immediately with version 5.34.6207 or better yet, get a better drive cleaner and replace it with Wise Disk Cleaner. It would also be a good idea to scan your system with a trusted application like Malwarebytes.
Comments