Avast/CCleaner compromised

zanzjan

killin' all teh werds
Staff member
Moderator
Kind Benefactor
VPX
VPXI
Super Member
Registered
Joined
Feb 5, 2010
Messages
9,728
Reaction score
3,208
Location
home home homityhomehome
"Users of Avast-owned security application CCleaner for Windows have been advised to update their software immediately, after researchers discovered criminal hackers had installed a backdoor in the tool. The tainted application allows for download of further malware, be it ransomware or keyloggers, with fears millions are affected."

Sources:

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
https://www.forbes.com/sites/thomas...ner-cybersecurity-app-infected-with-backdoor/
 

nighttimer

No Gods No Masters
Kind Benefactor
Super Member
Registered
Joined
Oct 4, 2006
Messages
11,629
Reaction score
4,103
Location
CBUS
(Some additional information from How To Geek before totally freaking out.)

The attack was described thusly by researchers at Cisco Talos: “the legitimate signed version of CCleaner 5.33. . .also contained a multi-stage malware payload that rode on top of the installation of CCleaner.” CCleaner’s parent company, Piriform (who was recently bought by terrible antivirus company Avast), acknowledged the issue shortly thereafter.

The malware did not actively harm systems, but it did encrypt and collect information that could be used to harm your system in the future. In particular, according to Piriform, it created a unique identifier for the computer and collected:

  • Name of the computer
  • List of installed software, including Windows updates
  • List of running processes
  • MAC addresses of first three network adapters
  • Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.

Thankfully, it looks like this malware only affected a certain subset of CCleaner users. In particular, it affected:

  • Users running the 32-bit version of the application (not the 64-bit version)
  • Users running version 5.33.6162 of CCleaner or CCleaner Cloud 1.07.3191, released on August 15th, 2017

Since many users likely use the 64-bit version of the application, and CCleaner Free does not automatically update, this is good news for a lot of people.

If you are on a 32-bit version of Windows and think you might have downloaded CCleaner during the affected timeframe, here’s how to check what version you have. Open CCleaner and look in the top-left corner of the window—you should see a version number under the program name.

If that version is before version 5.33.6162, then you are not affected, and you should manually download the latest version now. If that version is 5.34 or later, your current version isn’t affected, but if you updated CCleaner in between August 15th and September 12th, and are on a 32-bit system, you may still have been affected.
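The quoted How To Geek steps have you read the version off the CCleaner window by hand. As an added example (not code from the thread, from How To Geek, Piriform or Talos), here is a PowerShell check that does the same thing from an admin prompt and also answers the "but I'm on 64-bit" question by reading the bitness of the actual binary rather than trusting the Windows edition: it locates CCleaner.exe / CCleaner64.exe, reads the version resource, and reports whether the file is the 5.33.6162 32-bit build the post names as affected. Assumptions, labelled in the code: the default install folders under Program Files; that the version numbers are readable from the file's VersionInfo resource (6162 may sit in either the build or the private-part field, so both are checked); the 0x14C / 0x8664 values are the standard PE COFF machine constants for x86 and x64.

```powershell
# Added example, not from the thread or from How To Geek / Piriform / Talos.
# Reports whether an installed CCleaner binary is the build the quoted post
# names as affected: version 5.33.6162, 32-bit executable only.
# Assumptions: default install folders under Program Files; version numbers
# are in the file's VersionInfo resource; 6162 may be the build or private part.

$AffectedMajor = 5
$AffectedMinor = 33
$AffectedBuild = 6162

function Get-PeMachine {
    # Reads the COFF Machine field of a PE file: 0x14C = 32-bit x86, 0x8664 = x64.
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40) { return $null }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)            # e_lfanew in the DOS header
    if ($peOffset -le 0 -or ($peOffset + 6) -gt $bytes.Length) { return $null }
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { return $null }  # "PE\0\0"
    return [BitConverter]::ToUInt16($bytes, $peOffset + 4)
}

function Get-CCleanerBinaries {
    # Default locations only (assumption); extend $roots if CCleaner lives elsewhere.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        foreach ($name in 'CCleaner.exe', 'CCleaner64.exe') {
            $p = Join-Path $root "CCleaner\$name"
            if (Test-Path $p) { Get-Item $p }
        }
    }
}

function Test-CCleanerExposure {
    $found = @(Get-CCleanerBinaries)
    if (-not $found) {
        Write-Output 'No CCleaner binary found in the default folders.'
        return
    }
    foreach ($file in $found) {
        $v       = $file.VersionInfo
        $machine = Get-PeMachine $file.FullName
        $is32    = ($machine -eq 0x14C)
        $versionMatches = ($v.FileMajorPart -eq $AffectedMajor) -and
                          ($v.FileMinorPart -eq $AffectedMinor) -and
                          ($v.FileBuildPart -eq $AffectedBuild -or $v.FilePrivatePart -eq $AffectedBuild)

        $advice = if ($versionMatches -and $is32) {
                      'Affected build: update CCleaner now and review the machine'
                  } elseif ($versionMatches) {
                      'Version 5.33.6162 but a 64-bit binary: not the affected file, update anyway'
                  } else {
                      'Not the affected build; keep it updated'
                  }

        [pscustomobject]@{
            File          = $file.FullName
            FileVersion   = $v.FileVersion
            Machine       = if ($null -ne $machine) { '0x{0:X}' -f $machine } else { 'unknown' }
            Is32Bit       = $is32
            AffectedBuild = ($versionMatches -and $is32)
            Advice        = $advice
        }
    }
}

Test-CCleanerExposure | Format-List
```

Run it from an elevated PowerShell window; the output lists each CCleaner executable found with its version, PE machine type and a one-line verdict. A 64-bit install typically ships both executables, which is why the script reports on each file separately instead of assuming the Windows edition settles the question.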
 

EMaree

a demon for tea
Super Member
Registered
Joined
Jul 7, 2009
Messages
4,655
Reaction score
839
Location
Scotland
Website
www.emmamaree.com
Phew -- I checked, and my laziness about updating software means I dodged the dodgy version. LAZINESS PAYS OFF!
 

muse

standing on head, typing one-handed...
Kind Benefactor
Super Member
Registered
Joined
Sep 25, 2010
Messages
9,143
Reaction score
3,021
Location
Ireland
(Some additional information from How To Geek before totally freaking out.)

The attack was described thusly by researchers at Cisco Talos: “the legitimate signed version of CCleaner 5.33. . .also contained a multi-stage malware payload that rode on top of the installation of CCleaner.” CCleaner’s parent company, Piriform (who was recently bought by terrible antivirus company Avast), acknowledged the issue shortly thereafter.

The malware did not actively harm systems, but it did encrypt and collect information that could be used to harm your system in the future. In particular, according to Piriform, it created a unique identifier for the computer and collected:

  • Name of the computer
  • List of installed software, including Windows updates
  • List of running processes
  • MAC addresses of first three network adapters
  • Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.

Thankfully, it looks like this malware only affected a certain subset of CCleaner users. In particular, it affected:

  • Users running the 32-bit version of the application (not the 64-bit version)
  • Users running version 5.33.6162 of CCleaner or CCleaner Cloud 1.07.3191, released on August 15th, 2017

Since many users likely use the 64-bit version of the application, and CCleaner Free does not automatically update, this is good news for a lot of people.

If you are on a 32-bit version of Windows and think you might have downloaded CCleaner during the affected timeframe, here’s how to check what version you have. Open CCleaner and look in the top-left corner of the window—you should see a version number under the program name.

If that version is before version 5.33.6162, then you are not affected, and you should manually download the latest version now. If that version is 5.34 or later, your current version isn’t affected, but if you updated CCleaner in between August 15th and September 12th, and are on a 32-bit system, you may still have been affected.


I'm on the 64-bit version, but I had only installed CCleaner at the start of the month - the 5.33.6162 version. I've updated now, but is there anything I need to check out?
 

Luciferical

Sockpuppet
Banned
Joined
Jul 27, 2017
Messages
123
Reaction score
4
Location
USA
There's information out there that suggests (to me) that the malware writers didn't expect this to work. I've read that all the command and control domains were taken over by the researchers that discovered the malware. So even if this thing tries to phone home (as it's called), it'll hear nothing back.

Still... following the instructions already given is the prudent thing to do.
 

Matera the Mad

Bartender, gimme a Linux Mint
Super Member
Registered
Joined
Jan 6, 2008
Messages
13,979
Reaction score
1,533
Location
Wisconsin's (sore) thumb
Website
www.firefromthesky.org
Whatever. I no longer recommend CCleaner because it is no longer possible to download a portable zip file version. That means you have to fight off bundled adware and crap. BleachBit, folks. BleachBit.
 

AW Admin

Administrator
Super Member
Registered
Joined
Apr 19, 2008
Messages
18,772
Reaction score
6,284
So if we're on 64-bit, we're fine?

Make sure you're updated to the latest version, just in case. But as of now, the indications are that they only went for the 32 bit version.
 

nighttimer

No Gods No Masters
Kind Benefactor
Super Member
Registered
Joined
Oct 4, 2006
Messages
11,629
Reaction score
4,103
Location
CBUS
Whatever. I no longer recommend CCleaner because it is no longer possible to download a portable zip file version. That means you have to fight off bundled adware and crap. BleachBit, folks. BleachBit.

I don't have a problem with the ads bundled into CCleaner ever since I installed Unchecky and it takes care of that stuff for me.

As far as BleachBit goes, it appears to be a bit more advanced in some of its features than CCleaner, so I'd like to take a closer look at it before installing it.

But BleachBit does come with the much-coveted Hillary Clinton endorsement, so that's a plus! :Clap:
 

Matera the Mad

Bartender, gimme a Linux Mint
Super Member
Registered
Joined
Jan 6, 2008
Messages
13,979
Reaction score
1,533
Location
Wisconsin's (sore) thumb
Website
www.firefromthesky.org
I expect CCleaner is also likely to become more naggy in the future, and more likely to include some kind of "advanced feature free trial" craptrap like what makes Malwarebytes a PITA if you don't keep a tight rein on it.

BleachBit does a good job in both Windwoes and Linux. A word to the noobs: Be cautious about how far you let it go -- meaning only as far as you can understand. It's a little less baby-safe. Use restore points wisely until you get the hang of it.

I have installed Unchecky in lots of client computers. It's a Good Thing, but I have observed that it is not foolproof.