Avast's CCleaner Free Windows Application Infected With Malware (bleepingcomputer.com)
Reader Tinfoil writes: Cisco Talos announces that malware cleaning app, CCleaner, has been infected with malware for the past month. Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to a report published by Cisco Talos a few minutes ago. Cisco Talos believes that a threat actor might have compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan. The company said more than 2.27 million had downloaded the compromised version of CCleaner.
Re: (Score:2, Insightful)
Of course I could have easily confused them with some other anti-malware vendor when it comes to their advertising -- many of them seem to be pretty scummy - just skimming the border of drive-by installs, piggybacking on other installs (looking at *you* Adobe) etc.
Re:CCleaner wasn't malware all along? (Score:5, Insightful)
IT IS NOT ANTI-MALWARE, IT IS A DUPE FILE REMOVER, CACHE FILE CLEANER, UTILITY TOOL FOR REMOVING STUBBORN UNINSTALLERS THAT BROKE, ETC.
You fucking idiots want to keep saying it's AV because you don't seem to know a god damn thing about it lol. "Oh it's a terrible security model" - On Windows? MORON.
WHINY PETULANT SLASHDOT BITCHES WHO THINK THEY'RE EXPERTS WITHOUT READING A GOD DAMN THING, LOL
Re:CCleaner wasn't malware all along? (Score:4, Informative)
ALSO - only the 32 bit version and cloud versions between 8-15 and 9-12 were infected. 64 bit I have verified is not infected. The trojan is detected by Spyhunter which has a trialware version until you go to remove malware.
Re:CCleaner wasn't malware all along? (Score:5, Funny)
If your system is compromised in any way, the only sane response is to wipe the disk(s),
Wipe the disks? Are you nuts. I say we take off and nuke the entire site from orbit. It's the only way to be sure!
Re: CCleaner wasn't malware all along? (Score:2)
Wouldn't it be amazing if everyone had as much free time as you?
Re: CCleaner wasn't malware all along? (Score:2)
Completely reinstalling Windows, all the updates and all the software you might be using is a time-consuming process and most people want to do something else with that time.
Re:CCleaner wasn't malware all along? (Score:5, Insightful)
It's not an anti-malware program.
It's an optimizer.
Re: (Score:1, Funny)
It's not an anti-malware program.
It's an optimizer.
If they're trying to optimize Windows, oh man have they got their work cut out for them. Even with all its massive resources and full access to source code, even Microsoft couldn't do that!
Re: (Score:3)
Strangely enough, I've run CCleaner for years, on probably hundreds of different systems, and never had it break something by deleting something it shouldn't.
Most system cleaners/optimizers are crap, but CCleaner is one of the only ones that I actually trust(ed).
Re: (Score:2)
Been using it since Moby Dick was minnow. Never had a problem at home, on other home computers, and a gazillion work computers.
It's not an anti-malware program.
It's an optimizer.
Ironically, anti-malware serves the same goal, unless you don't consider an uninfected system as optimally configured...
Re: (Score:2)
No.
Anti-malware guards against, well, malware.
ccleaner does not guard ... it deletes shit like cookies, browsing history, and (optionally) registry entries.
You can download the latest version of ccleaner and test drive it instead of guessing what it does.
Re: (Score:1)
I'm not at all clear on what value they bring to the table.
With CCleaner and similar software you get to choose the Malware you have installed in your machine, in other cases you don't choose.
Re:CCleaner wasn't malware all along? (Score:4, Funny)
Norton should sue for patent infringement.
Re: (Score:3)
Kind of, at least after they were bought by a nefarious corporation intent on monetizing it any way they could.
The original was a really nice application, from an independent developer tired of all the crap on his computer, including the stuff pre-loaded by the vendors. The "C" in CCleaner stands for "crap" - the original name was "Crap Cleaner."
Re: (Score:2)
I suspect you're mixing it up with PC Decrapifier. That's the one to remove all the preinstalled crap from major OEM vendors.
Re: CCleaner wasn't malware all along? (Score:1)
Re: (Score:2)
At least valid antivirus software doesn't flood your screen with popups.
Er, I mean, it doesn't nag you to do things you don't want to do.
Well, it doesn't fill your hard drive full of gigabytes of junk.
That is, at least it doesn't mess with your internet connection and cause inexplicable outages.
You know what? I give up.
Never had a problem until (Score:5, Informative)
Re: (Score:2, Insightful)
I felt the same way when I heard about Avast acquiring CCleaner. I refused to upgrade until I could find some reviews that said Avast hadn't ruined it with bloat like their anti-virus, and damn I'm glad I waited.
Re: (Score:2)
Same. I'm still running 5.28. I expected shenanigans with the new versions, but not to this level.
Coincidence? (Score:4, Interesting)
The version before Avast bought it was version 5.32 in July 2017 [slashdot.org]. Here we see version 5.33 with the Floxif malware after August 2017.
Coincidence? I think not.
Why payload is so gimped? (Score:5, Interesting)
Someone capable of poisoning signed downloads (high complexity) should be able to select a functional payload (low complexity). I don't see any alternative explanation for the "ran on 32-bit systems" limitation other than incompetence. This doesn't add up.
Re: (Score:1)
Because this is an advertising tool by design, not a hacked piece of software. They are just trying to do what Windows 10 does.
Re: (Score:2)
From the linked article: "The malware collected information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part. Researchers noted that the malware only ran on 32-bit systems."
This sounds exactly what Windows 10 telemetry does.
Missing Malware Info (Score:5, Informative)
Floxif is a malware downloader that gathers information about infected systems and sends it back to its C&C server. The malware also had the ability to download and run other binaries, but at the time of writing, there is no evidence that Floxif downloaded additional second-stage payloads on infected hosts.
The malware collected information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part. Researchers noted that the malware only ran on 32-bit systems. The malware also quit execution if the user was not using an administrator account.
Re:Missing Malware Info (Score:5, Interesting)
It's almost like it was meant to inspect corporate or government computers where lazy IT admins might not have migrated 64-bit-capable workstations to 64-bit OSes because they've been maintaining a 32-bit OS/image for years, and to then allow that information to be inspected to determine which computers to attempt to infect with other payloads.
Anyone know if the malware is detectable / fixable (Score:1)
As a regular and longtime user/installer of CCleaner, including version 5.33, it's possible that I may be infected. I've not seen any symptoms nor has Malware Bytes/Comodo detected anything, but....
Can any of the current tools check if any of my PCs are/may be infected?
Re:Anyone know if the malware is detectable / fixa (Score:5, Funny)
Sure. CCleaner version 5.34. Available from downloads.ru today!
Re: (Score:3)
There is a more technical breakdown [talosintelligence.com] of the malware from the folks at Talos that discovered it. According to them ClamAV has a signature to detect the altered installers. Also it looks like Malwarebytes has the signature too [malwarebytes.com] so if that is what you are using get the updated signature files and run a scan.
Otherwise look for outbound traffic attempting to go to 216.126.225.148, that is the hardcoded C2 server the malware uses.
"Malware cleaning app" (Score:5, Insightful)
Cisco Talos announces that malware cleaning app...
Except it wasn't a malware cleaning app. Just a cleaning app. Maybe it happened to clean malware that got caught in the recycle bin, but that's about the extent of it. Of course, it ended up being a malware-infected cleaning app. Maybe that's what the OP meant??
Can it clean it's own malware though? (Score:2)
Re: (Score:1)
.... whoever wrote the original submission and whoever didn't bother to check facts before posting.
You must be new here.
Damn ... (Score:3)
... First, Web of Trust and now this.
Re: (Score:2)
And others we don't know about. :( "Trust no one." --The X-Files
Longer discussion on the topic (Score:1)
https://news.ycombinator.com/i... [ycombinator.com]
Where's the MD5/SHA1 for the infected files? (Score:2)
Will it be published on IOS? (Score:1)
That's (Score:2)
A vast issue for them
Re: (Score:2)
Ba-zing!
Well duh (Score:1)
Re: (Score:2)
I mean deleting thumbnail cache? That's idiotic!
Not if you frequently view, obviously for research purposes, pornographic materials that normally reside on an encrypted drive.
Re: (Score:2)
What about stale thumbnail cache? Have you never seen the wrong thumbnails displayed in a file browser window for an image? Additionally, you say that in the sense it deletes thumbnail cache it's "absolutely malware and always has been"? I don't get it.
What program(s) do you use to do what CCleaner does?
Does one need this trash? (Score:1)
Re: (Score:2)
"CC Cleaner" sounds like an imitating (malware-ridden) app.
"CCleaner" is the app TFA is discussing.
Superficial and inaccurate (Score:5, Informative)
This post is sorely lacking tons of information, and the few facts it does contain are wrong.
CCleaner is NOT a malware cleaning app. It's a registry and regular file cleaner software.
Furthermore, let's dig into the case:
- This ONLY affects the 32-bit version of CCleaner and CCleaner Cloud, which accounts for some 3% of Piriform users. If you are using the 64-bit version, you are probably safe. From Piriform’s website: “This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected.”;
- From Piriform’s assessment, here’s the actual danger: “The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server. Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done.”
- The investigation is still ongoing, but Piriform is saying that the issue has been solved, that no harm was done, and that it seems not to have originated from official CCleaner/Piriform sources. Which is to say, it could be embedded code that was inserted on 3rd party download websites. There is further explanation on Talos' post of how it was a sophisticated attack, because whoever did it managed to put up a valid cert on the infected version of CCleaner, so there should be more information coming out as the investigation proceeds.
If you wanna dig more into the whole thing, here's Piriform's official statement:
https://www.piriform.com/news/... [piriform.com]
And here's Talos' security assessment of the case:
http://blog.talosintelligence.... [talosintelligence.com]
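A defender's triage helper that combines the two concrete checks this thread offers: the affected-build list quoted from Piriform in this post, and the hardcoded C2 address named in the reply to "Anyone know if the malware is detectable" further up. This is an added example written for this page, not code from Piriform, Talos or any poster; the firewall-log format and the sample lines are constructed.

```python
# Added example (not from the thread, Piriform or Talos): triage helper that
# applies the two checks the comments describe. Affected builds and the C2
# address are quoted from the thread; the log format and lines are constructed.
import re
from typing import Dict, Iterable

# From Piriform's statement quoted above: only these 32-bit builds were affected.
AFFECTED_BUILDS = {
    ("CCleaner", "5.33.6162", "x86"),
    ("CCleaner Cloud", "1.07.3191", "x86"),
}
# Hardcoded C2 address named in the thread.
C2_ADDRESS = "216.126.225.148"

def is_affected_build(product: str, version: str, arch: str) -> bool:
    """True only for the 32-bit builds Piriform listed as compromised."""
    return (product, version, arch.lower()) in AFFECTED_BUILDS

# Constructed firewall-log format (assumption, not any real product's format):
# "<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

def find_c2_contacts(lines: Iterable[str], c2: str = C2_ADDRESS) -> Dict[str, int]:
    """Map each internal host that tried to reach the C2 to its attempt count.
    Denied attempts count too: a blocked beacon still marks an infected host."""
    hits: Dict[str, int] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("dst") != c2:
            continue  # unparseable line or traffic to some other destination
        hits[m.group("src")] = hits.get(m.group("src"), 0) + 1
    return hits

# Constructed sample log lines (192.0.2.10 is a documentation-range address).
SAMPLE_LOG = [
    "2017-09-18T03:00:01Z src=10.0.0.15 dst=216.126.225.148 dport=443 action=allow",
    "2017-09-18T03:00:05Z src=10.0.0.15 dst=216.126.225.148 dport=443 action=deny",
    "2017-09-18T03:01:10Z src=10.0.0.22 dst=192.0.2.10 dport=443 action=allow",
    "2017-09-18T03:02:00Z src=10.0.0.40 dst=216.126.225.148 dport=80 action=deny",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    print(is_affected_build("CCleaner", "5.33.6162", "x86"))  # True
    print(is_affected_build("CCleaner", "5.33.6162", "x64"))  # False
    print(find_c2_contacts(SAMPLE_LOG))  # {'10.0.0.15': 2, '10.0.0.40': 1}
```

Hosts flagged by find_c2_contacts should be treated as compromised regardless of whether the firewall allowed the connection, since the attempt itself is the indicator.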
One more reason (Score:1)
I am looking forward to my exit in supporting other people's Windows boxen. I cannot *wait* until I can say, with a big fat grin on my face, "Sorry, I don't do Windows support anymore", or better yet, "Sorry, I've literally *never* used Windows 11" (or whatever stupid Windows name they call it by then).
I'm getting goosebumps just thinking about it. Oh, happy days await me. =}
Re: (Score:1)
FFS, creimer, please go watch this video and take its advice to heart.
https://www.youtube.com/watch?... [youtube.com]
"The only applications I use ARE Microsoft Defender and Malware Bytes."
For a "published" "writer", you sure do have problems constructing grammatically correct English sentences.
Re: (Score:1)
For a "published" "writer", you sure do have problems constructing grammatically correct English sentences.
If I wrote perfect sentences, you would have nothing to bitch about on Slashdot.
Re: (Score:1)
https://www.scribd.com/book/193804069/A-Misplaced-Stick-Short-Story
Scribd is still having issues with my ebooks. I have notified Smashwords to push out my catalog again. Thanks for bringing this to my attention.
Re: (Score:1)
" you might to write a Python script"
creimer-like grammar detected. Come on, Chris, if you're going to impersonate ACs, try to put some effort into it.
Do you want some spam-flavored macadamia nuts [amazon.com] with your whine?
Re: (Score:1)
The only applications that I use is Microsoft Defender and Malware Bytes. All the third-party applications for keeping WinXP running weren't needed in Vista/7/8/10.
cdreimer, that sounds like a really boring PC. At least install Excel so you can have some fun typing in numbers and making up formulas.
Not as exciting as cat videos, I know, but something. There's only so long I can watch Microsoft Defender before the magic starts to wear off.
Re: (Score:1)
There's only so long I can watch Microsoft Defender before the magic starts to wear off.
Microsoft Defender on my PCs kicks off at 3:00AM in the morning. If you're having trouble sleeping that late at night, I suggest taking Nyquil.
Re: (Score:1)
You two should get a room.
I doubt I could put up with the constant wanking. I find such lack of self-control disturbing.
Re: (Score:1)
And of course, YOUR schedule must be the universal schedule.
IIRC, Microsoft Defender runs as an automatic task at 3:00AM. Since that's the default setting, I haven't changed it.
Re: (Score:1)
Those of us "in the know" only trust APK's hosts file generator to stay protected from malware.
Cruz/Palin 2020
A hosts file is a single blacklist. A problem with blacklisting is that you have to implicitly trust the creator of the blacklist (unless you're going to tell me you personally verified each individual entry in it?). You have to trust that they didn't miss anything that should have been included in the blacklist, which is hard to confirm. You also have to trust that their reasons for adding an entry are what they claim (remember the politically motivated entries in censorship software like NetNanny?). T