Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Privacy

Avast's CCleaner Free Windows Application Infected With Malware (bleepingcomputer.com) 156

Reader Tinfoil writes: Cisco Talos announces that malware cleaning app, CCleaner, has been infected with malware for the past month. Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to a report published by Cisco Talos a few minutes ago. Cisco Talos believes that a threat actor might have compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan. The company said more 2.27 million had downloaded the compromised version of CCleaner.
This discussion has been archived. No new comments can be posted.

Avast's CCleaner Free Windows Application Infected With Malware

Comments Filter:
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Monday September 18, 2017 @09:06AM (#55218491)
    Comment removed based on user account deletion
  • by p51d007 ( 656414 ) on Monday September 18, 2017 @09:12AM (#55218515)
    Avast bought it. Always was a quick easy way to dump the garbage off your computer instead of 2-3 or more programs to do the same thing.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I felt the same way when I heard about Avast acquiring CCleaner. I refused to upgrade until I could find some reviews that said Avast hadn't ruined it with bloat like their anti-virus, and damn I'm glad I waited.

      • by Pyrion ( 525584 )

        Same. I'm still running 5.28. I expected shenanigans with the new versions, but not to this level.

    • Coincidence? (Score:4, Interesting)

      by n329619 ( 4901461 ) on Monday September 18, 2017 @10:49PM (#55223505)

      The version before Avast bought it was version 5.32 on July 2017 [slashdot.org]. Here we see version 5.33 with the Floxif malware after August 2017.

      Coincidence? I think not.

  • by sinij ( 911942 ) on Monday September 18, 2017 @09:14AM (#55218533)
    From the linked article: "The malware collected information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part. Researchers noted that the malware only ran on 32-bit systems."

    Someone capable of poisoning signed downloads (high complexity) should be able to select functional payload (low complexity). I don't see any alternative explanation to "ran on 32-bit systems" limitation other than incompetence. This doesn't add up.
    • by zlives ( 2009072 )

      because this advertising tool by design not a hacked piece of software. they are just trying to do what windows 10 does.

    • by mea2214 ( 935585 )

      From the linked article: "The malware collected information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part. Researchers noted that the malware only ran on 32-bit systems." .

      This sounds exactly what Windows 10 telemetry does.

  • Missing Malware Info (Score:5, Informative)

    by Anonymous Coward on Monday September 18, 2017 @09:17AM (#55218549)

    Floxif is a malware downloader that gathers information about infected systems and sends it back to its C&C server. The malware also had the ability to download and run other binaries, but at the time of writing, there is no evidence that Floxif downloaded additional second-stage payloads on infected hosts.

    The malware collected information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part. Researchers noted that the malware only ran on 32-bit systems. The malware also quit execution if the user was not using an administrator account.

    • by TWX ( 665546 ) on Monday September 18, 2017 @09:28AM (#55218631)

      It's almost like it was meant to inspect corporate or government computers where lazy IT admins might not have migrated 64-bit-capable workstations to 64-bit OSes because they've been maintaining a 32-bit OS/image for years, and to then allow that information to be inspected to determine which computers to attempt to infect with other payloads.

  • As a regular and longtime user/installer of CCleaner, including version 5.33, it's possible that I may be infected. I've not seen any symptoms nor has Malware Bytes/Comodo detected anything, but....

    Can any of the current tools check if any of my PCs are/may be infected?

    • by TWX ( 665546 ) on Monday September 18, 2017 @09:30AM (#55218647)

      Sure. CCleaner version 5.34. Available from downloads.ru today!

    • There is a more technical breakdown [talosintelligence.com] of the malware from the folks at Talos that discovered it. According to them ClamAV has a signature to detect the altered installers. Also it looks like Malwarebytes has the signature too [malwarebytes.com] so if that is what you are using get the updated signature files and run a scan.

      Otherwise look for outbound traffic attempting to go to 216.126.225.148, that is the hardcoded C2 server the malware uses.

  • by Mr.Intel ( 165870 ) <mrintel173NO@SPAMyahoo.com> on Monday September 18, 2017 @09:21AM (#55218569) Homepage Journal

    Cisco Talos announces that malware cleaning app...

    Except it wasn't a malware cleaning app. Just a cleaning app. Maybe it happened to clean malware that got caught in the recycle bin, but that's about the extent of it. Of course, it ended up being a malware-infected cleaning app. Maybe that's what the OP meant??

  • That would be a cool trick - identifying itself as malware and then deleting it.
  • by CaptainDork ( 3678879 ) on Monday September 18, 2017 @09:34AM (#55218667)

    ... First, Web of Trust and now this.

  • by Anonymous Coward
  • They tell everyone of the infection but don't provide hashes for the infected files and installers. Class act right there. Just get 5.34 which is totally okay, we promise.
  • With other treat about IOS removing antivirus from IOS store, I wonder if it will published on IOS. Doubleplus Good.
  • A vast issue for them

  • First of all, I'm fairly certain it's made by Piriform, not Avast. Second, it absolutely, unequivocally makes your computer slower with its default options. I mean deleting thumbnail cache? That's idiotic! So in that sense it absolutely is malware and always has been. But hopefully they get absolutely destroyed in court and get jail time so they shut down. I cannot stand their products.
    • I checked. Avast bought Piriform like 2 months ago.
    • by sinij ( 911942 )

      I mean deleting thumbnail cache? That's idiotic!

      Not if you frequently view, obviously for research purposes, pornographic materials that normally reside on an encrypted drive.

    • What about stale thumbnail cache? Have you never seen the wrong thumbnails displayed in a file browser window for an image? Additionally, you say that in the sense it deletes thumbnail cache it's "absolutely malware and always has been"? I don't get it.

      What program(s) do you use to do what CCleaner does?

  • I installed CC Cleaner in my phone a couple of years ago. It couldn't do anything beyond what one can already do with the tools shipped with Android. And, as a bonus, it would interrupt you whenever it saw fit, and it used lots of CPU and battery to boot. This things has been nothing but malware from day one.
  • by XSportSeeker ( 4641865 ) on Monday September 18, 2017 @03:32PM (#55221601)

    This post is sorely lacking tons of information and the few that are in it are wrong.
    CCleaner is NOT a malware cleaning app. It's a registry and regular file cleaner software.
    Furthermore, let's dig into the case:

    - This ONLY affects the 32-bit version of CCleaner and CCleaner Cloud, which accounts for some 3% of Piriform users. If you are using 64-bit version, you are probably safe. From Piriform’s website: “This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected.”;

    - From Piriform’s accessment, here’s the actual danger: “The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server. Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done.”

    - The investigation is still ongoing, but Piriform is saying that the issue has been solved, that no harm was done, and what seems like it didn’t originate from official CCleaner/Piriform sources. Which is to say, it could be embedded code that was inserted on 3rd party download websites. There is further explanation on Talos' post how it was a sofisticated attack because whoever did it managed to put up a valid cert on the infected version of Ccleaner though, so there should be more information coming out as the investigation proceeds.

    If you wanna dig more into the whole thing, here's Piriform's official statement:
    https://www.piriform.com/news/... [piriform.com]

    And here's Talos security accessment of the case:
    http://blog.talosintelligence.... [talosintelligence.com]

  • I am looking forward to my exit in supporting other people's Windows boxen. I cannot *wait* until I can say, with a big fat grin on my face, "Sorry, I don't do Windows support anymore", or better yet, "Sorry, I've literally *never* used Windows 11" (or whatever stupid Windows name they call it by then).

    I'm getting goosebumps just thinking about it. Oh, happy days await me. =}

Technology is dominated by those who manage what they do not understand.

Working...