CCleaner Compromised!


Corrine


Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to a report published by Cisco Talos a few minutes ago.

 

More at CCleaner Compromised to Distribute Malware for Almost a Month. Also see Piriform - Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users and Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk.


Every time I download a new version, ESET flags the installation file for something, usually a PUP.

This stops me from recommending it to newbies who don't already know about it.


I must have missed the fact that Avast bought Piriform in July of this year.

 

My biased opinion: if a company that sells an av program can't check to see that the downloads offered on a site it owns are clean, how trustworthy is the av program it offers?


My biased opinion: if a company that sells an av program can't check to see that the downloads offered on a site it owns are clean, how trustworthy is the av program it offers?

The hairs on the back of my neck raised too. A mere month after Piriform was acquired by Avast (and new people gained access to the code), this compromise occurred? :ermm:

My biased opinion: if a company that sells an av program can't check to see that the downloads offered on a site it owns are clean, how trustworthy is the av program it offers?

The hairs on the back of my neck raised too. A mere month after Piriform was acquired by Avast (and new people gained access to the code), this compromise occurred? :ermm:

Only thing I can think of is that this was an in-lab test file that got mistakenly posted to the wrong place.

From the updated BC article:

Article updated with link to Piriform blog post. Updated article for a second time with response from Avast CTO. An earlier version of this article referenced a tweet suggesting that other parts of the Avast network might be compromised. Avast investigated the issue and discovered that someone used its VPN service to send ransomware-laced spam.

 

Follow-up article on removal: CCleaner Malware Incident - What You Need to Know and How to Remove.

 

Note: CCleaner 5.34 will NOT remove the Agomo registry key used by the malware.


IMHO: The easiest way to see if you're infected is to read at the link Corrine posted....

https://www.bleeping...-how-to-remove/

... and then look in your registry to see if you have the Registry key located at HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo.

 

By the time I saw the post, I had already uninstalled the program, and purged my "Downloads" folder of all the CCleaner installation files. Turns out I have a Piriform key, but in a slightly different location (HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Piriform), and there's no "Agomo".

 

I'm not sure if ESET removed/blocked it, if I never had it, or if uninstalling made it go away.

 

Just about every time I got a new version ESET flagged it for a PUP, and more recently it removed something from memory every time I opened this version.... It's also possible that I had the 64 bit version.

Edited by Pete!
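
A read-only way to do the registry check described in the post above, added here as an example and not taken from the thread or the linked removal article: it looks for the Agomo key in both the 64-bit and the 32-bit registry view, because on 64-bit Windows the HKLM\SOFTWARE keys of a 32-bit program appear under WOW6432Node. The function name Test-AgomoKey is an assumption made for this example; the key path is the one quoted in the thread.

```powershell
# Added example: look for the Piriform\Agomo key named in this thread in both
# registry views. On 64-bit Windows, writes by 32-bit programs to
# HKLM\SOFTWARE are redirected to HKLM\SOFTWARE\WOW6432Node.
function Test-AgomoKey {
    [CmdletBinding()]
    param(
        # Key path relative to HKLM, as quoted in the thread.
        [string]$SubKey = 'SOFTWARE\Piriform\Agomo'
    )

    # A 32-bit OS has only one view, so avoid reporting it twice.
    $views = @([Microsoft.Win32.RegistryView]::Registry64,
               [Microsoft.Win32.RegistryView]::Registry32)
    if (-not [Environment]::Is64BitOperatingSystem) {
        $views = @([Microsoft.Win32.RegistryView]::Registry32)
    }

    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $key = $base.OpenSubKey($SubKey)   # read-only; $null if absent
            $valueNames = @()
            if ($key) {
                $valueNames = $key.GetValueNames()
                $key.Dispose()
            }
            [pscustomobject]@{
                View       = $view
                Path       = "HKLM\$SubKey"
                Present    = [bool]$key
                ValueNames = $valueNames -join ', '
            }
        }
        finally {
            $base.Dispose()
        }
    }
}

$results = Test-AgomoKey
$results | Format-Table -AutoSize
if ($results | Where-Object Present) {
    Write-Warning 'Agomo key found: follow the removal article linked in the thread.'
} else {
    Write-Output 'No Agomo key in either registry view.'
}
```

A result of "not present" only says that this one indicator is absent at the time of the check.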

V.T. Eric Layton

Hmm... since I don't have network access enabled in my Windows installation, I haven't updated CCleaner for about 6 months. Guess I don't have to worry about this. It's sad that these irresponsible entities continue to allow breaches and such like this to happen. Security doesn't seem to be a priority quite as high as "making a buck" seems to be.

