CCleaner Compromised!


10 replies to this topic

#1 Corrine (The Mystical Rose, Forum Admins, 4,110 posts)

Posted 18 September 2017 - 09:36 AM

Quote

Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to a report published by Cisco Talos a few minutes ago.

More at CCleaner Compromised to Distribute Malware for Almost a Month. Also see Piriform - Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users and Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

#2 Pete! (Message Mogul, Members, 263 posts)

Posted 18 September 2017 - 09:50 AM

Every time I download a new version, ESET flags the installation file for something, usually a PUP.
This stops me from recommending it to newbies who don't already know about it.

#3 zlim (It's me, plodr, Forum MVP, 7,047 posts)

Posted 18 September 2017 - 10:10 AM

I must have missed the fact that Avast bought Piriform in July of this year.

My biased opinion: if a company that sells an av program can't check to see that the downloads offered on a site it owns are clean, how trustworthy is the av program it offers?
Liz
Registered Linux User # 401459

#4 Digerati (Post Master, Members, 146 posts)

Posted 18 September 2017 - 10:50 AM

zlim, on 18 September 2017 - 10:10 AM, said:

My biased opinion: if a company that sells an av program can't check to see that the downloads offered on a site it owns are clean, how trustworthy is the av program it offers?
The hairs on the back of my neck raised too. A mere month after Piriform was acquired by Avast (and new people gained access to the code), this compromise occurred? :ermm:
Bill (AFE7Ret)
Freedom is NOT Free!
Windows and Devices for IT, 2007 - 2018

Heat is the bane of all electronics!

#5 crp (Discussion Deity, Members, 3,050 posts)

Posted 18 September 2017 - 11:24 AM

Digerati, on 18 September 2017 - 10:50 AM, said:

zlim, on 18 September 2017 - 10:10 AM, said:

My biased opinion: if a company that sells an av program can't check to see that the downloads offered on a site it owns are clean, how trustworthy is the av program it offers?
The hairs on the back of my neck raised too. A mere month after Piriform was acquired by Avast (and new people gained access to the code), this compromise occurred? :ermm:
The only thing I can think of is that this was an in-lab test file that got mistakenly posted to the wrong place.
Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience. ~C. S. Lewis

#6 Corrine (The Mystical Rose, Forum Admins, 4,110 posts)

Posted 18 September 2017 - 06:18 PM

From the updated BC article:

Quote

Article updated with link to Piriform blog post. Updated article for a second time with response from Avast CTO. An earlier version of this article referenced a tweet suggesting that other parts of the Avast network might be compromised. Avast investigated the issue and discovered that someone used its VPN service to send ransomware-laced spam.

Follow-up article on removal: CCleaner Malware Incident - What You Need to Know and How to Remove.

Note: CCleaner 5.34 will NOT remove the Agomo registry key used by the malware.

#7 abarbarian (Thread Kahuna, Forum MVP, 5,396 posts)

Posted 19 September 2017 - 07:28 AM

Thanks for the heads up. I have just done a fresh install of 7, so I'll have to check which version of CC I used.

:thumbup:
Install ARCH
You'll never need to install it again
"I did and I'm really happy"


#8 Pete! (Message Mogul, Members, 263 posts)

Posted 19 September 2017 - 08:03 AM

IMHO: The easiest way to see if you're infected is to read the link Corrine posted...
https://www.bleeping...-how-to-remove/
... and then look in your registry to see if you have the Registry key located at HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo.

By the time I saw the post, I had already uninstalled the program, and purged my "Downloads" folder of all the CCleaner installation files. Turns out I have a Piriform key, but in a slightly different location (HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Piriform), and there's no "Agomo".

I'm not sure if ESET removed/blocked it, if I never had it, or if uninstalling made it go away.

Just about every time I got a new version, ESET flagged it for a PUP, and more recently it removed something from memory every time I opened this version... It's also possible that I had the 64-bit version.

Edited by Pete!, 19 September 2017 - 08:06 AM.
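A script that runs the check Pete! describes on a Windows host, added here as an example; it is not from the thread, from the linked article, or from Piriform or Avast. It looks for the Agomo key in both registry views, because on 64-bit Windows a 32-bit process that writes HKLM\SOFTWARE is redirected to HKLM\SOFTWARE\WOW6432Node (which is why a 64-bit machine can show Piriform only there, as in the post above), and it reads the file version of any installed CCleaner.exe so it can be compared with the affected build 5.33.6162 from the Piriform notification. The install paths, the version-matching heuristic and the -Remove switch are assumptions made for the example, not something the thread or the vendor specifies.

```powershell
<#
Added example (not Piriform/Avast code): report the indicators discussed in
this thread on a Windows host and, optionally, delete the Agomo key.

Usage (64-bit PowerShell, run elevated):
  .\Check-CCleaner.ps1            # report only
  .\Check-CCleaner.ps1 -Remove    # also delete any Agomo key found
#>
[CmdletBinding()]
param(
    [switch]$Remove
)

# Affected 32-bit build named in the Piriform security notification.
$AffectedMajor = 5
$AffectedMinor = 33
$AffectedBuild = '6162'

# Key the malware creates, per the BleepingComputer removal article.
# A 32-bit process writing HKLM\SOFTWARE on 64-bit Windows is redirected to
# HKLM\SOFTWARE\WOW6432Node, so both views are checked. Run this from 64-bit
# PowerShell; in a 32-bit host the first path silently maps onto the second.
$AgomoKeys = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'
)

# Default install paths (assumed for the example; adjust if installed elsewhere).
$ExeCandidates = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
)

function Get-CCleanerBinaryStatus {
    foreach ($exe in $ExeCandidates) {
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $vi = (Get-Item -LiteralPath $exe).VersionInfo
        # Version-string layout differs between builds (assumption), so match
        # major.minor and look for the affected build number in the string.
        $isAffected = ($vi.FileMajorPart -eq $AffectedMajor) -and
                      ($vi.FileMinorPart -eq $AffectedMinor) -and
                      ($vi.FileVersion -like "*$AffectedBuild*")
        [pscustomobject]@{
            Path        = $exe
            FileVersion = $vi.FileVersion
            Affected    = $isAffected
        }
    }
}

function Get-AgomoKeyStatus {
    foreach ($key in $AgomoKeys) {
        $present = Test-Path -LiteralPath $key
        $values  = $null
        if ($present) {
            # Show the value names so the reader can see what the key holds.
            $values = (Get-Item -LiteralPath $key).GetValueNames() -join ', '
            if ($Remove) {
                # CCleaner 5.34 does not remove this key (see post #6 above).
                Remove-Item -LiteralPath $key -Recurse -Force
                Write-Warning "Removed $key"
            }
        }
        [pscustomobject]@{ Key = $key; Present = $present; Values = $values }
    }
}

'== CCleaner binaries =='
$bins = @(Get-CCleanerBinaryStatus)
if ($bins.Count -eq 0) { 'CCleaner.exe not found in the default locations.' }
else { $bins | Format-Table -AutoSize }

'== Agomo registry key =='
$keys = @(Get-AgomoKeyStatus)
$keys | Format-Table -AutoSize

# One-line summary the reader can act on.
if (($bins | Where-Object Affected) -or ($keys | Where-Object Present)) {
    Write-Warning 'Indicators present: follow the removal steps in the linked article and update CCleaner.'
} else {
    'No indicators from this thread found.'
}
```

A Piriform key without an Agomo subkey, as Pete! found under WOW6432Node, reports Present=False for both paths; an affected binary that has already been uninstalled, as in his case, reports nothing under the binaries heading, so the registry check is the part that still says something after removal.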


#9 Corrine (The Mystical Rose, Forum Admins, 4,110 posts)

Posted 19 September 2017 - 09:24 AM

For those interested, here's the report from Avast:  Update to the CCleaner 5.33.6162 Security Incident.

#10 V.T. Eric Layton (Nocturnal Slacker, Forum Admins, 21,255 posts)

Posted 19 September 2017 - 11:56 AM

Hmm... since I don't have network access enabled in my Windows installation, I haven't updated CCleaner for about 6 months. Guess I don't have to worry about this. It's sad that these irresponsible entities continue to allow breaches and such like this to happen. Security doesn't seem to be a priority quite as high as "making a buck" seems to be.

#11 ebrke (Board Bigwig, Forum MVP, 2,721 posts)

Posted 21 September 2017 - 04:21 PM

Seems this isn't over yet:
https://www.ghacks.n...oad-discovered/
Registered Linux User 344759



