CCleaner Hacked With Data-Stealing Malware: What to Do Now
by HENRY T. CASEY Sep 18, 2017, 5:42 AM
CCleaner, a system-optimization tool with more than 2
billion downloads worldwide, is used by many Windows, Mac and Android users who
are looking to keep their devices running as fast as possible. Unfortunately
for them, it appears that hackers decided to sneak their own code into a recent
build of CCleaner for Windows in an attempt to steal data and possibly infect
users' systems with even more malicious applications.
The attack took place by piggy-backing onto CCleaner by
infiltrating the servers that distribute the software, infecting version 5.33
of the Windows utility and version 1.07 of its cloud-based sister application.
Those servers belonged to Piriform, the London company that created CCleaner.
In July of this year, Piriform was acquired by the Prague-based antivirus maker
Avast.
If you've updated CCleaner since Aug. 15 and you're
running 32-bit Windows, you may be infected. You should roll back to a pre-Aug.
15 snapshot of your system, or run a malware scan. Following either (or both)
of those steps, visit Piriform's site to download and install the latest, clean
version of CCleaner.
A report on this attack from technology company Cisco's
Talos Intelligence blog notes that infected versions of CCleaner were observed
"as recently as September 11," and that it alerted Avast of the
issue on September 13. Before that, though, Piriform already knew something
fishy was going on.
In a blog post from Paul Yung, VP of Products for
Piriform, the exec noted that his company saw suspicious activity from
"unknown IP address receiving data from software found in version
5.33.6162 of CCleaner" on Sept. 12, which led to Piriform taking the
server down. This data transfer from CCleaner appeared to be the malware,
identified as Floxif, phoning home to its command-and-control servers.
The infected version of CCleaner, 5.33 for Windows, was
made available for download on Aug. 15, and its cleaned version, version 5.34,
on Sept. 12. The infected version of CCleaner Cloud was made available on Aug.
24, and a clean version on Sept. 15. The Mac and Android versions of CCleaner
do not appear to have been affected.
An Avast spokeswoman told Reuters that 2.27 million users
had downloaded the infected version of CCleaner, and that 5,000 installations
of CCleaner Cloud had received the tainted update to that software.
If you're on version 5.33 of CCleaner, which displays its
version number in the top left corner of its interface, your best bet may be to
roll back your Windows system to a snapshot from before Aug. 15, as your system
may have been compromised since then. At the very least, make sure your own
anti-virus software is up to date.
Those without the option to restore a backup should check
if their CCleaner is 5.33. Yung notes that Piriform is updating all
versions of its software to non-malicious versions, but users can also download a
fresh copy from Piriform's site.
While CCleaner is a very popular application, claiming 5
million downloads per week, this infected version would not have hit all of
those users. The free version of CCleaner must be manually updated. However,
CCleaner is also built into some versions of Avast antivirus software, in which
it is automatically updated. CCleaner Cloud is also automatically updated.
Cases such as this, where system-optimization or
anti-virus software is infected by malware, are especially dangerous, as those
programs run with deep system privileges, and can do more damage than almost
any other software. Even more importantly, the hacked version of CCleaner was
signed with a legitimate copy of Piriform's developer certificate, which
shouldn't have been available to the miscreants involved.
Fortunately, the impact of this affected version of
CCleaner may be mitigated by more than its lack of automatic updates. The
Floxif malware appears to infect only 32-bit Windows systems, and most PCs sold
in the last 5 years run 64-bit Windows.
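The version check described above, as an added PowerShell example (not from the article, Piriform, or Avast): it reads the installed CCleaner entries from the Windows uninstall registry keys, flags the builds the article names as affected (5.33 for Windows, 1.07 for CCleaner Cloud), reports whether Windows is 32- or 64-bit (the article says Floxif appears to run only on 32-bit systems), and shows why an Authenticode check alone cannot clear the install, since the tainted build carried a valid Piriform signature. The uninstall-key lookup, the default install path `C:\Program Files\CCleaner\CCleaner.exe` and the `CCleaner Cloud` display name are assumptions, not details from the article.

```powershell
# Added example (not from the article or Piriform): report whether the CCleaner
# installed on this machine is one of the builds the article names as tainted.
# Version numbers come from the article; registry keys, install path and the
# "CCleaner Cloud" display name are assumptions about a typical install.

$AffectedDesktop = [version]'5.33'   # CCleaner for Windows 5.33 (build 5.33.6162)
$AffectedCloud   = [version]'1.07'   # CCleaner Cloud 1.07

function Get-CCleanerInstall {
    # Check both the native and the WOW6432Node uninstall hives so that a
    # 32-bit CCleaner on 64-bit Windows is found as well (assumed location).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-CCleanerAffected {
    param(
        [string]$Product,   # e.g. "CCleaner" or "CCleaner Cloud" (assumed display names)
        [string]$Version    # DisplayVersion string from the registry
    )
    # Compare major.minor only: the article identifies 5.33 and 1.07 as the tainted releases.
    try { $v = [version]$Version } catch { return $false }
    $mm = [version]('{0}.{1}' -f $v.Major, $v.Minor)
    if ($Product -like '*Cloud*') { return $mm -eq $AffectedCloud }
    return $mm -eq $AffectedDesktop
}

$installs = @(Get-CCleanerInstall)
if (-not $installs) { Write-Host 'No CCleaner entry found in the uninstall registry keys.' }

foreach ($i in $installs) {
    $hit   = Test-CCleanerAffected -Product $i.DisplayName -Version $i.DisplayVersion
    $label = if ($hit) { 'AFFECTED BUILD - roll back to a pre-Aug. 15 snapshot or scan, then reinstall' }
             else      { 'not one of the affected builds' }
    Write-Host ('{0} {1}: {2}' -f $i.DisplayName, $i.DisplayVersion, $label)
}

# Bitness: the article reports that Floxif appears to infect only 32-bit Windows.
# A 64-bit host may still hold the tainted installer, but the payload is not
# reported to run there.
$bits = if ([Environment]::Is64BitOperatingSystem) { 64 } else { 32 }
Write-Host ("Windows is {0}-bit" -f $bits)

# Signature: the tainted 5.33 build was signed with Piriform's legitimate
# certificate, so a "Valid" status here does NOT clear the install. The version
# number, not the signature, is the indicator.
$exe = 'C:\Program Files\CCleaner\CCleaner.exe'   # default install path (assumption)
if ($installs -and $installs[0].InstallLocation) {
    $exe = Join-Path $installs[0].InstallLocation 'CCleaner.exe'
}
if (Test-Path $exe) {
    $sig = Get-AuthenticodeSignature -FilePath $exe
    $fv  = (Get-Item $exe).VersionInfo.FileVersion
    Write-Host ('{0}: file version {1}, signature {2}' -f $exe, $fv, $sig.Status)
    if ($sig.SignerCertificate) { Write-Host ('  signer: {0}' -f $sig.SignerCertificate.Subject) }
}
```

Run it from an elevated PowerShell prompt so the HKLM uninstall keys are readable. Because the affected build is legitimately signed, the script treats the version number as the deciding check and prints the signature only to make that point visible; a valid signature on a 5.33 install is exactly the situation the article describes.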
As to who is behind this attack and how they infected the
official versions of CCleaner, Talos hasn't released anything yet, and Yung
isn't providing any other details.