Monday, September 18th 2017

Piriform Hacked, CCleaner August Versions (v5.33.6162) Injected, Compromised

In another large-scale attack that's bound to increase users' awareness on their systems' security, news have broken out that Piriform, creators of the popular CCleaner software tool (estimated to be instaled in some 130 million devices), have suffered a hack on their servers that compromised some installer packages of the software. Piriform, which was purchased by popular security software company Avast last July, was hacked last August, and the changes to the installer packages could potentially allow hackers to control the devices of more than two million users, the company and independent researchers said on Monday.
Specifically, hackers embedded remote administration tools on CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191, tools that then tried to connect to several unregistered web pages, looking to download additional unauthorized programs, according to Cisco's Talos security research unit. Users would have noticed nothing wrong on their systems, since the entire malicious string of code was run under CCleaner's authentic digital certificate. The nature of the attack code suggests that the hacker won access to a machine used to create CCleaner, Talos researcher Craig Williams said.

CCleaner does not feature automatic updates, so if you make use of CCleaner, make sure to check your software version, and force an update through the app. Or better yet, make sure to uninstall the app and install the new, corrected version, which currently stands at 5.34.6207.

Piriform said that Avast, its new parent company, had uncovered the attacks on Sept. 12, with a new, uncompromised version of CCleaner being released the same day. A clean version of CCleaner Cloud took a little while longer to be released, seeing the light of day on Sept. 15. Talos' security Craig Williams said that the issue was detected at an early stage, when the hackers appeared to be collecting information from infected machines, rather than forcing them to install new programs.
Source: Reuters
Add your own comment

58 Comments on Piriform Hacked, CCleaner August Versions (v5.33.6162) Injected, Compromised

#51
TheDeeGee
My NOD32 alerted me this morning, and removed it while Windows was still starting programs ^^

Win32/CCleaner.A - Object: C:\Program Files\CCleaner\CCleaner.exe
Win32/CCleaner.B - Object: Werkgeheugen = CCleaner.exe

Strangely enough that's the 64-Bit Program Files folder... even though they said only 32-Bit is affected.

Also ran a scan with Immunet to be sure, nothing else found, nor anything in the registery named Agomo.
Posted on Reply
#52
rtwjunkie
PC Gaming Enthusiast
TheDeeGeeMy NOD32 alerted me this morning, and removed it while Windows was still starting programs ^^

Win32/CCleaner.A - Object: C:\Program Files\CCleaner\CCleaner.exe
Win32/CCleaner.B - Object: Werkgeheugen = CCleaner.exe

Strangely enough that's the 64-Bit Program Files folder... even though they said only 32-Bit is affected.

Also ran a scan with Immunet to be sure, nothing else found, nor anything in the registery named Agomo.
The whole thing installs into the 64 bit Program Files folder. In there you should find both executable.
Posted on Reply
#53
TheDeeGee
rtwjunkieThe whole thing installs into the 64 bit Program Files folder. In there you should find both executable.
Interesting.

That means the Auto Cleanup Feature on Startup uses the 32-Bit Exe...

That's why my NOD32 went off.
Posted on Reply
#55
remixedcat
SteevoI love the new Discover card alerts ad, they should alert everyone that Equifax is a dangerous website and has compromised their future credit due to hiring a music teacher/director for "diversity".
Best reply in here!
Posted on Reply
#56
kn00tcn
MrGenius:kookoo: :kookoo: :kookoo:
that was regarding the multiple replies in this thread insulting the equifax security person having a music background, implying they cannot manage security
Posted on Reply
#57
DeathtoGnomes
kn00tcnthat was regarding the multiple replies in this thread insulting the equifax security person having a music background, implying they cannot manage security
if the shoe fits! :rolleyes:
Posted on Reply
#58
Frick
Fishfaced Nincompoop
Were you using the infected version? Format and reinstall.
The second stage appears to use a completely different control network. The complex code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. Craig Williams, a senior technology leader and global outreach manager at Talos, said the code contains a "fileless" third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. Researchers are in the process of reverse engineering the payload to understand precisely what it does on infected networks.

"When you look at this software package, it's very well developed," Williams told Ars. "This is someone who spent a lot of money with a lot of developers perfecting it. It's clear that whoever made this has used it before and is likely going to use it again."

Stage one of the malware collected a wide assortment of information from infected computers, including a list of all installed programs, all running processes, the operating-system version, hardware information, whether the user had administrative rights, and the hostname and domain name associated with the system. Combined, the information would allow attackers not only to further infect computers belonging to a small set of targeted organizations, but it would also ensure the later-stage payload is stable and undetectable.

Now that it's known the CCleaner backdoor actively installed a payload that went undetected for more than a month, Williams renewed his advice that people who installed the 32-bit version of CCleaner 5.33.6162 or CCleaner Cloud 1.07.3191 reformat their hard drives. He said simply removing the stage-one infection is insufficient given the proof now available that the second stage can survive and remain stealthy.
The second stage seems to be targeted at things like Cisco, MS, Gmail, VMWare, Akamai and Samsung, but still. This is getting interesting.
Posted on Reply
Add your own comment
Dec 22nd, 2024 10:05 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts