Popular software CCleaner infected with backdoor

Discussion in 'Frontpage news' started by Hilbert Hagedoorn, Sep 18, 2017.

  1. Chillin

    Chillin Ancient Guru

    Is it so hard to source?

    • We recently determined that older versions of our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been compromised. We estimate that 2.27 million people used the affected software. We resolved this quickly and believe no harm was done to any of our users. This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download. We apologize and are taking extra measures to ensure this does not happen again.

      Issue Summary: Our new parent company, the security company Avast, determined on the 12th of September that the 32-bit version of our CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner. Piriform CCleaner v5.33.6162 was released on the 15th of August, and a regularly scheduled update to CCleaner, without compromised code, was released on the 12th of September. CCleaner Cloud v1.07.3191 was released on the 24th of August, and updated with a version without compromised code on September 15. The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server. Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done. It would have been an impediment to the law enforcement agency’s investigation to have gone public with this before the server was disabled and we completed our initial assessment. Between the 12th and the 15th, we took immediate action to make sure that our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 users were safe - we worked with download sites to remove CCleaner v5.33.6162, we pushed out a notification to update CCleaner users from v5.33.6162 to v5.34, we automatically updated those where it was possible to do so, and we automatically updated CCleaner Cloud users from v1.07.3191 to 1.07.3214.

      We are continuing to investigate how this compromise happened, who did it, and why. We are working with US law enforcement in their investigation. A more technical description of the issue is on our Piriform blog at: www.piriform.com/news/blog. Again, we sincerely apologize for this and are committed to making sure nothing similar happens again. We encourage any user of the 32-bit version of CCleaner v5.33.6162 to download the latest version of Piriform CCleaner found here: www.piriform.com/ccleaner/download/standard.

     
    Robbo9999 likes this.
  2. Should be periodically checking your network traffic anyways to have an idea of what your baseline is, so that way it is easy to spot funky activity of any kind. A good firewall and a packet sniffer are really all it takes. geez.....people freakin out about it like this doesn't happen twice a week.
     
  3. KissSh0t

    KissSh0t Ancient Guru

    Interesting, I've always blocked ccleaner from having access to the internet on having a hunch it would be used to collect data.
     
  4. vbetts

    vbetts Don Vincenzo Staff Member

    Well, this is kind of ironic.
     

  5. SoloCreep

    SoloCreep Master Guru

    I used this app for years up until 2 years ago when it hosed my Windows Installation. Ran it with default settings and could not reboot back into Windows. I will never use it again. Besides, these cleaners are mostly bs and won't do magic. Browsers and Windows built in cleaner functions are just fine.
     
    pimpineasy likes this.
  6. RedSquirrel

    RedSquirrel Active Member

    Unpleasant, found the infected file, but as I and most people don't run 32bit windows, and that it hadn't been observed to deploy anything, we seem to have dodged a bullet. Last time I got infected was a driver download from Razer's website the copperhead mouse, now that was a scorched earth scenario....And so is this, just to be sure /reinstalls windows
     
  7. JaxMacFL

    JaxMacFL Ancient Guru

    If you think your identity was compromised contact Equifax....er, never mind.
     
  8. Thunk_It

    Thunk_It Master Guru

    Thank you Hilbert for posting this article.
     
  9. tsunami231

    tsunami231 Ancient Guru

    Using it to just clean out temp/history/etc. stuff won't do that; the registry cleaner could, but I've never seen it do that. Default settings out of the box don't even clean a lot of the places the temp files go either. Using this strictly for that won't kill an install unless something was in the temp stuff in the first place.
     
  10. KissSh0t

    KissSh0t Ancient Guru

    Sigh..... now CCleaner is owned by Avast Software, a subsidiary of AVG Technologies...... AVG of course taking over Tuneup Utilities a while back and then murdered it, the carcass now being called PC Tuneup.

    Sigh... just sigh..
     

  11. Neo Cyrus

    Neo Cyrus Ancient Guru

    I have an August version installed and starting it immediately recommends an update. Would that have taken care of it? I just uninstalled it and I'm scanning now.
     
    Last edited: Sep 19, 2017
  12. KissSh0t

    KissSh0t Ancient Guru

    It's only the 32bit version affected, current newest version is CCleaner v5.34.
     
  13. Neo Cyrus

    Neo Cyrus Ancient Guru

    Thanks I missed that in the thread. But how do I even know which version I had? The installer on the website doesn't specify. Was it automatic?
     
  14. KissSh0t

    KissSh0t Ancient Guru

    You can see the build version from within CCleaner, and you can check the build version by checking the properties of the installer.


    I'm using an older version now though after learning about who purchased CCleaner.... xD
     
  15. JonasBeckman

    JonasBeckman Ancient Guru

    I like using it for cleaning out some of the temporary files on occasion but it doesn't really do all that much and the in-built Windows clean up utility can manage most of the larger clean ups already although CCleaner does support a number of third party programs.
    Still it's mostly log files found in a few key folders in addition to some extensions such as .tmp files though it's odd how it could damage a Windows installation but I guess these rapid Windows 10 updates might be part of why until CCleaner fully supports whatever Microsoft changed again, there's the registry cleaning function too which perhaps could cause some issues as well but even that mostly just removes unused minor references and such although there's no real reason to clean out the registry in the first place.
    (Far as I know at least there's no benefits to it and it could be risky if something does go wrong although you are offered to create a backup with the default CCleaner settings before whatever it detected or flagged is deleted.)

    At least it's on a monthly update schedule though it has drawbacks such as being split between a free and a pro version and the program is adware supported too for one week which after that point a light edition is made available as a separate download with said adware stripped out, some of the auto update settings were a bit flaky a few versions back too though it seems the program is working pretty well these days although this is quite a mess up, wonder how it could have happened?
    (Before reading the article I had assumed the bundled adware had gone really bad for that previous version of CCleaner but it seems it was something in the software itself.)
     

  16. RzrTrek

    RzrTrek Ancient Guru

    From now on I will refrain from using CCleaner and only install the most essential programs.
     
  17. Neo Cyrus

    Neo Cyrus Ancient Guru

    Thanks but I mean I had already uninstalled it so I can't check the program itself.
     
  18. AsiJu

    AsiJu Ancient Guru

    Of course not but being bloatware readily it's more likely to get something infected along side.
     
  19. TheDeeGee

    TheDeeGee Ancient Guru

    My NOD32 alerted me this morning, and removed it while Windows was still starting programs ^^

    Win32/CCleaner.A - Object: C:\Program Files\CCleaner\CCleaner.exe
    Win32/CCleaner.B - Object: Werkgeheugen = CCleaner.exe

    Strangely enough that's the 64-Bit Program Files folder... even though they said only 32-Bit is affected.

    Also ran a scan with Immunet to be sure, nothing else found, nor anything in the registry named Agomo.
     
    Last edited: Sep 19, 2017
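
Added example, not part of any post in this thread: the version and 32-bit/64-bit questions raised in the posts above can be answered from the executable or installer file itself rather than from the folder it sits in. This Python sketch reads the PE header's machine field and the VS_FIXEDFILEINFO version block, then compares them with the affected versions in the Piriform statement quoted earlier; the function names, the constructed sample bytes, and the assumption that the build number is the last field of the file version are assumptions of this example.

```python
import struct

# Affected releases named in the Piriform statement quoted in this thread.
AFFECTED = {"CCleaner": (5, 33, 6162), "CCleaner Cloud": (1, 7, 3191)}
MACHINES = {0x014C: "32-bit (x86)", 0x8664: "64-bit (x64)"}
FIXEDFILEINFO_SIG = struct.pack("<I", 0xFEEF04BD)  # VS_FIXEDFILEINFO.dwSignature

def pe_machine(data: bytes) -> str:
    """Return the bitness recorded in the PE file header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return MACHINES.get(machine, f"unknown (0x{machine:04x})")

def file_version(data: bytes):
    """Heuristic: first VS_FIXEDFILEINFO found, as (major, minor, patch, build)."""
    pos = data.find(FIXEDFILEINFO_SIG)
    if pos < 0 or pos + 16 > len(data):
        return None
    ms, ls = struct.unpack_from("<II", data, pos + 8)  # dwFileVersionMS / LS
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def is_affected(data: bytes, product: str = "CCleaner") -> bool:
    """True only for a 32-bit binary whose version matches the statement."""
    ver = file_version(data)
    if ver is None or pe_machine(data) != MACHINES[0x014C]:
        return False
    major, minor, build = AFFECTED[product]
    # Assumption: the build number (e.g. 6162) is the last file-version field.
    return (ver[0], ver[1], ver[3]) == (major, minor, build)

def sample_pe(machine: int, version: tuple) -> bytes:
    """Constructed stand-in for a real binary: only the fields parsed above."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<H", machine) + bytes(18)
    ms = (version[0] << 16) | version[1]
    ls = (version[2] << 16) | version[3]
    fixed = FIXEDFILEINFO_SIG + struct.pack("<III", 0x00010000, ms, ls)
    return dos + coff + bytes(32) + fixed

if __name__ == "__main__":
    # Constructed samples; for a real file use open(path, "rb").read().
    for m, v in [(0x014C, (5, 33, 0, 6162)), (0x8664, (5, 33, 0, 6162))]:
        blob = sample_pe(m, v)
        print(pe_machine(blob), file_version(blob), is_affected(blob))
```

A match only says the file is the affected build; a non-match on a machine that previously ran that build does not show the machine is clean.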
  20. fantaskarsef

    fantaskarsef Ancient Guru

    Makes me wonder why my systems run fine without needing to use such a cleaner for years now.
    I am surprised that so many people knowing their stuff are actually using programs like these.
     
    bigfutus likes this.
