Malware discovered in CCleaner put millions of users at risk

midian182


System-cleaning tool CCleaner is one of the most popular programs of its type in the world. According to Avast, which recently acquired maker Piriform, it boasts over 2 billion worldwide downloads and receives 5 million more each week. But it’s just been reported that up to 2.27 million users were put at risk from a backdoor found in a recent version of the program.

Security firm Cisco Talos warned that version 5.33 of CCleaner, which was downloadable from August 15 to September 11, had been modified to include the Floxif malware. The unaffected version 5.34 was released on September 12, but those who downloaded the tool during the weeks that version 5.33 was available may have unwittingly installed the backdoor.

Update: The exact versions that were infected were the 32-bit version of CCleaner and CCleaner Cloud 1.07.3191. The 64-bit version of CCleaner was not affected.

Floxif can gather information about an infected system and send the data back to a hacker’s server. It can also allow other forms of malware, such as ransomware and keyloggers, to make their way onto a victim's computer.

It’s unclear exactly how the person or persons responsible breached Avast’s systems, but Talos speculates it could have been "an insider with access to either the development or build environments within the organization."

Paul Yung, Piriform’s Vice President of Products, has tried to play down the attack. In a blog post today, he wrote: "The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker."

"Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm."

The company said it was working with US law enforcement agencies to discover who was behind the incident. "We apologize and are taking extra measures to ensure this does not happen again," it added.

If you haven’t already done so, you might want to download the latest 5.34 version of CCleaner here. There's also a portable version of the app that doesn't have an installer.


 
I had the compromised version on my system.

Ran MBAM and HerdProtect, system came up clean. Was using the portable version, so maybe that's why my box wasn't compromised? I guess the hackers altered the installation process to include the malware, not the CCleaner executable, as that would have been much more complicated.
 
Avast scooping up Piriform flew under my radar.
That explains why the rest of the Piriform portfolio has also gone to &^%$ relative to updates and functionality.
Recuva is junkware ...
 
Fudge... and I installed it to give it a go after one of the Techspot "essentials" posts, even when I never believed in it...
 
I thought I had an older version, but when I tried to launch it, Malwarebytes caught it. Uninstalled it, cleaned, scanned, everything clear now.
That's what happens when the big boys buy up the independents sometimes, things go to crap.
 
Go to Google and type in "ccleaner builds" (without quotes) and always use the portable version. I do because I carry it on a USB drive everywhere I go along with all my other useful tools. The portable version seemed unaffected by this malware so it must have required installation or the exe never got infected. It's also nice because there's no monitoring or automation crapware on the portable version.
 
The last version I downloaded was 5.30. I'm still running version 5.25. I don't understand why they are continually updating. I still haven't decided if Avast buying Piriform is good or bad. I'll probably be haunted by that thought for many years to come, as I continue to use their products.
 
It's annoying that someone did that (most likely an inside job from an ***** dev), but it's the best tool you can get for when you want to clean your temp files, cached files, etc.
 
Your story and others about this issue ignore the statement on Piriform's site that only the 32-bit version of 5.33 was affected. That doesn't make this a good thing, but it severely limits the number of users potentially affected by this problem.

I heartily agree that Piriform's acquisition by Avast is potentially a bad thing for CCleaner, until proven otherwise. They are likely to lay off the core developers of the product to save money, as often happens.
 
So if we get infected by 5.33 will upgrading to 5.34 clean the infection? Avast has a lot of standalone tools for specific malware and I am wondering why they didn't release a tool for this? I literally just uninstalled Avast from my PC 2 days ago too lol... how ironic.
 
From their website ...


Made by a company you trust

Piriform are global leaders in PC optimization software which is so good it's been downloaded in every country worldwide and installed more than 2 billion times.
 
Is this wrong pic used or it also affects the Android version? I don't even...
It says version 5.33 affected, that's most likely the PC version.
 
Copy pasta from other offending sites. It's not an Android app issue. That photo is sloppy, fake news.
 
Not a problem for me. I have version 5.31.6105. I've grown accustomed to patently ignoring update notices, especially those from M$. Ignoring those from Piriform was as easy as falling off a log.

I should probably change my screen name to "SystemUncompromised", but it's just too damned cumbersome.

Copy pasta from other offending sites. It's not an Android app issue. That photo is sloppy, fake news.
The photo is of a slightly earlier version, but it looks like CCleaner to me.

So is it a question of "fake news", or merely a "pompous member" problem?

Is this wrong pic used or it also affects the Android version? I don't even...
It says version 5.33 affected, that's most likely the PC version.
Is English your 3rd, 4th, or 5th language? :confused:
 
LMAO.
When you come late to the party ... you see the revised photo. Bravo.
And kudos to TS for the mod.

Originally it was of the Android App - like so many of the other so-called news feeds.
 
LMAO.
When you come late to the party ... you see the revised photo. Bravo.
And kudos to TS for the mod.
Are you suggesting you would have liked me here sooner?

FWIW, I don't think you'd have had to put up a bunch of nonsense about "fake news" to get them to change it.

Originally it was of the Android App - like so many of the other so-called news feeds.

So? Copy and paste is the way of the internet "world". I differentially compare everything I read on the web. Bad habit I suppose, but I don't start flaming about what I've found.

Even copy and paste news is valuable in most cases. Not to mention that here at Techspot we have you to look out for it for us.

What I find disturbing is that you only rarely see responses to the many varied topics in the "Weekend Tech Reading" column. I've seen some pretty darned relevant stuff in there.

Apparently, if staff doesn't grind it up and spoon feed it to you, (as you feel you're entitled), it won't be read.
 
Not going to have a philosophical back & forth with you Cranky.
Why?
Because you are cranky ... and obviously easily triggered by a simple turn of the 'crank'.
Plus you assume way too much.
Predictably.

And as far as "worth" and "entitlements" are concerned ... L M A O.
 
You're so deep, I'm jealous. Give us a kiss.
 