
CCleaner infected with backdoor trojan


kitz:

--- Quote from: j0hn on September 26, 2017, 12:36:47 PM --- Windows Defender didn't pop up and tell me till 23rd September.


--- End quote ---

It was undetected by most AVs. From what I can make out, only Morphisec first detected some sort of suspicious activity, but even they had no idea at the time what was responsible. It wasn't until the 12th of Sep that Morphisec advised CCleaner. Despite now being aware and releasing a clean version, they still kept this info from the public until the 18th. It still seemed fairly low key though, and although they say they pushed out the new versions to those on their subscription service, there has been no notification to the others. As I said earlier, I had to scout around their site to find any info. Presumably because it was so low key, no updated virus patterns were released until a few days later.

There is a timeline here released by Bleeping Computer yesterday.


--- Code: ---
July 3 ⮞ Attackers breach Piriform infrastructure.
July 19 ⮞ Avast announces it bought Piriform, company behind CCleaner.
July 31, 06:32 ⮞ Attackers install C&C server.
August 11, 07:36 ⮞ Attackers initiate data gathering procedures in preparation for August 15 when they poison the CCleaner binary, and later the CCleaner Cloud binary.
August 15 ⮞ Piriform, now part of Avast, releases CCleaner 5.33. The CCleaner 5.33.6162 version was infected with (the Floxif) malware.
August 20 and 21 ⮞ Morphisec's security product detects and stops first instances of CCleaner malicious activity, but they did not have insight into what exactly they stopped.
August 24 ⮞ Piriform releases CCleaner Cloud v1.07.3191 that also included the Floxif trojan.
September 10, 20:59 ⮞ C&C server runs out of space and stops data collection. Attackers make a backup of the original database.
September 11 ⮞ Morphisec customers share detection logs detailing CCleaner-related malicious activity with the company's engineers.
September 12, 07:56 ⮞ Attackers wipe C&C server.
September 12, 08:02 ⮞ Attackers reinstall C&C server.
September 12 ⮞ Morphisec notifies Avast and Cisco of the suspicious CCleaner activity. Avast starts its own investigation and also notifies US law enforcement. Cisco also starts its own investigation.
September 14 ⮞ Cisco notifies Avast of its own findings.
September 15 ⮞ Authorities seize C&C server.
September 15 ⮞ Avast releases CCleaner 5.34 and CCleaner Cloud 1.07.3214. These are clean versions.
September 18 ⮞ CCleaner incident becomes public following Cisco, Morphisec, and Avast/Piriform reports.
September ?? ⮞ ServerCrate provides a copy of the backup server to Avast.
--- End code ---

So basically it's been sat on millions of systems undetected for god knows how long. :(

j0hn:
CCleaner checks for an updated version when you run it.
If there's a new version and you click update it sends you to
https://www.piriform.com/ccleaner/download?upgrade
The download link then takes you to FileHippo.

However, if you remove the ?upgrade at the end of the link, it downloads direct from Piriform:
https://www.piriform.com/ccleaner/download

I always make sure I get the latest version direct from Piriform's own site. What can you do when it's infected before it's even released, though?

It was in the Windows Defender definitions for a few days before my system picked it up. I think it was only my scheduled weekly scan that picked it up.
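The point j0hn makes about the ?upgrade link is worth turning into a routine check: before trusting an "update" link, follow its redirect chain and confirm where the file actually comes from. The Python below is an added example for this thread, not code from the forum or from Piriform. It follows redirects offline against a constructed table that mirrors the behaviour described in the post (the ?upgrade link ends on a third-party mirror, the plain link stays on the vendor host); the intermediate URLs, the vendor host list and the looping example.invalid URLs are assumptions for illustration, not captured traffic.

```python
"""Follow a download link's redirect chain and report whether the final host is
the vendor's own.  Added example; the redirect table is CONSTRUCTED to mirror the
thread's description and the vendor host list is an assumption."""
from urllib.parse import urlparse, urljoin, urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: hosts we treat as first-party for this vendor.
VENDOR_HOSTS = {"www.piriform.com", "piriform.com"}

# Constructed stand-in for HTTP responses: url -> Location header value,
# or None meaning "200 OK, this is the file".  Not real server behaviour.
CONSTRUCTED_REDIRECTS = {
    "https://www.piriform.com/ccleaner/download?upgrade":
        "https://www.piriform.com/ccleaner/download/standard?upgrade",
    "https://www.piriform.com/ccleaner/download/standard?upgrade":
        "https://filehippo.com/download_ccleaner/",      # third-party mirror
    "https://filehippo.com/download_ccleaner/": None,
    "https://www.piriform.com/ccleaner/download":
        "https://www.piriform.com/ccleaner/download/standard",
    "https://www.piriform.com/ccleaner/download/standard": None,
    # Constructed redirect loop, to exercise the failure path.
    "https://example.invalid/a": "https://example.invalid/b",
    "https://example.invalid/b": "https://example.invalid/a",
}


def table_fetch(url):
    """Stand-in for an HTTP HEAD with redirects disabled: returns the Location
    header, or None when the response carries the body itself."""
    return CONSTRUCTED_REDIRECTS.get(url)


def strip_query_param(url, name):
    """Remove one query parameter (e.g. 'upgrade') and return the rebuilt URL."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != name]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def follow_redirects(url, fetch=table_fetch, max_hops=10):
    """Walk the redirect chain.  Returns (chain, final_url, error) where error
    is None on success, 'loop' if a URL repeats, or 'too_many_hops'."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        location = fetch(url)
        if location is None:                      # final response, no redirect
            return chain, url, None
        url = urljoin(url, location)              # resolve relative Locations
        if url in seen:
            return chain + [url], url, "loop"
        seen.add(url)
        chain.append(url)
    return chain, url, "too_many_hops"


def classify_download(url, fetch=table_fetch):
    """Resolve the link and say whether the file is served from a vendor host.
    Any redirect error counts as not first-party: unresolved is not trusted."""
    chain, final_url, error = follow_redirects(url, fetch)
    host = urlparse(final_url).hostname
    return {
        "chain": chain,
        "final_host": host,
        "first_party": error is None and host in VENDOR_HOSTS,
        "error": error,
    }


if __name__ == "__main__":
    upgrade_link = "https://www.piriform.com/ccleaner/download?upgrade"
    for link in (upgrade_link, strip_query_param(upgrade_link, "upgrade")):
        result = classify_download(link)
        print(link, "->", result["final_host"],
              "first-party" if result["first_party"] else "THIRD PARTY / ERROR")
```

To run this against a live link, replace table_fetch with a function that issues a HEAD request with automatic redirects turned off and returns the Location header; the chain-walking and host check stay the same. Treating any error (loop, hop limit) as "not first-party" is deliberate: a link you could not resolve is not one you should download from.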

jelv:
I saw a notification of this on 19th September. I subscribe to http://feeds.feedburner.com/piriform?format=xml

ejs:
I'm very sceptical about the necessity or even usefulness of any cleaning program. I think it makes more sense to configure your web browser to clear its history rather than getting another program to do it, if that's what you want it for. Or use private browsing mode. Beyond that, there's deleting some files which don't really need to be deleted to save a negligible amount of disk space with the claim of making your computer faster.

Chrysalis:
Another reason to not auto-update software.

leave the risk to others I say :)
