Hackers hid malware in CCleaner antivirus software

Executioner
Life Member
Posts: 10133
Joined: Wed Nov 22, 2000 11:34 am
Location: Woodland, CA USA

Hackers hid malware in CCleaner antivirus software

Post by Executioner »

First, I had no idea that CCleaner is AV software??? I normally don't update my older versions. So when did they become part of AVAST?

https://www.theverge.com/2017/9/18/1632 ... yptr=yahoo
FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: Hackers hid malware in CCleaner antivirus software

Post by FlyingPenguin »

It's not AV. AVAST bought them, just like Malwarebytes bought AdwCleaner.
"Turns out I’m 'woke.' All along, I thought I was just compassionate, kind, and good at history. "

Losbot
Almighty Member
Posts: 4991
Joined: Sun Jul 13, 2014 8:59 am
Location: South Florida

Re: Hackers hid malware in CCleaner antivirus software

Post by Losbot »

LOL
FlyingPenguin
Flightless Bird
Posts: 32773
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: Hackers hid malware in CCleaner antivirus software

Post by FlyingPenguin »

Some more info:

It was only the 32bit version, and their "cloud" versions that were infected. Also note that it would not have been installed if you were logged in as a limited user (which is why I keep recommending people change to limited user accounts and add a password protected admin account that you never log in with).

You can easily check the registry to see if you are infected. It's a well known piece of Malware so Malwarebytes should detect it as well:
For a period of four weeks -- between August 15th, 2017 and September 12th, 2017 -- the downloadable file delivering the 32-bit version of CCleaner v5.33 was compromised with the "Floxif" malware, which infects Windows executables and DLLs, backdooring the machine to install additional malware.

2.27 million CCleaner users inadvertently downloaded the malware during this time.

To check for infection, open the system's Registry Editor and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo. Under this key will be two data values named MUID and TCID, which are used by the installed Floxif infection.

The malware executed only if the user was using an admin account. Users of low-privileged accounts who installed CCleaner 5.33 would not have been affected.
http://www.piriform.com/news/release-an ... dows-users

http://blog.talosintelligence.com/2017/ ... e.html?m=1
"Turns out I’m 'woke.' All along, I thought I was just compassionate, kind, and good at history. "
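The registry check described in the post above, written out as a PowerShell script so it can be run on a fleet of machines rather than by hand in Registry Editor. This is an added example, not code from the thread or from Piriform/Avast. It assumes a Windows host with PowerShell, the default CCleaner install folder under Program Files (x86), and that a 32-bit installer on 64-bit Windows may have had its registry write redirected to the WOW6432Node branch (that second path is an assumption added here; the thread only names the unredirected key).

```powershell
# Added example: look for the HKLM\SOFTWARE\Piriform\Agomo key and its
# MUID/TCID values, which the post above says the Floxif-trojanized
# CCleaner 5.33 (32-bit) build leaves behind. Read-only; changes nothing.

# Key named in the thread, plus the WOW6432Node variant in case the 32-bit
# installer's write was redirected on 64-bit Windows (assumption, see lead-in).
$CandidateKeys = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'
)
$IndicatorValues = @('MUID', 'TCID')

# Default 32-bit install location (assumption; adjust if installed elsewhere).
$CCleanerExe = Join-Path ${env:ProgramFiles(x86)} 'CCleaner\CCleaner.exe'

function Test-FloxifRegistryKey {
    param([string[]]$Keys = $CandidateKeys, [string[]]$Values = $IndicatorValues)

    $hits = foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $present = @($Values | Where-Object { $null -ne $props.$_ })
        [pscustomobject]@{
            Key         = $key
            ValuesFound = $present
            Suspicious  = ($present.Count -gt 0)
        }
    }
    return @($hits)
}

function Get-CCleanerVersion {
    param([string]$Path = $CCleanerExe)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # ProductVersion comes from the file's version resource; 5.33 is the
    # affected release per the quoted Piriform statement.
    (Get-Item -LiteralPath $Path).VersionInfo.ProductVersion
}

$keyHits = Test-FloxifRegistryKey
$version = Get-CCleanerVersion

if ($keyHits.Count -eq 0) {
    Write-Output 'No Piriform\Agomo key found: no sign of the Floxif install artifact.'
} else {
    foreach ($hit in $keyHits) {
        $state = if ($hit.Suspicious) { 'SUSPICIOUS' } else { 'key present, indicator values absent' }
        Write-Output ("{0}: {1} (values: {2})" -f $hit.Key, $state, ($hit.ValuesFound -join ', '))
    }
}

if ($null -eq $version) {
    Write-Output "CCleaner.exe not found at $CCleanerExe"
} elseif ($version -like '5.33*') {
    Write-Output "Installed CCleaner version $version matches the affected 5.33 release; verify with an AV scan."
} else {
    Write-Output "Installed CCleaner version $version is not the affected 5.33 release."
}
```

The key being present with MUID and TCID set is the indicator the post describes; an empty key on its own is worth noting but is not by itself proof of infection, which is why the script reports the two cases separately and still recommends a scan when the 5.33 build is found. Absence of the key on a machine that ran 5.33 as a limited user is consistent with the post's note that the payload only executed under an admin account.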

wvjohn
Posts: 9238
Joined: Wed Nov 22, 2000 7:09 am

Re: Hackers hid malware in CCleaner antivirus software

Post by wvjohn »

It apparently contained a second payload, which was targeted only at big$$ corporations. That in turn triggered a 3rd payload which got written only to memory and does who knows what. Sounds like the weapons grade software used against Iran. Get it in enough places and hope someone carries it through the firewall.

https://arstechnica.com/information-tec ... to-40-pcs/