Warning CCleaner Compromised With Malware

CCleaner the evidence elimination tool that I recommend on The Complete Cyber Security Course has been compromised and Malware added to it. The effected Version is 5.33 of the CCleaner app offered for download between August 15 and September 12 2017.

Updating to the most recent versions removes the malware.

For more details check out the links.

​Good Summary Article
https://www.bleepingcomputer.com/news/security/ccleaner-compromised-to-distribute-malware-for-almost-a-month/

Technical Details
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

Using the supply chain as an attack vector is a known threat that we need to be aware of. We discuss more on this on my courses when we discuss mitigations such as the zero trust model and in lectures on software trust and back-doors.

CATEGORIES
  • Fred S says:

    Thanks for heads up. I checked which version I currently have installed and am up to date. Wouldn’t have known otherwise. Thanks again.

    Fred S.

  • Arthur says:

    wow. ccleaner is my favorite windows app. avast bought ccleaner? avast forums were compromised a few years back, and my data was leaked to God knows who. looks like avast cant be trusted.

    • Nathan House says:

      Crap isn’t it!

      • Stan says:

        Yes, that’s crap, and for me a reason to refrain from using CCCleaner for a while.

        Who knows, if this pretty sophisticated attack hasn’t let “the bad guys” waaaaaaay deeper into their systems than is currently thought to be the case?

        I’m not taking that risk.

        • Nathan House says:

          We can only go on Cisco analysis that it was relatively benign. We will see much more of this with other apps as it’s a great attack vector for hackers to malware popular apps. Governments will be all over malware patching apps too!

  • jules says:

    Cheers Nathan,

    I didn’t realise they were bought out!!

    Thanks for the info.

  • Michael Flores says:

    One practice that I’ve continued to use when I install a program to disinfect or rejuvenate a computer, is uninstall the program afterwards. This followed my “if it wasn’t there before, don’t keep it on” rule. Usually these programs aren’t needed if routine maintenance is done and if someone wanted to keep a program running on their computer to do automated maintenance but on a schedule, I would always consider a high quality paid program.

    Just show’s that even though something is free, with all good intentions, may not be good…

    Thanks for the update,

    Mike

  • Nick says:

    Just to be sure, I did reinstall a new windows 10 yesterday, because I did’t know about this link then. I do this every half a year or so.

    By the way does anybody know a good ( free ) back up program?

  • Bryan Jones says:

    Symantec flagged and quarantined it, but I thought this was a mistake and released it. Have I just trashed my machine?
    Will updating remove/fix?
    Thanks
    Bryan

  • Malcolm says:

    I have used CCleaner on five machines at work and this evening discovered all five were infected. I used Malwarebytes to quarantine the malware and then once destroyed, removed CCleaner. Ran malwarebytes again, twice, after a reboot.

    So now what? Replace usernames and emails for all users? The walls have been breached, how do I rebuild them?

    • Nathan House says:

      That’s your call based on your level of risk tolerance. I would read more about what the malware does. In theory updating CCleaner removes the malware and thats all thats needed. If you’re really concerned you might rebuild the machines but thats going to take sometime if you don’t have a fast solution.

  • Stephen Swan says:

    Thanks for the heads up.

    To be honest I have never used this app, the amount of system’s I have had to deal with over the years with Malware that so happened to have this installed has put me off ever using it.

    The association of the malware and CCleaner maybe unjust as it’s not always the case, that said I all ways advise to do these things yourself manually (If you know how to).

    Yes I agree these sort of tools will speed the process up, but you reduce the risk by not using them.

    The issue I find with these tools are, once you start taking shortcuts, it becomes addictive and users tend to find other software that do the same or appear to be better. Once they start doing that, they blindly download malware without realising it, just to shave a few minutes of there time.

    P.S. This isn’t a dig at admin’s more so the common user who don’t know what they are doing. That’s why inside threats are such a large issue, as the common user has no respect for the system just there work.

  • Brandon says:

    Just started looking at your blog, I’ve used CCleaner in the past (circa 2005ish) but mostly do my own house cleaning and overwrites as I use VM’s mostly and just wipe them and use a clean snapshot. Now I want to research this, was this implanted prior to their MD or SHA hash? Everyone tells me I live in a crazy overly encrypted and around about routed way online and with my machines but I’m that guy that hashes almost all of my downloads. Do you know if this was hash detectable or did piriform even publish them after compiling. Guess that’s my next stop to see what their download directory has. Thanks for blog I’ll keep up to date with it, maybe start posting it to my google classroom feed since I just moved into teaching Cybersecurity at the high school level. They have no clue about security at all, convenience over security. Sad days…

    • Nathan House says:

      I believe the digital signature of the download was valid but after ccleaner was installed it asked to install/download something else and that was the malware. It was this second download that there was no hash or digital signature for. So they were a little bit more clever than just having a none verifiable download.

  • Alishia says:

    CCleaner is cleanup software and it fell victim to code insertion therefore remove the program immediately and install a scanner to ensure that any malicious software is safely eliminated.

  • >