starbuck Posted September 18, 2017

The app was compromised for almost a month

Piriform, the company that makes the popular CCleaner application, just announced that their application was hijacked and used to gather information about its users and send it to an unknown party.

Hackers usually prefer to penetrate insufficiently secured servers and get the data they want in that manner, but that usually means that webmasters and programmers were not doing their job. Compromising the code for an application to gather information about users’ devices before that app is distributed is on a different level.

Piriform hasn’t said anything about how their systems were penetrated or how the executable was modified before launch, but they did reveal everything that’s been going on, and it’s not a pretty sight. In fact, if you read the short description of the event, it’s even more terrifying.

“An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems,” wrote Paul Yung, VP for Products at Piriform.

What was the application doing?

It turns out that the attack was supposed to take part in two stages, but the attackers never really reached the second stage. Two versions of CCleaner were affected, 5.33.616 for the 32-bit desktop release, and 1.07.3191 for the Cloud variant. If we think about it, that was probably the intention: to leave the 64-bit version alone since it would have attracted too much attention.

As for the information collected by CCleaner and sent to an IP address, there’s not much we can do about that.

Paul Yung explained that the name of the computer, the list of installed software along with the Windows updates, the list of running processes, the MAC address of the first three adaptors, and some other information regarding processes running as administrator, were all collected, encrypted and sent away.

Avast Threat Labs helped with the investigation, but the legalities are still ongoing. The authorities have been notified, and an update has been released for all users, no matter the platform. It remains to be seen if anything more will surface in the coming days about the location of the attackers or their actual goal.

Source: http://news.softpedia.com/news/ccleaner-compromised-to-gather-and-transmit-information-about-its-users-517750.shtml

FPCH Admin allheart55 Cindy E Posted September 18, 2017

I never trusted CCleaner anyway. Although I use a couple of Piriform programs, this isn't one of them.

~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~ ~~Robert McCloskey~~

starbuck Posted September 18, 2017

Just to add that Malwarebytes blocks the IP and domains related to this malware. It also removes the malicious installer.

plodr Posted September 19, 2017

Here is the story from Avast suggesting that Piriform might have been compromised while they were in the process of buying it.

https://blog.avast.com/update-to-the-ccleaner-5.33.1612-security-incident

Note: I use a CCleaner version that is years old and run it sparingly, and I don't run Avast.

FPCH Staff Rustys Posted September 19, 2017

Here is the release they stated on the site.

http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

I have scrapped CCleaner on all my systems.

"Confucius could give answer to that... unfortunately Confucius not here at moment."

starbuck Posted September 19, 2017

The compromised version of CCleaner was released on August 15 and went undetected by any security company for four weeks, underscoring the sophistication of the attack. In our view, it was a well-prepared operation and the fact that it didn’t cause harm to users is a very good outcome,

So, undetected for 4 weeks.... a sophisticated attack .... but caused no harm to their users???? Mmmm ok if they say so.

FPCH Admin allheart55 Cindy E Posted September 19, 2017

Yeah, I'm not believing that one either. That's pretty tough to swallow.