Here's why you can't trust CCleaner anymore, and what to replace it with.

Why Is CCleaner No Longer Safe?

CCleaner, once a tidy app with no history of issues, has had several major problems in less than a year. This is unfortunately not surprising after Avast purchased CCleaner developer Piriform in July 2017. In our opinion, it isn't time to trust CCleaner.

The latest CCleaner controversy comes from ignoring user preferences about checking for updates. A user on Piriform's forums noticed that CCleaner had automatically updated on his system without his permission. As it turned out, that's exactly what happened.

A Piriform staff member responded with the following:

"Since the release of v5.46 we have updated some users to this version to meet legal requirements and give users more autonomy and transparency over their privacy settings."

It's a bit ironic to claim that going into a user's system without their permission and making changes is a move based on privacy and transparency. This is especially the case when that latest version of CCleaner has data collection options enabled by default (see the section below).

Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to reports published by Morphisec and Cisco Talos.

Floxif is a malware downloader that gathers information about infected systems and sends it back to its C&C server.

The malware collected information such as the computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part.

The malware also had the ability to download and run other binaries, but at the time of writing, there is no evidence that Floxif downloaded additional second-stage payloads on infected hosts.

Researchers noted that the malware only ran on 32-bit systems. The malware also quit execution if the user was not using an administrator account.

Threat actor compromised CCleaner infrastructure

Cisco Talos security researchers detected the tainted CCleaner app last week while performing beta testing of a new exploit detection technology. About the same time, Morphisec reports receiving suspicious logs from several customers who installed the tainted apps, and immediately reached out to Avast.

Both research teams identified a version of CCleaner 5.33 making calls to suspicious domains. While initially this looked like another case where a user downloaded a fake, malicious CCleaner app, they later discovered that the CCleaner installer was downloaded from the official website and was signed using a valid digital certificate.

Cisco Talos believes that a threat actor might have compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan.

It is unclear if this threat actor breached Avast's systems without the company's knowledge, or whether the malicious code was added by "an insider with access to either the development or build environments within the organization."

Clean CCleaner versions released

Avast bought Piriform - CCleaner's original developer - in July this year, a month before CCleaner 5.33 was released.

Piriform acknowledged the incident in a blog post today. The company said they found the malware in CCleaner version and CCleaner Cloud version.

On September 13, Piriform released CCleaner 5.34 and pushed an update (v) to CCleaner Cloud users; neither contains the malicious code.

Updating to recent versions removes malware

In an email to Bleeping Computer, Avast CTO Ondrej Vlcek said that updating CCleaner to the most recent versions fixes any issues, as "the only malware to remove is the one embedded in the CCleaner binary itself."

"The affected software (CCleaner v and CCleaner Cloud v) has been installed on 2.27M machines from its inception up until now," Vlcek also added. "We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm."

"There is no indication or evidence that any additional "malware" has been delivered through the backdoor," Vlcek added.

Technical details about the Floxif malware's mode of operation, infection process, and indicators of compromise are available in a Cisco Talos report here, and a Morphisec report here.

Article updated with link to Piriform blog post.

Updated article for a second time with response from Avast CTO.
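The Floxif description above gives a defender three facts to triage on: the tainted build is CCleaner 5.33, the first clean release is 5.34, and the payload only ran from an administrator account on 32-bit Windows. The script below turns those facts into an inventory triage; it is an added example, not code from the article, Piriform or Avast, and the inventory field names, host names and build numbers are constructed placeholders (the page does not give the full affected build numbers).

```python
"""Triage a software-inventory export for the tainted CCleaner 5.33 build.
Added example; field names, hosts and build numbers are constructed."""
from dataclasses import dataclass

AFFECTED = (5, 33)      # CCleaner 5.33 carried Floxif (Aug 15 to Sep 12)
FIRST_CLEAN = (5, 34)   # Piriform's clean release of September 13


def parse_version(text: str) -> tuple:
    """'5.33.1000' -> (5, 33, 1000); non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))


@dataclass
class Host:
    name: str
    product: str
    version: str
    arch: str           # "x86" or "x64" as reported by the inventory agent
    run_as_admin: bool  # CCleaner was launched from an administrator account


def triage(host: Host) -> str:
    """Classify one inventory row into a triage bucket."""
    if host.product == "CCleaner Cloud":
        # the article gives no build number for the tainted Cloud client,
        # so every Cloud install goes to a manual version check
        return "cloud-manual-check"
    if host.product != "CCleaner":
        return "not-applicable"
    v = parse_version(host.version)
    if v[:2] >= FIRST_CLEAN:
        return "clean"
    if v[:2] != AFFECTED:
        return "pre-5.33-update-advised"
    # tainted build present; Floxif only ran as admin on 32-bit systems
    if host.arch == "x86" and host.run_as_admin:
        return "tainted-payload-ran"       # host fingerprint was collected
    return "tainted-payload-did-not-run"   # still update to 5.34 or later


def triage_inventory(rows):
    return {h.name: triage(h) for h in rows}


SAMPLE = [  # constructed inventory rows
    Host("ws01", "CCleaner", "5.33.1000", "x86", True),
    Host("ws02", "CCleaner", "5.33.1000", "x64", True),
    Host("ws03", "CCleaner", "5.34.2000", "x86", True),
    Host("ws04", "CCleaner", "5.32.900", "x86", False),
    Host("ws05", "CCleaner Cloud", "1.0.1", "x86", True),
    Host("ws06", "7-Zip", "16.04", "x64", False),
]

if __name__ == "__main__":
    for name, bucket in triage_inventory(SAMPLE).items():
        print(f"{name}: {bucket}")
```

Hosts in the "tainted-payload-ran" bucket are the ones whose computer name, software list, process list and MAC addresses were sent to the C&C server and deserve incident-response follow-up; the other buckets only need the update to 5.34 or later.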