CCleaner Was Compromised for a Month

monkeymagick

Nextweb reports that CCleaner 5.33.6162 and CCleaner Cloud version 1.07.3191 were hacked. Between August 15 and September 12 about 2.27 million users downloaded the infected CCleaner version with 5,000 using CCleaner Cloud.

The vulnerability allowed a two-stage backdoor to be inserted when running the CCleaner.exe. The malware was also collecting other information including the name of the computer, list of installed software and running processes, and MAC addresses of the first three network adapters.

Anyone who has downloaded that version should update immediately.

“To the best of our knowledge, the second-stage payload never activated… It was prep for something bigger, but it was stopped before the attacker got the chance.”
 
People still use CCleaner?

Now and then. Faster than windows disk clean up and way better UI (gives a lot more details too).
Haven't updated it for like a year though and I'm running the portable version so not worried about this.

But to be fair most people should definitely not bother with it.
 
But to be fair most people should definitely not bother with it.
Why would you recommend that most people should definitely not use it?

I would never recommend people use the registry cleaner feature, but even that has been fairly innocuous.

I like it better than glary utilities, especially after all the changes they made to glary around 2012-13
 
Why would you recommend that most people should definitely not use it?

I like it better than glary utilities, especially after all the changes they made to glary around 2012-13

Because on Windows 10 I have found it to be unnecessary for the average user. They usually end up deleting cache/temp files/settings etc. which does not "boost" performance or anything, in fact deleting the cache is likely to have a negative impact. I have seen that a lot.

I use it because myself I have some apps/games which like to do weird things - like creating GBs of IE temp files despite me never using IE or even Edge. Also I can add custom folders to clean up which is very useful to me.
 
People still use CCleaner?
Someone is.
For what it's worth, it has over 2 billion downloads with 5 million installs a week. And it's multilingual;)


 
I have always viewed that product AS malware. I suppose I am too old school. I've never used it, but it is certainly enlightening to see those numbers.
 
I thought CCleaner was pointless until I encountered the amazing shrinking free space issue and no amount of deleting system restore points and running disk cleanup would fix it.

Just my luck the one time I install this thing it's a vector for malware.
 
I am still on 5.32... I used to love CCleaner, mainly for the registry cleanup, but they have really moved the focus towards the paid version. This may be a good reason to simply part ways.
 
I thought CCleaner was pointless until I encountered the amazing shrinking free space issue and no amount of deleting system restore points and running disk cleanup would fix it.

Same here. I've used it for years.

Damned shame. I really like this program for convenience. I particularly like to use it after I install a program to do the registry clean up.

I've uninstalled it for now and ran a bunch of scans all over my machine. Mercifully clean. I'll be kind of at a loss without this.
 
I thought CCleaner was pointless until I encountered the amazing shrinking free space issue and no amount of deleting system restore points and running disk cleanup would fix it.

Just my luck the one time I install this thing it's a vector for malware.
If you're on a version prior to W10 I would look up shadow copy. That was where all my space was going. By default it uses up to 20% of your total drive space, so you should set it lower. I think I set mine to a fixed amount of 15GB, since system restore relied on it.
 
Same here. I've used it for years.

Damned shame. I really like this program for convenience. I particularly like to use it after I install a program to do the registry clean up.

I've uninstalled it for now and ran a bunch of scans all over my machine. Mercifully clean. I'll be kind of at a loss without this.
No need to drop the program. You don't drop microsoft windows every month when zero day holes get patched or a windows update borks your system.
 
Those MD5 checksums listed along with downloads that we all keep ignoring?

Maybe, just maybe, we shouldn't :p
 
No need to drop the program. You don't drop microsoft windows every month when zero day holes get patched or a windows update borks your system.


Exactly. It's horrific that something like this slipped through, but it has been caught and fixed now, and it seems less likely that the same software would be hit twice, as they are probably more vigilant from the experience.

This whole thing does highlight the problem associated with trusted software being compromised and used as an attack vector.

This is apparently particularly common with cellphone apps and browser plugins.

Nefarious actors buy out old previously trusted plugins from the original developers who no longer have time to maintain them, and issue an update to include adware, spyware or worse...
 
Strange because last I heard Avast bought them so they should know better?

Second, I just installed the latest version and sure enough MWB flagged the trojan and put it in quarantine like it's supposed to, good deal.

I run it once in a while, usually when I uninstall something so it cleans up all the files left behind.

So I do a search, I have 5.34 and the infected version was 5.33 thus the latest version also appears to have some trojan then?
 
The question though is the hack limited to just CCleaner or also AVAST who bought it? I haven't used CCleaner in a very long time (I actually had it installed v3.17 lol) so I am sure I am not affected, but I still have Avast installed and it is updated regularly. The article seems to indicate a problem during the development chain being compromised so it concerns me that Avast's development chain could be compromised also.

From this article:
The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Ideally this certificate should be revoked and untrusted moving forward. When generating a new cert care must be taken to ensure attackers have no foothold within the environment with which to compromise the new certificate. Only the incident response process can provide details regarding the scope of this issue and how to best address it.
It's probably not the case, but I'd definitely feel better if they did a security audit of the whole AVAST company.
 
I have always viewed that product AS malware. I suppose I am too old school. I've never used it, but it is certainly enlightening to see those numbers.

What version of DOS are you running? The company has been around for over 10 years and is my go-to when cleaning up systems. I run CC first then other tools on an infected computer so the scanners aren't wasting time reporting "cookies". I hate the phrase "I am too old school" when used in IT, it's a lame excuse for not keeping up. I hope you're not in the field.

<vent>Technology is about moving forward not being stuck in the past like our Network engineer who hates to update anything because he's afraid it might break </vent>. There is a big difference between being cautious and being fearful.

PS I have 20 years in the field from being a cable/network installer, tech to a sys admin.
 
it's still a great program.

people knocking it for one little problem probably the same people who install Origin or worse UPlay.
 
People still use CCleaner?
I usually go into a seizure when someone with no IT experience mentions they're using a tool like that. Much like with codec packs back in the day. If you know what you're doing you usually don't need them. If you don't then you can try them, to either accidentally fix your problem, or screw everything up even worse.
 
I usually go into a seizure when someone with no IT experience mentions they're using a tool like that. Much like with codec packs back in the day. If you know what you're doing you usually don't need them. If you don't then you can try them, to either accidentally fix your problem, or screw everything up even worse.

No IT experience = seizure / so someone with 20 years in IT with MCSE, A+, DELL, HP certs uses tool would = coma? I like the tool, but it's a shame that their code was compromised. A tool is a device that makes your job easier. With your logic, it's better to use a rock than a hammer to drive in a nail.

Edit: yes, I am white knighting this.
 
Use it every day. It's still the easiest way to knock out all temp files and clean out registry garbage AFTER cleaning up adware/malware/trojans.

Plus, it does kill a lot of temp files. It's amazing even on windows 8 or 10 how many people end up with a temp file disaster from online behavior. Removed 10GB from one machine last week and 40GB from another.

It also will quickly clear out all previous system restore points, which I like to do after cleanup before I make a new one when it's clean.

Why try to do all that manually when you can quickly click down a list of task buttons in one easy program? Just like Tweaking.com. Work smarter not harder.
 
I've been using it for years because I don't want to remove orphaned reg entries manually. Who enjoys that? If you're on WIN10, it also has the option to uninstall those pesky Win Store apps that MS forces on you and cannot be easily uninstalled.
 
I recently used this for the first time in years to try and fix an issue I had. Does uninstalling remove the threat or does it leave a payload behind?


I've been using it for years because I don't want to remove orphaned reg entries manually. Who enjoys that? If you're on WIN10, it also has the option to uninstall those pesky Win Store apps that MS forces on you and cannot be easily uninstalled.

Ha, just wait for what's coming from the insider preview branch. They fixed the being able to uninstall the bloatware bug. They simply reinstall on reboot.
 
Shame that this happened, won't prevent me from using the tool in the future though. Great program to easily batch-delete temp files and scan for registry junk.
 
I've been using it off and on since it was originally crap cleaner. For anyone who doesn't know, that was the original name. Until it was bought out, then changed to ccleaner. I've never had an issue with it. I did not download it during this time though.
 
So, were the malware authors copying Microsoft, or did Microsoft infect CCleaner?
That's almost a Zen-level question considering how Windows 10 is spyware. What is the sound of one hand clapping for IT people?
 
Damn, that must have been an expensive backdoor for some three letter agency.

Good thing I haven't updated CCleaner in a few months. But it's now uninstalled... and will probably stay that way.
 