CCleaner hacked with malware: What you need to know

More than 2 million users possibly at risk.

PCWorld (USA) - News - By Michael Simon

It seems that CCleaner, one of PCWorld's recommendations for the best free software for new PCs (go.pc…), might not have been keeping your PC so clean after all. In an in-depth probe of the popular optimization and scrubbing software, Cisco Talos (go.pc…) has discovered a malicious bit of code injected by hackers that could have affected more than 2 million users who downloaded the most recent update.

On Sept. 13, Cisco Talos found that the official download of the free versions of CCleaner 5.33 and CCleaner Cloud 1.07.3191 also contained "a malicious payload that featured a Domain Generation Algorithm as well as hardcoded Command and Control functionality." What that means is that a hacker infiltrated Avast Piriform's official build somewhere in the development or build process to plant malware designed to steal users' data.

Cisco Talos suspects that the attacker "compromised a portion of (CCleaner's) development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization." As such, customers' personal information was not at risk.

In a blog post (go.pc…) by vice president of products Paul Yung, he states that the company identified the attack on Sept. 12 and had taken the appropriate action even before Cisco Talos notified them of their discovery. Yung says the attack was limited to CCleaner and CCleaner Cloud on 32-bit Windows systems—fortunately, most modern PCs will likely be running the 64-bit version.

Yung assures customers that the threat has been resolved and the "rogue server" has been taken down. He also says Piriform has shut down the hackers' access to other servers. Additionally, the company is moving all users to the latest version of the software, which is already available on the company's website (though the release notes (go.pc…) only mention "minor bug fixes").

On September 21, Avast (go.pcworld.com/s21a) revealed that the malware was designed to deliver a second-stage payload to infected computers in specific organizations, and at least 20 machines across eight companies contacted the command and control server. "Given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds," Avast says.

Cisco Talos (go.pc…) also studied the malware's command server and reports that it was attempting to infiltrate PCs in technology organizations, including Intel, Samsung, HTC, VMware, Cisco itself, and others. You can see the full list below. Cisco Talos suspects the attackers planned to use the malware to conduct industrial espionage.

Personal users can download CCleaner 5.34 (go.pc…) from Avast's website if they haven't already done so. Previous releases are also still available on the company's website, but the infected version has been removed from the company's servers. You'll also want to perform an antivirus scan (go.pc…) on your computer. If you're affected, Cisco Talos recommends using a backup (go.pcworld.com/ruab) to restore your PC to a state prior to August 15, 2017, which is when the hacked version was released.

The impact on you at home: While personal users within the target area shouldn't see any impact from this attempted attack, it's still a scary notion. While Avast got in front of the issue and resolved it without incident, smaller companies might not be able to react so quickly. For example, earlier this year, it was found that a breach at Ukrainian software company MeDoc was responsible for the NotPetya (go.pc…) ransomware. Ransomware is becoming a troubling trend, and if hackers are able to infect update servers they can spread malware to as many machines as possible.
