Infected CCleaner downloads from official servers
#1
https://blog.malwarebytes.com/security-w...l-servers/

Infected CCleaner downloads from official servers

Posted: September 18, 2017 by Pieter Arntz
In a supply chain attack that may be unprecedented in the number of downloads, the servers hosting CCleaner, a popular tool for cleaning up the PC, have been delivering a version of the software bundled with malware.

What happened?

Threat actors have managed to change the files that were being delivered by Avast servers hosting CCleaner updates. In case you are wondering why they were on those servers, Avast acquired Piriform, the original publishers of CCleaner, a few months ago.

The incident was discovered and reported by Talos. Piriform is aware of the situation and is acting to prevent further damage. They are also investigating how the files coming from their servers were modified before being released to the public.


Possible impact

It is difficult to say at this moment how many users might have been affected, but the numbers could be huge. According to statistics published by Piriform, CCleaner has been downloaded 2 billion times in total and is downloaded 5 million times every week. The modified version, 5.33, was available from August 15 until September 12, when version 5.34 was released. In a press statement the company estimates that 2.27 million people used the affected software.

The malware

The malware collects the following information about the infected system:

Computer name
A list of installed software, including Windows updates
A list of the currently running processes
The MAC addresses of the first three network adapters
Other system information relevant to the malware, such as whether it is running with admin privileges and whether the system is 64-bit

The malware uses a hardcoded C2 server, with a domain generation algorithm (DGA) as a fallback, to send the collected information about the affected system and to fetch the final payload.


What to do if you think you are affected?

First of all, check the version of CCleaner on your system. If you suspect you may have downloaded CCleaner version 5.33.6162 or CCleaner Cloud version 1.07.3191, scan your system for malware.

Detection and Protection

CCleaner users who are running older versions, or who do not trust the one they are using now, are encouraged to update their CCleaner software to version 5.34 or higher. The latest version is available for download from Piriform.

Affected versions: CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 (32-bit Windows builds)

Malwarebytes blocks the IP and domains related to this malware. We also remove the malicious installer.

Stay safe!


Pieter Arntz

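A host-triage helper for the "check the version of CCleaner on your system" step above, added here as an example; it is not code from the Malwarebytes article, Piriform or Avast. It takes the product name, the version string shown under the executable's Properties > Details (or `(Get-Item $path).VersionInfo.FileVersion` in PowerShell) and the executable's bytes, and reads the PE COFF header to tell a 32-bit build from a 64-bit one, since only the 32-bit binary carried the implant. The `make_stub_pe` helper builds a constructed header-only fake PE purely so the script runs offline, the version strings in the demo are illustrative, and the verdict labels are this example's own.

```python
"""Host triage for the CCleaner 5.33 supply-chain incident.

Added example, not code from the Malwarebytes article, Piriform or Avast.
Given an installed product's version string and its executable bytes, it
reports whether the host ran the trojanised build (32-bit CCleaner 5.33.6162
or CCleaner Cloud 1.07.3191), merely an outdated build, or a clean one.
"""
import struct

# Builds named in the advisory, as comparable integer tuples.
AFFECTED = {
    "CCleaner": (5, 33, 6162),
    "CCleaner Cloud": (1, 7, 3191),
}
# First clean desktop release the vendor asked users to move to.
CCLEANER_FIXED = (5, 34)

# COFF header Machine field values (PE/COFF specification).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def parse_version(text: str) -> tuple:
    """'5.33.6162' -> (5, 33, 6162); '1.07.3191' -> (1, 7, 3191).

    On Windows this string is what Explorer shows under Properties > Details,
    or (Get-Item $path).VersionInfo.FileVersion in PowerShell.
    """
    return tuple(int(part) for part in text.strip().split("."))


def pe_machine(data: bytes) -> int:
    """Return the COFF Machine field of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def triage(product: str, version: str, exe_bytes: bytes) -> str:
    """Classify one installed copy. Verdict labels are this example's own."""
    ver = parse_version(version)
    is_32bit = pe_machine(exe_bytes) == IMAGE_FILE_MACHINE_I386
    if ver == AFFECTED.get(product):
        # Only the 32-bit binary was modified; a 64-bit 5.33 install came from
        # the same tainted release, so the advisory still wants it replaced.
        return "COMPROMISED" if is_32bit else "UPDATE"
    if product == "CCleaner" and ver[:2] < CCLEANER_FIXED:
        return "OUTDATED"
    return "CLEAN"


def make_stub_pe(machine: int) -> bytes:
    """Constructed header-only PE image so the example runs offline.

    Not a real binary: an MZ stub, e_lfanew, the PE signature and a
    20-byte COFF header whose Machine field is the requested value.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Illustrative inputs only; on a real host read the file and its version.
    samples = [
        ("CCleaner", "5.33.6162", make_stub_pe(IMAGE_FILE_MACHINE_I386)),
        ("CCleaner", "5.33.6162", make_stub_pe(IMAGE_FILE_MACHINE_AMD64)),
        ("CCleaner", "5.32.6129", make_stub_pe(IMAGE_FILE_MACHINE_I386)),
        ("CCleaner", "5.34.6207", make_stub_pe(IMAGE_FILE_MACHINE_AMD64)),
        ("CCleaner Cloud", "1.07.3191", make_stub_pe(IMAGE_FILE_MACHINE_I386)),
    ]
    for product, version, exe in samples:
        print(f"{product:15} {version:10} -> {triage(product, version, exe)}")
```

The architecture check matters because a version string alone cannot distinguish the tampered 32-bit 5.33.6162 from the untouched 64-bit build shipped in the same release; the verdict for the 64-bit case is still "update", because that installer came from the same compromised distribution window.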
#2
Note: only the 32-bit version was compromised
#3
Only the 32-bit version was compromised, yes, not 64-bit.
#4
Has this software been sold recently?
#5
https://liliputing.com/2017/07/avast-buy...eaner.html
Didn't take long before it got loaded with garbage!!!! I guess that's why I don't use Avast.