If you installed the free version of CCleaner after Aug. 15, a couple of nasty programs came along for the ride. Talos Intelligence, a division of Cisco, just published a damning account of malware that it found hiding in the installer for CCleaner 5.33, the version that was released on Aug. 15 and which, according to Talos, was still the primary download on the official CCleaner page on Sept. 11.
After notifying Piriform, CCleaner was, ahem, cleaned up and version 5.34 appeared on Sept. 12.
I just checked, and the current version available from Piriform is version 5.34. (Piriform was bought by antivirus giant Avast in July.)
Edmund Brumaghin, Ross Gibb, Warren Mercer, Matthew Molyett, and Craig Williams at Talos report:
Talos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner…
Even though the downloaded installation executable was signed using a valid digital signature issued to Piriform, CCleaner was not the only application that came with the download. During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality.
The details are complex, but the upshot clear: Somebody managed to tack a malware package onto the legitimate distribution file for CCleaner. If you install CCleaner 5.33, your machine hooks into a bot network.
Talos published very convincing logs of attempts by infected machines to hook into the bot Command sites. The primary infection Command server has been taken offline, as has a secondary server.
According to Talos, the Virus Total regimen for checking antivirus products against a submitted sample only turned up one AV package that correctly identifies this infection, “Win.Trojan.Floxif-6336251-0.”
Antivirus packages will likely increase their detections in the next few hours, but it’s still concerting.
According to Reuters, Avast estimates that “2.27 million users had downloaded the August version of CCleaner.” It isn’t clear from the report if that’s the total number of downloads for CCleaner 5.33. Reuters goes on to quote Avast as saying the C2 server was closed down on Sept. 15, “before any known harm was done.”
Avast CTO Ondrej Vlcek said that updating CCleaner to the most recent recent versions fixes any issues, as “the only malware to remove is the one embedded in the CCleaner binary itself”…
Security researchers are now investigating other malware campaigns that appear to have been carried out from Avast’s infrastructur, including a Locky ransomware distribution campaign.
We’ll be following up on AskWoody.com, as soon as the site comes back. Oy.