Security Issue With CCleaner

Piriform’s CCleaner is a popular computer cleaning and optimizing product that many people use.  I have my doubts about the real effectiveness of these utilities, but many of my clients swear by it.  I have used CCleaner myself several times as one of the tools I used to clean up a malware infection.

Recently, the CCleaner software code was modified  to include a malicious backdoor.  This warning was published earlier in one of my Weekend Updates, but due to the popularity of this product, warranted a longer article.  This affected CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191.  The software was illegally modified before it was released.  The company has initiated an investigation which is ongoing at this time.  They have also pushed an update to owners of the affected products.  If you have not updated your copy, do it now.

The code modification created a backdoor that was capable of running code downloaded from a server at a remote location on the Internet.  Once installed, the malicious code would collect the following information about the local system:

  • Name of the computer
  • List of installed software, including Windows updates
  • List of running processes
  • MAC addresses of first three network adapters
  • Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.

Presumably, this data collection was the first stage in a more involved attack.  Piriform says in their blog that they have identified and either taken down or disabled the servers that were responsible for distributing the altered product.

The information provided on the company blog does not indicate whether the distribution servers were company owned download sites, or third party download sites.  But one way to protect yourself for downloading altered software products is to stick with the official company download web sites.  Sites such as Major Geeks and Download.com have been on my radar for years because of their habit of pushing additional unwanted crapware on unsuspecting computer users.  Now it seems that third party sites may be trafficking in software containing malicious alterations, as well.

More information:

 

0

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instruction for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.