Jump to content
Usr6

CCleaner Hacked to Distribute Malware

Recommended Posts

If you have downloaded or updated CCleaner application on your computer between August 15 and September 12 of this year from its official website, then pay attention—your computer has been compromised.

CCleaner is a popular application with over 2 billion downloads, created by Piriform and recently acquired by Avast, that allows users to clean up their system to optimize and enhance performance.

Security researchers from Cisco Talos discovered that the download servers used by Avast to let users download the application were compromised by some unknown hackers, who replaced the original version of the software with the malicious one and distributed it to millions of users for around a month.

This incident is yet another example of supply chain attack. Earlier this year, update servers of a Ukrainian company called MeDoc were also compromised in the same way to distribute the Petya ransomware, which wreaked havoc worldwide.

Avast and Piriform have both confirmed that the Windows 32-bit version of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were affected by the malware.

Detected on 13 September, the malicious version of CCleaner contains a multi-stage malware payload that steals data from infected computers and sends it to attacker's remote command-and-control servers.

Moreover, the unknown hackers signed the malicious installation executable (v5.33) using a valid digital signature issued to Piriform by Symantec and used Domain Generation Algorithm (DGA), so that if attackers' server went down, the DGA could generate new domains to receive and send stolen information.
"All of the collected information was encrypted and encoded by base64 with a custom alphabet," says Paul Yung, V.P. of Products at Piriform. "The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via a HTTPS POST request."
The malicious software was programmed to collect a large number of user data, including:
 
  • Computer name
  • List of installed software, including Windows updates
  • List of all running processes
  • IP and MAC addresses
  • Additional information like whether the process is running with admin privileges and whether it is a 64-bit system.

According to the Talos researchers, around 5 million people download CCleaner (or Crap Cleaner) each week, which indicates that more than 20 Million people could have been infected with the malicious version the app.
 
"The impact of this attack could be severe given the extremely high number of systems possibly affected. CCleaner claims to have over 2 billion downloads worldwide as of November 2016 and is reportedly adding new users at a rate of 5 million a week," Talos said.

However, Piriform estimated that up to 3 percent of its users (up to 2.27 million people) were affected by the malicious installation.

Affected users are strongly recommended to update their CCleaner software to version 5.34 or higher, in order to protect their computers from being compromised. The latest version is available for download here.

 

Sursa: http://thehackernews.com/2017/09/ccleaner-hacked-malware.html

  • Upvote 1
Link to comment
Share on other sites

Am actualizat la 5.34 acum, insa daca citeam si eu mai atent, vedeam ca versiunea afectata este pe 32 de biti, iar eu folosesc pe 64. M-am uitat in Process Explorer, am verificat semnatura programelor si scan pe VirusTotal.com, mai ales ca nu folosesc anti-virus de ani buni. Am instalat si MBAM si am dat un scan rapid. Nimic.

 

CCleaner a inceput sa se duca la vale si e pacat sa se intample asta, mai ales ca e un programel foarte util. Anul asta, a fost prima data cand a trebuit sa apelez la suportul lor, sa rezolve un bug care-l facea sa ruleze intr-o bucla infinita, neterminand niciodata de curatat, pe Windows 8.1. L-am rulat in debug mode si le-am trimis fisierul log, sa vada ce-i cu el.

Link to comment
Share on other sites

Un alt programel bun pentru asa ceva, gratuit, era inainte COMODO System-Cleaner. Am folosit versiunile 3 si 4, iar din anumite puncte de vedere, isi facea treaba mai bine decat CCleaner fara Winapp2.ini. Dupa, l-au scos de pe site, ca mai apoi sa-l adauge cu plata (parca). Nu mai stiu care e acum treaba cu el, dar puteti sa verificati.

Link to comment
Share on other sites

34 minutes ago, alexu said:

Un alt programel bun pentru asa ceva, gratuit, era inainte COMODO System-Cleaner. Am folosit versiunile 3 si 4, iar din anumite puncte de vedere, isi facea treaba mai bine decat CCleaner fara Winapp2.ini. Dupa, l-au scos de pe site, ca mai apoi sa-l adauge cu plata (parca). Nu mai stiu care e acum treaba cu el, dar puteti sa verificati.

Probabil ca e asta acum? https://system-utilities.comodo.com/

Link to comment
Share on other sites

Ce sa mai zicem de cei de la Equifax http://bgr.com/2017/09/08/equifax-hack-lawsuit-class-action-how-to-join/

 

"Equifax has said that around 143 million customers may have had data stolen as a result of the hack. Details taken include names, addresses, dates of birth, social security numbers, and in some cases credit cards and driver’s licenses.

The case has been filed by Olsen Daines PC along with Geragos & Geragos, a firm founded by celebrity lawyer Mark Geragos that now specializes in class-action suits. Ben Meiselas, an attorney at Geragos, said that they’ll be seeking up to $70 billion in damages, which would be the largest class-action suit in US history, according to the firm."

Link to comment
Share on other sites

Nu ca nu era imputita, dar se impute si mai tare... http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

 

Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that the files were very likely genuine based upon the web server configuration files and the fact that our research activity was reflected in the contents of the MySQL database included in the archived files.

In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.

  • Upvote 1
Link to comment
Share on other sites

On 9/19/2017 at 8:58 AM, gaddafi said:

Ce sa mai zicem de cei de la Equifax http://bgr.com/2017/09/08/equifax-hack-lawsuit-class-action-how-to-join/

 

"Equifax has said that around 143 million customers may have had data stolen as a result of the hack. Details taken include names, addresses, dates of birth, social security numbers, and in some cases credit cards and driver’s licenses.

The case has been filed by Olsen Daines PC along with Geragos & Geragos, a firm founded by celebrity lawyer Mark Geragos that now specializes in class-action suits. Ben Meiselas, an attorney at Geragos, said that they’ll be seeking up to $70 billion in damages, which would be the largest class-action suit in US history, according to the firm."

 

lol - http://www.bbc.co.uk/news/technology-41347467

  • Thanks 1
  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...