CCleaner (Piriform) Malicious Code Breach! d7x/d7II/dSupportSuite Users Take Notice!
Sept 26th, 2017 Update: Yesterday this appeared on Bleeping Computer:
Avast Publishes Full List of Companies Affected by CCleaner Second-Stage Malware
Bleeping also put out an article on the 22nd with a good summary if you’re just catching up on the news (because of course more has emerged since our last update, and we shouldn’t just assume you read it elsewhere):
Info on CCleaner Infections Lost Due To Malware Server Running Out of Disk Space
Sept 21st, 2017 Update: These articles also came out yesterday, unfolding some plot twists to this story. If you get your news here, you could do better!
It seems a new backdoor was discovered and … you just need to read these:
CCleaner Command and Control Causes Concern
CCleaner Malware Infects Big Tech Companies With Second Backdoor
Original post is below, but be aware some details may no longer be accurate as the story unfolds.
This came out two days ago on the CCleaner blog: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users.
It seems that CCleaner has had malicious code bundled into their 32-bit binaries (along with their “Cloud” version), and the tampering occurred prior to distribution. The infected binaries were provided for download from their official site/update servers and distributed legitimately for about a month, silently infecting users to send data back to the ethers. It also occurred completely under the nose of their new parent company Avast, the anti-virus software maker who acquired Piriform (the makers of CCleaner) as recently as July. In fact, yesterday Avast released their own blog post about it, Update to the CCleaner 5.33.6162 Security Incident.
If you’re a consumer who has used any of their products, you need to know this, but I’ve got ZERO advice for what you do with that information (other than maybe call a tech if you aren’t tech oriented, because you have software on your PC that is sending bits of your data elsewhere.) On second thought, I’m told that Malwarebytes says their software removes/fixes it, and I see they have a blog post here: [Updated] Infected CCleaner downloads from official servers (they have free/trial/paid user-level “scanner” software, and I’m sure all editions take care of the issue quite effectively.)
As for prevention, the damage is done and over for the most part unless you’re still running the infected CCleaner, but that person isn’t reading this article… By the next update, at least, all of our CryptoPrevent users who haven’t noticed or heard should have detection sigs for the affected binaries, and Folder Watch can quarantine them or Program Filtering can pick them up on execution as well. In fact, a few days ago ClamAV was the only anti-virus engine to detect it on VirusTotal.com; today it lists 41/64 engines detecting it, and that’s just how it goes in this industry. If you have the infection but you have any sort of security software, you won’t have the infection for long.
Finally the elephant in the room is trust.
I’m sure that the CCleaner developer could’ve been as shocked as anyone else to learn about the incident, but I just don’t know. As for Avast, I’d be very surprised if having their own security staff check the CCleaner (and other Piriform) binaries, or even just running a quick scan with their own product, was not part of their decision to acquire Piriform/CCleaner (and maybe I should be…)
Regardless, if you use CCleaner or Piriform products, I don’t think that this is any reason to stop using them, or the parent company Avast’s products. We should all now agree that malicious activity can breach even the most trustworthy, and we should also agree that once the incident is over it isn’t always a “trust” issue at all; maybe it’s more rare than we’d normally admit, but we just got burned. So far that’s all anyone knows here, but the thing is it wasn’t just CCleaner users who got burned; the people at Piriform got burned too, meaning whoever punches the clock there and isn’t involved in this (which is up to and including maybe everyone.)
I have no real advice here, and in fact I would like to explicitly offer no suggestion at all; but at this point in time, there are two points to understand:
1. Piriform hasn’t entirely dealt with the issue until they know who did it, but this is a legitimate and long-established “good” app and company, and you should have no doubt that Piriform (and their parent company Avast, the makers of that big anti-virus software product, I might reiterate) will be paying closer attention from here on out. That should be more comforting than it might sound to someone already burned.
2. Realize that this can happen to any other legitimate and long-established (“trusted”) software by the time you make the switch, if it hasn’t happened already and is simply undetected to date (as was the case here.)
So the best I can offer for the time being is just a little food for your own thought, with the disclaimer that you take this information like anything else you read on the internets, with a grain of salt! (That, and don’t forget you are likely infected, so get your PC looked at!)
Now, speaking only to our IT Professional / Tech Shop customers, here’s what you need to know as a tech/IT pro who maybe uses CCleaner through a custom app profile with our software:
Malicious code has infected 32-bit binaries of the 3rd party software CCleaner, which can be found as a default/included custom app profile in our more popular tech-oriented/non-consumer Foolish IT apps dating back to the original d7, so there’s a high probability that someone is using it in their tech work and repair scenarios… 64-bit systems are unaffected, and there isn’t a “Cloud” version in our example profiles for 3rd party applications, so if that’s an issue for you, you should already know it, because you created and use the customized profile yourself.
It’s worth noting the malicious code was planted … ok, I haven’t read it all (it would seem at least before digital code signing), which means it was an “inside job”, and therefore changing your download links in the custom app profiles won’t matter; it wasn’t that kind of breach…
For more technicals on the CCleaner thing, the folks at Cisco’s Talos Intelligence Group have a nice technical analysis in CCleanup: A Vast Number of Machines at Risk. Thanks to our own Brantley for the link, who pointed out the pic of ClamAV near the bottom with the very first detection; good job! (ClamAV is an anti-virus engine that historically seems to be the last to recognize or do much of anything, another fine example of how things shift quickly, frequently, and wildly in this industry.)
d7II and d7x (Alpha)
CCleaner (under the default custom app in d7II/d7x) should re-download itself every 7 days, so if the affected version exists in your d7II 3rd Party Tools directory, and for example you lived under a rock and didn’t know about the breach, then the infected version will be there for at most another 5 days before it is replaced by Piriform’s most recent version, which we would all hope is still as clean as it should be right now.
In fact, you can disable the re-download option right now (d7II Config for the custom app, Persistent Settings tab; you want the checkbox at the top, I believe) and it will only download again if the files are missing, so in a bench / network / office / USB flash drive scenario you’re good to go with the download you have: still a very good program for what it does and more than likely legit/clean at the moment, and it won’t update anymore, so you can use it without worrying about the profile updating it to a version you don’t trust yet.
Of course, if you’re reading this (and hopefully you clicked on the alert in the lower status bar), then please just go delete the entire “\3rd Party Tools\ccleaner” directory, and the “\3rd Party Tools\ccleaner.zip” file if they exist, from ALL of your copies of d7II/d7x, and be done with it; the (hopefully) still clean versions will download automatically as usual, as you decide to use them.
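As an added example (not Foolish IT’s code or part of the original post), here is a PowerShell sweep that does the cleanup above across every d7II/d7x copy you keep, recording the file version and SHA-256 of any CCleaner executable before removing the directory and zip. The paths in $Roots are assumptions for illustration; the version check only flags the 5.33.6162 build named in Piriform’s notice, and the hashes are there for you to compare against the indicators in the Talos/Avast write-ups.

```powershell
# Added example, not Foolish IT's own code. Sweeps each d7II/d7x copy for the
# CCleaner custom-app files, reports what it finds, then deletes the directory
# and zip so the profile re-downloads a fresh copy on next use.
# Assumed paths: edit to match your bench PC, USB stick and network copies.
$Roots = @('C:\d7II', 'E:\d7x', '\\bench-server\tools\d7II')
# $true only shows what would be removed; set to $false to actually delete.
$DryRun = $true
# Build named in the Piriform notice for 32-bit CCleaner (5.33.6162).
$AffectedMajor = 5; $AffectedMinor = 33; $AffectedBuild = 6162
$verb = if ($DryRun) { 'Would remove' } else { 'Removed' }

foreach ($root in $Roots) {
    $toolsDir = Join-Path $root '3rd Party Tools'
    $ccDir = Join-Path $toolsDir 'ccleaner'
    $ccZip = Join-Path $toolsDir 'ccleaner.zip'

    if (Test-Path -LiteralPath $ccDir) {
        # Record version and hash of each CCleaner executable before removal so the
        # hashes can be checked against published indicators later.
        Get-ChildItem -LiteralPath $ccDir -Filter 'CCleaner*.exe' -Recurse -File |
            ForEach-Object {
                $vi = $_.VersionInfo
                # The 6162 build number may sit in the third or fourth version
                # field depending on how the resource was written; accept either.
                $isAffected = ($vi.FileMajorPart -eq $AffectedMajor) -and
                              ($vi.FileMinorPart -eq $AffectedMinor) -and
                              ($vi.FileBuildPart -eq $AffectedBuild -or
                               $vi.FilePrivatePart -eq $AffectedBuild)
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                $tag = if ($isAffected) { 'AFFECTED BUILD' } else { 'other build' }
                "{0}`t{1}`t{2}`t{3}" -f $_.FullName, $vi.FileVersion, $hash, $tag
            }
        Remove-Item -LiteralPath $ccDir -Recurse -Force -WhatIf:$DryRun
        "$verb directory: $ccDir"
    }
    if (Test-Path -LiteralPath $ccZip) {
        Remove-Item -LiteralPath $ccZip -Force -WhatIf:$DryRun
        "$verb archive: $ccZip"
    }
}
```

Run it once with $DryRun left at $true to see the report, then flip it to $false; the tab-separated lines paste straight into a ticket or spreadsheet.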
If you made it this far and you are a d7II subscriber, please also check out the d7x Alpha info page to understand what is different and consider testing it, the download is found in the new d7x Manual.
I do believe it is a default option for maintenance, and although I don’t recall the specific download rules in the final v10.something, I do not believe it updates much. Anyone using this tool should do the same as mentioned above: delete your CCleaner files, let them re-download, and use that if you insist, for the time being. Then look into d7II and the upcoming d7x and step up.
dSupportSuite (and dMaintenance)
Owners of dSupportSuite may know the software includes example custom app profiles for CCleaner/Defraggler as 3rd party downloads, and those who’ve deployed dSS profiles using these apps to their clients are of course affected.
So by default, with every (weekly) maintenance cycle of dSupportSuite, when an internet connection exists it should attempt to download the latest 3rd party tools configured for use. Good for the fix, not so much when it was the problem! The same automated re-download on every maintenance also applies to the older dMaintenance stand-alone apps (both the original tech version and the later home edition.)
Although the issue has been corrected (for the moment) on Piriform’s end, and we’re sure that they (and their parent company alike) will be keeping a close eye on future releases, you wouldn’t be wrong to push out a new profile that doesn’t include it, at least for a time.
Also, those machines possibly have infected code running on them right now, and as much as any fix (which will more than likely be present in the security product already on their system within the next few days, if it isn’t already neutralized) your clients need to be made aware of the breach itself.
The same goes for many tech shops and repair guys out there; I think your customers need to hear it IF they can possibly be affected. Probably most tech shops at one point or another have had at least one employee use CCleaner on a customer’s system, quite a few probably within the last month, world-wide… That’s conservative, but my guess is that more than likely CCleaner is just part of the way things are done in many tech shops, by most if not all techs who are allowed to do their own thing, if it isn’t some semi-to-official company mandate (depending on how large the company is, they shy away from 3rd party apps without $$ agreements, but under 20 employees it’s completely possible.) It surely is in the toolbox of most door-to-door guys, wouldn’t you think?
This widespread usage is for a good reason, let’s not forget. I think most agree it’s also good at doing what it advertises. Dispute the app’s necessity all you want (and I would personally do so to some degree, in some other article), but I don’t ever recall finding fault with the company’s character, and we still have it in the custom app profiles our tech customers use for a reason. As stated earlier, it is a legitimate and long-established “good” app and company, so don’t forget Piriform’s reputation, and read up on how well they are handling it right now.
I’m sure that since it’s so widely respected and used, a quick visit to your favorite tech forums will turn up plenty of tips and example scripts on what others are already saying to their customers.
I know it’s an ugly conversation with any client, depending on how one might view the situation, but if you approach it with honesty, it can be a good opportunity to reconnect with clients you maybe haven’t seen in a while, and show them some concern and care. It’s good to build any of your client relationships through all seasons, and the integrity pays in good ways.