Hackers Hid Backdoor In CCleaner Security App
-
@kyle said in Hackers Hid Backdoor In CCleaner Security App:
Kinda makes you wonder why such a popular piece of software went more than a month without being noticed there was a breach.
Because... closed source. Many fewer eyes on it, no way to automate testing it. And the vendor has little incentive to invest in doing that since their customers can't tell if they've been ignoring it or not (unless something like this happens.)
-
@dashrender said in Hackers Hid Backdoor In CCleaner Security App:
@coliver said in Hackers Hid Backdoor In CCleaner Security App:
@dustinb3403 said in Hackers Hid Backdoor In CCleaner Security App:
Here is the MD5 I got from the free version of their website.
1a5ad5d2f52871c4f811485236671310 for Version 5.34
But we don't know if that one is a legit copy either. Without being able to see the code the security vendor has, hopefully, lost the market's trust. We can't be sure there isn't an undiscovered vulnerability in the most recent build.
I'm confused - is CCleaner itself at fault? or was their network breached and an infected version compiled from source that was then hosted on their website? or even more simply - the website was hacked and an infected version uploaded there?
"...investigation found the CCleaner download server was hosting the backdoored app as far back as September 11."
It's Piriform / Avast at fault, no question there. The exact source of the breach is not released, but Avast got compromised, didn't find the breach, and failed at basic security principles for downloads that all combined to make this a huge fail on their part. This will certainly affect Avast more generally. How can we trust Avast / Piriform after this, not because they were breached, but because of how they have handled it?
-
Wow, Avast are definitely off of the "ever do business with them, ever" list for sure...
"From Avast's EVP and CTO, Ondřej Vlček
"On September 12, we determined that older versions of our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been compromised. No other Piriform or Avast products were affected whatsoever. We resolved this quickly by September 15, and believe no harm was done to any of the CCleaner business users or consumers. We are continuing to investigate how this compromise happened, who did it, and why. We are also working with U.S. law enforcement in their investigation.
This is a serious incident and we sincerely apologize to our users. Our users’ security is of utmost importance to us, and we are taking increased security measures to make sure something like this cannot happen again. This was a Piriform CCleaner incident which started before Avast acquired the company and the Piriform team has immediately posted on their site explaining it to their customers:
http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v533...
http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner...
There is some false and misleading information from a Cisco Talos report we want to correct.
Cisco boasts a large number of downloads from CCleaner which is irrelevant. Regardless of the number of historical CCleaner downloads, the total number of users who used the software that was affected by this incident was 2.27M. Due to our immediate action to update the user base, this number is now down to 730k and is rapidly decreasing as we continue with the migration process. The incident only affected users of version 5.33.6162 running on 32-bit version of Windows. In addition to that, we believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.
Cisco claims you need to restore your system to remove the threat. This is incorrect. Updating to CCleaner 5.34 removes the malware which can no longer do harm because the server was shut down by Avast and no malicious payload was delivered from it before it was shut down. In the case of CCleaner Cloud, the software was automatically updated.
The Cisco blog claims that they were the source identifying the threat. This is incorrect. Cisco was not the source of information about this threat. We knew about the threat when they contacted us on Sept 14th and had already taken action to stop it. The threat was first discovered and reported to us by researchers in a security company called Morphisec. Suspicious activity was reported to us on September 12, 2017, and we immediately started an investigation process. We also immediately contacted U.S. law enforcement and worked with them on resolving the issue. Cisco informed us on September 14, 2017 about this issue after our investigation was underway. At the request of law enforcement authorities, we asked Cisco to delay publicizing the breach until we were successful in bringing down the server.
As a security company, you can imagine how critical it is for us to keep our customers safe. We have worked around the clock in the last 6 days to resolve the issue and minimize the impact on our customers. As part of this, we needed to make sure no information was made publicly available before taking down the CnC server as that may have triggered delivery of the second stage payload -- something we absolutely wanted to avoid. On the other hand, we believe in transparency and so we went out with the story the next working day (the server was taken down on Friday and the story was published on Monday morning)."
-Ondřej Vlček
EVP & CTO, Avast"
Talk about bullshit... full of lies and excuses. Bottom line here is that they tried to cover this up, Cisco busted them, and now they will claim anything to downplay the seriousness of the breach and their botched handling of it after the fact.
-
Pictures were not loading. These are the responses that I made to Avast. Several were deleted by mods (that Avast pays) which makes the whole thing that much worse.
-
The worst thing is that Avast pays for the privilege of posting, and then posts that point out that they are lying get deleted. Then additional posts pointing this out get deleted. Whether directly told to do so or not, an agent paid by Avast had posts pointing out that Avast was doing things wrong deleted. As Avast is paying the bills there, there is a huge responsibility to not act with impropriety because there is money involved and this is a hugely serious ethics issue. And that the issue is already one of Avast's ethics, it's just adding fuel to the fire.
-
I only ever used the portable version from portableapps.com
No install necessary and it, well, I used to use it from a USB stick every now and then. Personally, I'd rather pay for RevoUninstaller (free version only does 32 bit software). It runs the uninstall (like appwiz.cpl), and does a post uninstall cleanup of left overs (registry items, files, and folders).
Much better application IMO.
There is an open source competitor now I think that is supposed to be pretty good.
-
@scottalanmiller said in Hackers Hid Backdoor In CCleaner Security App:
There is an open source competitor now I think that is supposed to be pretty good.
Is Bulk Crap Uninstaller that you are thinking of?
-
@black3dynamite said in Hackers Hid Backdoor In CCleaner Security App:
@scottalanmiller said in Hackers Hid Backdoor In CCleaner Security App:
There is an open source competitor now I think that is supposed to be pretty good.
Is Bulk Crap Uninstaller that you are thinking of?
Not sure, but does not sound familiar.
-
@coliver said in Hackers Hid Backdoor In CCleaner Security App:
So much for “just remove the old version of Ccleaner. There’s nothing to worry about”.
Avast have just shot themselves in the foot in a very public way.
-
@nadnerb said in Hackers Hid Backdoor In CCleaner Security App:
@coliver said in Hackers Hid Backdoor In CCleaner Security App:
So much for “just remove the old version of Ccleaner. There’s nothing to worry about”.
Avast have just shit themselves in the foot in a very public way.
Yep the poo they were slinging at Cisco landed squarely at their own feet.
-
And since when is CCleaner a security app? Original name was crap cleaner if I remember correctly, and that's what it does, cleans crap. How does that relate to security?
-
@marcinozga said in Hackers Hid Backdoor In CCleaner Security App:
And since when is CCleaner a security app? Original name was crap cleaner if I remember correctly, and that's what it does, cleans crap. How does that relate to security?
Most of the things it was removing are security issues, viruses, malware, keylogger etc. It's always been a security appliance. Just because it performed janitorial duties as well (like removing temp files) doesn't mean it's not a security appliance.
-
@marcinozga said in Hackers Hid Backdoor In CCleaner Security App:
And since when is CCleaner a security app? Original name was crap cleaner if I remember correctly, and that's what it does, cleans crap. How does that relate to security?
It's owned by Avast, a security company. Since when does a security company provide malicious software? Then when they are found out try and cover up the tool and the extent of the infection?
-
@coliver said in Hackers Hid Backdoor In CCleaner Security App:
@marcinozga said in Hackers Hid Backdoor In CCleaner Security App:
And since when is CCleaner a security app? Original name was crap cleaner if I remember correctly, and that's what it does, cleans crap. How does that relate to security?
It's owned by Avast, a security company. Since when does a security company provide malicious software? Then when they are found out try and cover up the tool and the extent of the infection?
Avast recently purchased Piriform (the original developers of CCleaner).
-
@dustinb3403 said in Hackers Hid Backdoor In CCleaner Security App:
@coliver said in Hackers Hid Backdoor In CCleaner Security App:
@marcinozga said in Hackers Hid Backdoor In CCleaner Security App:
And since when is CCleaner a security app? Original name was crap cleaner if I remember correctly, and that's what it does, cleans crap. How does that relate to security?
It's owned by Avast, a security company. Since when does a security company provide malicious software? Then when they are found out try and cover up the tool and the extent of the infection?
Avast recently purchased Piriform (the original developers of CCleaner).
Correct. So Avast transversely owns CCleaner.