
Malware identified in CCleaner 5.33 - spaar
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
======
happy-go-lucky
As a kid, the only OS I was aware of was Windows. Once, my computer was
infected to the point where it was almost unusable. A more experienced friend
suggested a non-free antivirus and CCleaner. After a lot of effort, I
could get my machine back to working, but it became so slow that it led me to
discover Linux. Now, on a Windows 10 machine, I’ve nothing but Defender, and
since the aforementioned experience I’ve never had to use any other antivirus,
a ‘junk’ cleaner, etc. Once bitten, twice shy :)

Edit: I hated investing in anti-stuff.

~~~
superasn
> it led me to discover Linux

As someone who is in the same boat but hasn't discovered Linux yet, how hard
would you say it would be to install a version of Linux that supports 3
monitors (using an onboard ATI card and a PCIe card)? Last time I tried
installing it, this is the part I gave up at.

Also, as a person who has always been aware of Windows, I find the graphics in
Ubuntu lacking some finesse, i.e. the scrollbars and window panes look like
those created using Java applets (granted it is a matter of taste and personal
choice), but what is the most professional looking desktop to try right now?

Sorry, I know this is off-topic, but I too really want to switch from Windows
and don't want to waste money in Macbooks so any advice would be appreciated.

~~~
ix-hispana
Don't go down that rabbit hole. Linux is not for desktop despite many years of
efforts. Even the distro with the greatest focus on UI (elementaryOS) looks
like a toy. That Linux is hugely successful everywhere EXCEPT in the desktop
should tell us something.

Just my honest opinion after 15 years of continuous use in university and
work.

XKCD still relevant today: [https://xkcd.com/456/](https://xkcd.com/456/)

~~~
dijit
Let's be real; as much as I shit on systemd, since it released the desktop
experience for people is much more well-rounded and I think it has helped
distro maintainers really push usability.

Usability of Linux in the past 10 years has been exponentially increasing.

~~~
ix-hispana
They're going to need something else. X11 and GNOME/KDE/etc will never be
mainstream. Ubuntu made a mistake not contributing to Wayland but they were
right to try Unity.

Ironically, Canonical is making money mainly with cloud services. Meaning
servers - what Linux is good at.

------
princekolt
There have been a number of cases of installers from trusted developers being
infected lately. (For example Transmission being infected twice...)

On our side (developers) we need to be careful with this idea that "we will
know" when something is wrong and be more careful when deploying software. It
would also be nice if some form of tool could be used to test a binary to make
sure it only contains what it should contain (sort of a whitelist of symbol
names compared to the source files, idk...) I'm sure something along these
lines probably exists for some different purpose.

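One coarse version of the check wished for above is to diff the import table of a new build against the last build you vetted: a backdoored binary that phones home or spawns threads it never used to needs DLLs and entry points the previous release did not. This is an added example, not from the thread or from Piriform; it parses the PE import directory with nothing but .NET's BitConverter so it runs on any Windows or PowerShell 7 host without extra tooling. The two release paths at the bottom are placeholders.

```powershell
# Added example (not from the thread). Lists the DLLs a PE file imports by
# walking the import directory, then diffs two builds.
function Get-PeImports {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    function U16([int]$o) { [System.BitConverter]::ToUInt16($bytes, $o) }
    function U32([int]$o) { [System.BitConverter]::ToUInt32($bytes, $o) }

    if ((U16 0) -ne 0x5A4D) { throw "$Path is not an MZ executable" }
    $pe = U32 0x3C                                  # e_lfanew -> "PE\0\0"
    if ((U32 $pe) -ne 0x4550) { throw "$Path has no PE signature" }
    $numSections = U16 ($pe + 6)
    $optSize     = U16 ($pe + 20)
    $opt         = $pe + 24                         # optional header start
    $is64        = (U16 $opt) -eq 0x20B             # PE32+ magic
    # Data directory entry 1 is the import table: +104 in PE32, +120 in PE32+.
    $dirOff      = if ($is64) { 120 } else { 104 }
    $importRva   = U32 ($opt + $dirOff)
    if ($importRva -eq 0) { return @() }            # no imports at all

    # Section table (40 bytes per entry) is needed to map RVAs to file offsets.
    $sections = for ($i = 0; $i -lt $numSections; $i++) {
        $s = $opt + $optSize + 40 * $i
        [pscustomobject]@{
            VirtualSize    = U32 ($s + 8)
            VirtualAddress = U32 ($s + 12)
            RawSize        = U32 ($s + 16)
            RawPointer     = U32 ($s + 20)
        }
    }
    $toOffset = {
        param([uint32]$rva)
        foreach ($sec in $sections) {
            $size = [Math]::Max($sec.VirtualSize, $sec.RawSize)
            if ($rva -ge $sec.VirtualAddress -and $rva -lt ($sec.VirtualAddress + $size)) {
                return $rva - $sec.VirtualAddress + $sec.RawPointer
            }
        }
        throw ("RVA 0x{0:X} maps to no section" -f $rva)
    }

    # IMAGE_IMPORT_DESCRIPTOR is 20 bytes; the DLL name RVA sits at +12.
    # An all-zero descriptor terminates the table.
    $desc = & $toOffset $importRva
    $dlls = [System.Collections.Generic.List[string]]::new()
    while ($true) {
        $nameRva = U32 ($desc + 12)
        if ($nameRva -eq 0) { break }
        $off = [int](& $toOffset $nameRva)
        $end = [Array]::IndexOf($bytes, [byte]0, $off)
        $dlls.Add([System.Text.Encoding]::ASCII.GetString($bytes, $off, $end - $off))
        $desc += 20
    }
    return $dlls
}

function Compare-PeImports {
    param([Parameter(Mandatory)][string]$Baseline, [Parameter(Mandatory)][string]$Candidate)
    $old = @(Get-PeImports $Baseline)
    $new = @(Get-PeImports $Candidate)
    [pscustomobject]@{
        Added   = @($new | Where-Object { $_ -notin $old })   # new dependencies: look here first
        Removed = @($old | Where-Object { $_ -notin $new })
    }
}

# Placeholder paths: the build you already vetted versus the one about to ship.
Compare-PeImports -Baseline 'C:\releases\5.32\CCleaner.exe' -Candidate 'C:\releases\5.33\CCleaner.exe'
```

This only sees static imports; anything resolved at runtime through LoadLibrary/GetProcAddress, or through delay-load, is invisible to it, so an empty `Added` list is a necessary but not sufficient condition. Extending the walk to the per-DLL thunk arrays gives function-level names, which is closer to the symbol allowlist the comment describes.
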
~~~
contravariant
I'm not sure how exactly these infections work, but one method would be to
infect the developers' PCs. In which case you essentially can't trust
anything. You'd need some kind of byzantine fault tolerance (mandatory multi-
person code review?) to be sure nothing like this ever happens

What makes this scary is that, as far as I know, pretty much no software has
that kind of security, and there are several pieces of widely used software
that always update automatically (sometimes for good reason, sometimes not so
much).

~~~
elorant
You can enable AppLocker and have explicit control on what executes and what
not by creating rules. I know quite a few companies that enforce its use in
their employees' PCs.

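What an AppLocker allowlist looks like when built from the command line rather than the GUI, as an added example (not from the thread or from any commenter). It assumes an elevated session on a Windows edition that ships the AppLocker module, and the Downloads path is a placeholder. The policy is applied in AuditOnly mode first, because a rule set that misses a directory blocks the OS itself once enforced.

```powershell
# Added example (not from the thread): build, audit and test an AppLocker
# allowlist of the executables already trusted on this host.
$policyPath = Join-Path $env:TEMP 'applocker-allowlist.xml'

# 1. Inventory trusted executables. Publisher rules survive vendor updates;
#    unsigned files fall back to hash rules, so a swapped binary stops matching.
#    System32 must be covered too, or nothing in Windows may run under enforcement.
$dirs = 'C:\Program Files', 'C:\Program Files (x86)', "$env:SystemRoot\System32"
$trusted = foreach ($d in $dirs) {
    Get-AppLockerFileInformation -Directory $d -Recurse -FileType Exe
}

# 2. Generate the policy; -Optimize collapses files from one publisher/product
#    into a single rule. Start in AuditOnly so nothing is blocked yet.
$xml = [string](New-AppLockerPolicy -FileInformation $trusted -RuleType Publisher, Hash -User Everyone -Optimize -Xml)
$xml = $xml -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"'
Set-Content -Path $policyPath -Value $xml -Encoding UTF8

# 3. AppLocker does nothing unless the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

# 4. Apply locally; -Merge keeps any rules already present.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 5. Vet a fresh download against the policy before anyone runs it.
$candidate = Join-Path $env:USERPROFILE 'Downloads\ccsetup.exe'   # placeholder
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidate -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 6. While auditing, event 8003 records every execution that would have been
#    denied. Review these before switching the Exe collection to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

A publisher rule keyed on the vendor's certificate would still have allowed a signed release from that vendor, so an allowlist limits what users install from elsewhere; it is not on its own a defence against a compromised upstream build.
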
~~~
cyphar
As an aside, AppLocker was trivially bypassable for several years -- there
were two different APIs that allowed you to set an "ignore AppLocker" flag. We
used to use it in high-school to play games (or in my case, run gvim and some
other development tools).

I think that there needs to be a more complete solution than just "secure the
developers machines". You need to have peer-review, where the developers sign
commits to approve them.

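The signed-commit gate suggested above, as an added example (not from the thread) in PowerShell so it runs in the same shell as the rest of a Windows build pipeline. It needs git and gpg on PATH and the developers' public keys already imported; the fingerprint in the usage line is a placeholder. The allowlist, not gpg's trust database, is the trust anchor, so a good-but-untrusted signature (status U) from a listed key is accepted.

```powershell
# Added example (not from the thread): refuse a range of commits unless every
# one carries a valid signature from an allowlisted key.
function Test-SignedRange {
    param(
        [string]$Range = 'origin/main..HEAD',
        [Parameter(Mandatory)][string[]]$TrustedFingerprints
    )
    # %G? = signature status: G good, U good but key untrusted, B bad, N none,
    #       E missing key, X/Y expired, R revoked.  %GF = signing key fingerprint.
    $lines = git log --format='%H%x09%G?%x09%GF%x09%an' $Range
    $failures = foreach ($line in $lines) {
        $hash, $status, $fpr, $author = $line -split "`t"
        $short = $hash.Substring(0, 12)
        if ($status -notin 'G', 'U') {
            "$short  $author  signature status '$status'"
        } elseif ($fpr -notin $TrustedFingerprints) {
            "$short  $author  signed by unlisted key $fpr"
        }
    }
    [pscustomobject]@{
        Passed   = -not $failures
        Failures = @($failures)
    }
}

# Usage in CI (placeholder fingerprint): print offenders and fail the job.
$result = Test-SignedRange -TrustedFingerprints @('0123456789ABCDEF0123456789ABCDEF01234567')
$result.Failures
if (-not $result.Passed) { exit 1 }
```

This proves who authored each commit; the review step is a separate signature, typically a signed merge commit or release tag made by someone whose fingerprint differs from the authors in the range.
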
------
JohnTHaller
It's also worth noting that the default installer for CCleaner automatically
installs Chrome and sets it as the default browser with no notification in the
default process. Unless you click "More..." from one of the screens, then it
tells you. At least it was like this two weeks ago. Had to uninstall
bundleware Chrome again from multiple family members' PCs.

~~~
craftyguy
FYI, BleachBit is a (FLOSS) alternative to ccleaner, that works pretty well.

~~~
JohnTHaller
That's why I package it for our PortableApps.com users!
[https://portableapps.com/apps/utilities/bleachbit_portable](https://portableapps.com/apps/utilities/bleachbit_portable)

~~~
voltagex_
What would happen if someone got malware on to your machine that specifically
targeted PortableApps.com?

------
AdmiralAsshat
My Windows 7 machine still has a nightly scheduled cronjob to run ccleaner in
headless mode. I mostly used it to automatically securely wipe anything I put
into the Recycle Bin.

Fortunately I don't think I've updated the program in 2-3 years, so it
probably doesn't have any malware in it, but still, rather scary to think that
what used to be a daily program for me is now infected.

Which reminds me, I probably need to call my dad and anyone else I installed
that for...

------
CharlesDodgson
I really liked the style of this article, it explained things that are very
technical in a way that someone with moderate knowledge of the concepts can
grasp. Hats off to the author!

------
legulere
With all these malware problems I look forward to more heavily sandboxed
operating systems based on capabilities. Maybe Fuchsia will be that operating
system, if it does not turn out to be a google spyware hell.

~~~
jerheinze
I think what you're looking for is Qubes OS [https://qubes-os.org](https://qubes-os.org)

------
Jdam
"CCleaner is an application that allows users to _perform routine maintenance
on their systems_."

It's 2017, how is this still a thing?

~~~
pmlnr
I don't understand the question. Maintenance will always be a thing, carried
out by humans, cron, or the os itself doesn't really matter.

~~~
pbhjpbhj
Why doesn't MS Windows do the maintenance - CCleaner does things like clean up
ancient cache files, remove Windows update files, remove registry entries for
software that's no longer installed.

That sort of maintenance seems like it's the result of poor design in an OS
that has the hood welded shut.

I actually used ccleaner on Win 10 recently, an MS update had associated loads
of files with TWINUI which wasn't installed making things like viewing images
impossible. Ccleaner found of the order of thousands of stale entries, removed
them and made a backup. It also let me simply check and disable startup
programs - I don't think Win 10 has a way to do that in the user UI?

~~~
marian0_
The OS does it by itself. It even includes an application so you can do it
yourself if you want which is called "Disk Cleanup".

~~~
CamperBob2
Just as one data point, the last time I ran Disk Cleanup, it hosed my entire
Windows installation. The bug in question was documented as occurring in
Vista, but wasn't fixed in Windows 7, and for all I know, still isn't:

[http://www.winhelponline.com/blog/serious-disk-cleanup-problem-caused-by-broken-registration/](http://www.winhelponline.com/blog/serious-disk-cleanup-problem-caused-by-broken-registration/)

------
tekni5
So it was only the 32-bit executable that was affected?

By default CCleaner installs both the 32-bit and 64-bit versions, however on
64-bit systems it only runs the 64-bit executable and points every shortcut it
makes to the 64-bit executable.

On one of my affected systems that appears to have had 5.33 installed, I
noticed no registry keys that appear to be created and that system never ran
the 32-bit executable.

Would it be safe to assume it's not affected and simply uninstalling CCleaner
5.33 is enough?

Piriform seems to suggest that only some useless system information was ever
released by the compromised version. The general worry is that it wasn't just
that information, but also other more important things like account logins and
such.

~~~
giancarlostoro
According to:
[https://news.ycombinator.com/item?id=15274517](https://news.ycombinator.com/item?id=15274517)

This blog post from Piriform has more details:
[http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users](http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users)

Basically they believe it was only the 32-bit installer that was compromised.

~~~
r1ch
I wish there was more technical information, even the advisory is unclear
here.

The CCleaner installer is always 32 bit for compatibility - it installs both
32 bit and 64 bit program binaries. On 64 bit systems, the default shortcuts
are to the 64 bit binary.

So was the 32 bit installer compromised, or only the 32 bit binary? The
original advisory makes references to the installer which is quite confusing.
Tried to figure it out myself but I assume the loader has VM detection
techniques as I wasn't able to infect a VM.

------
AJ007
Just wait until everyone finds out that Avast sells your raw traffic data to
marketers and who knows else... (Google Jumpshot)

~~~
ballenf
Found this post from 2015 for anyone else curious for details:

[https://malwaretips.com/threads/avast-and-jumpshot.46539/](https://malwaretips.com/threads/avast-and-jumpshot.46539/)

------
thrillgore
Once again, my bad habit of never upgrading in a timely manner has saved me a
particular breed of egg on my face.

------
TravelTechGuy
Question: I get my CCLeaner installers through Chocolatey, so it always
installs the 64 bit version.

Obviously, this gave me quite a scare, so I downloaded and ran both
MalwareBytes and Immunet - both came up negative. I checked my registry for
the keys mentioned in the article, and found none of them. Can I assume I'm
"safe" (well, one never is, but relatively speaking), or should I revert my
system to an August image?

~~~
iza
Apparently only the 32 bit installer was compromised.

------
madshiva
CCleaner, like Avast, never did the job for me. I have always told people to
stop using it... but users need proof.

Even with ton of subject "I have removed X with CCleaner and now I.."

~~~
WorldMaker
While the malware-ification of Avast has been a relatively slow process, [1] I
have never trusted CCleaner, and I also groan when I see friends/family still
using CCleaner after all the times I've helped them get out of jams CCleaner
caused.

Anecdotally, I've seen CCleaner delete way too many false positives in the
Registry, breaking applications (and people have never heeded its warning to
properly back up the Registry), and worse, entirely corrupt Registry Hives,
breaking Windows.

The Hive database format of the Windows Registry was built to be read-
mostly/write-rarely and doesn't survive active surgery well, especially not
"I run CCleaner once a week with all the options checked". Like I said, I've
seen it corrupt entire Hives from too-regular operation.

I'm also of the opinion that some of that "Windows slowdown" that these users
complain of is a snowball impact of too much Registry surgery leaving sadly
deteriorated/badly optimized for reading Hives behind, but that's mostly a
hypothesis I have not scientifically proven.

[1] I kind of forgive people still running Avast out of habit from bad old XP
days (not everyone got on the Microsoft Security Essentials train as fast as
they could, and that was as much a marketing/awareness problem), though as
knowledge that Windows Defender exists spreads there are increasingly fewer
excuses to still run Avast.

~~~
NiveaGeForce
Indeed, I explained some of the issues with cleaners here.

[https://news.ycombinator.com/item?id=15277316](https://news.ycombinator.com/item?id=15277316)

------
hourislate
Was reading a copy of Maximum PC a while back and they suggested Privazer
[http://privazer.com/](http://privazer.com/) . I've installed it on a couple
of machines and it seems to do a pretty thorough job in cleaning the system.

The CCleaner infection was for win32 machines and from what I understand
upgrading to the next version (v5.34) fixes the problem.

------
OscarTheGrinch
My new app: CCleanerCleaner will clear everything up in a jiffy.

------
kakarot
Wow that's crazy, I was on the toilet _just this morning_ running CCleaner on
my phone as I do weekly and the thought momentarily crossed my mind that I
shouldn't trust CCleaner on my phone (I limit my use of apps as much as I can)
but my next immediate thought was, "Nah, this is Piriform we're talking about,
they're one of the few free software developers I can probably trust to never
inject malware into their products."

I mean, I guess that's still true since the build was compromised by an outside
party, but it's still just an interesting moment of synchronicity.

------
jasonmaydie
Bundled installers are the worst thing about the old way windows software was
distributed.

~~~
WorldMaker
I think it _is_ just about time for all apps to be distributed only by APPX
package; now that the Project Centennial bridge has been available for several
Windows builds, and what with the Anniversary Update making sideloading on by
default, and the UX Upgrades for sideloading in the AU and Creators Update
(and now with all of that several months to a year old).

Office itself is in Preview on the Windows Store, and when that comes out of
Preview, other developers are especially going to be on notice to get
applications into APPX packages, if not the Store, because for most
applications if Office can do it, so can you.

------
jcims
Incredible write-up.

------
cJ0th
What's the easiest way to find out whether a computer is infected?

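A first-pass answer to the question above, and to the earlier questions about 32-bit versus 64-bit installs and Chocolatey, as an added example that is not from the thread, from Piriform or from Talos. It inspects one Windows host: which CCleaner binaries are present, whether each is a 32-bit image of the affected 5.33 release, how each is signed, and whether the registry key the Talos write-up (linked at the top of the thread) attributes to the backdoor, HKLM\SOFTWARE\Piriform\Agomo, exists. The install paths are the default ones and are an assumption; portable or Chocolatey installs need their own paths passed in.

```powershell
# Added example (not from the thread). Triage one host for the CCleaner 5.33
# compromise: affected 32-bit binary present, and/or the IOC registry key present.
function Get-PeMachine([string]$Path) {
    # COFF Machine field: 0x14C = x86 (32-bit), 0x8664 = x64.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        $fs.Seek(0x3C, 'Begin') | Out-Null          # e_lfanew
        $peOffset = $br.ReadUInt32()
        $fs.Seek($peOffset + 4, 'Begin') | Out-Null # skip "PE\0\0"
        return $br.ReadUInt16()
    } finally { $fs.Dispose() }
}

function Test-CCleanerCompromise {
    param(
        # Default install locations (assumption; both images live under Program Files
        # on 64-bit Windows). Add portable/Chocolatey paths as needed.
        [string[]]$Paths = @(
            "$env:ProgramFiles\CCleaner\CCleaner.exe",
            "$env:ProgramFiles\CCleaner\CCleaner64.exe",
            "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
        ),
        [version]$AffectedVersion = '5.33',
        # Registry key described in the Talos write-up linked at the top of the thread.
        [string]$IocKey = 'HKLM:\SOFTWARE\Piriform\Agomo'
    )
    $findings = foreach ($p in ($Paths | Where-Object { Test-Path $_ })) {
        $vi   = (Get-Item $p).VersionInfo
        $ver  = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart)"
        $arch = switch (Get-PeMachine $p) { 0x14C { 'x86' } 0x8664 { 'x64' } default { 'other' } }
        $sig  = Get-AuthenticodeSignature $p
        [pscustomobject]@{
            Path      = $p
            Version   = $vi.FileVersion
            Arch      = $arch
            Signer    = $sig.SignerCertificate.Subject
            SigStatus = $sig.Status
            # Only the 32-bit image of the 5.33 release carried the payload.
            Affected  = ($arch -eq 'x86' -and $ver -eq $AffectedVersion)
        }
    }
    $iocFound = Test-Path $IocKey
    $verdict  = if ($iocFound -or ($findings | Where-Object Affected)) { 'INVESTIGATE' } else { 'no indicator found' }
    [pscustomobject]@{
        Binaries = @($findings)
        IocKey   = $IocKey
        IocFound = $iocFound
        Verdict  = $verdict
    }
}

$r = Test-CCleanerCompromise
$r.Binaries | Format-Table -AutoSize
"IOC key present: $($r.IocFound)   Verdict: $($r.Verdict)"
```

Two caveats a responder would add: a valid Authenticode signature does not clear the file here, because the affected build went out through Piriform's normal release channel, and an absent registry key only shows the 32-bit image has not executed its payload on this host. A 64-bit install that still carries the 32-bit 5.33 image next to CCleaner64.exe should be updated or removed regardless of which shortcut users clicked.
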
------
vels
What can be done on machines that have a new install of CCleaner - Is there a
patch available ?

Also, does this affect the Mac OSX version of CCleaner or just the Windows
version ?

~~~
csydas
Edit: Updating with their release blogpost instead, as it's clearer:

Release Post: [http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users](http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users)

Affected Versions:

>This compromise only affected customers with the 32-bit version of the
v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform
or CCleaner products were affected. We encourage all users of the 32-bit
version of CCleaner v5.33.6162 to download v5.34 here: download. We apologize
and are taking extra measures to ensure this does not happen again.

macOS seems fine, it looks like it was their 32bit Windows/Cloud offerings:

[http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users](http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users)

>Before delving into the technical details, let me say that the threat has now
been resolved in the sense that the rogue server is down, other potential
servers are out of the control of the attacker, and we’re moving all existing
CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud
version 1.07.3191 have received an automatic update. In other words, to the
best of our knowledge, we were able to disarm the threat before it was able to
do any harm.

So if you have a Windows copy, look for a patch I guess. Seems like it's not
just fixed, but the rogue server taken down.

------
quaffapint
They also have a portable version, which is what I always use, so you don't
have the installer issue (of course the main exe could be compromised, but
that's not the case here).

------
kronos29296
Just Wow. I am happy now that I haven't updated my installation of ccleaner
for over a year and so I am safe.

~~~
romanovcode
I'm happy I'm not using Windows XP so I don't need this crapware anymore
because Windows10 runs fast w/o it.

~~~
fbouynot
Well, if you're about to use Malwarebytes / Rogue Killer / ZHP Cleaner, you
will save hours by cleaning all these temporary files before a scan.

------
lunorian
Does anyone know whether the macOS Version was infected?

~~~
ballenf
Others have stated only the 32-bit Windows installer was compromised. So, no, the
macOS version was not infected.

------
makkesk8
good thing I refuse to update, still on 5.25 :D

------
bobsoap
"CCleanup" appears to be a wordplay on "cleaning up CCleaner", but it's
confusing and unnecessary. Even though the original article is named that way,
I propose changing the thread title to the proper, well-known application
name, CCleaner.

~~~
user5994461
Don't install it on your system either. They do more harm than good.

~~~
pbhjpbhj
Any proof?

~~~
lightedman
[https://www.google.com/search?q=ccleaner+broke+my+computer&ie=utf-8&oe=utf-8](https://www.google.com/search?q=ccleaner+broke+my+computer&ie=utf-8&oe=utf-8)

Two seconds to type four words into the search bar.

~~~
pbhjpbhj
That doesn't prove the parent's contention, which was "they do more harm than
good". They presumably have something they've based that opinion on other than
the existence of problems with a particular app - if you don't have anything
substantive to add then please keep your "lm[f]gtfy, lolz" type comments to
yourself, thanks.

~~~
user5994461
The opinion is based on the broken computers and applications that happen
after running CCleaner.

That software basically goes through your computer and deletes a ton of things
that it considers useless. Have you ever seen the default settings? For
instance, it used to delete the history, cache and settings from all major
browsers.

------
Tanya_Romanova
That's rotten news, you guys. If CCleaner goes bad, then will ESET NOD32 soon
too? :((((

------
ameyv
Uninstalling CCleaner and formatting now.

~~~
dan1234
Not much point in uninstalling if you're going to format anyway.

~~~
RationPhantoms
It's the software equivalent of a double tap.

------
Zeklandia
I guess we know how Equifax got hacked.

~~~
jlgaddis
Yes, via an unpatched Apache Struts vulnerability.

