Popular windows program ccleaner compromised with malware
Posted by ewv 7 years, 2 months ago to Technology
The widely used Piriform windows security/optimizer utility ccleaner used to clean out extraneous files and registry entries has been hacked, infecting over 2 million users.
The hack affected the 32 bit installer download for version 5.33 on Piriform's own servers for about a month before it was discovered by researchers at Cisco Talos. All anti-virus programs missed it because it was implanted under the company's own security signature. Piriform was purchased by the security company AVAST a few months ago.
The malware is described as a trojan set to send information back to servers controlled or used by the hackers.
Piriform says that the servers were discovered from addresses embedded in the malware and were disabled before being activated. Piriform says the malware was not publicly announced until it got control of the hackers' server, so as to not tip them off. It does not say why it believes there had been no isolated activations.
The newest monthly update of ccleaner, version 5.34 Sept. 12, 2017, fixes the problem by replacing the compromised files, which can be identified by their sha256 hash values:
ccleaner.exe v5.33
6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9
ccleaner.exe v5.33
36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9
ccsetup533.6162.exe
1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
The program file ccleaner.exe is put in C:\Program Files\Piriform\ unless you install it somewhere else.
The malware also installs a new registry key that the new version 5.34 installer does not remove, but which is said to be dormant without the malware running: HKLM\SOFTWARE\Piriform\Agomo\
Technical details are described at
http://www.piriform.com/news/blog/201...
http://blog.talosintelligence.com/201...
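A host check built from the indicators quoted in the post above (the three SHA-256 hashes, the default install path and the Agomo registry key); this is an added example, not code from the post or from Piriform/Avast, and the Downloads path for the installer is an assumption.

```powershell
# Added example: look for the compromised CCleaner 5.33 build and the dormant
# Agomo key left behind by it, using only the indicators quoted in the post.

# SHA-256 hashes of the compromised files, as listed in the post (normalised to upper case).
$BadHashes = @(
    '6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9',  # ccleaner.exe v5.33
    '36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9',  # ccleaner.exe v5.33
    '1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF'   # ccsetup533.6162.exe
)

# Default install location named in the post, plus an assumed download location
# for the installer. Add further paths if CCleaner was installed elsewhere.
$Candidates = @(
    'C:\Program Files\Piriform\ccleaner.exe',
    "$env:USERPROFILE\Downloads\ccsetup533.6162.exe"   # assumption, not from the post
)

function Test-CCleanerCompromise {
    param([string[]]$Paths, [string[]]$KnownBadHashes)
    $findings = @()
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # Get-FileHash returns upper-case hex; the post mixes cases, so compare normalised.
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToUpperInvariant()
        if ($KnownBadHashes -contains $hash) {
            $findings += [pscustomobject]@{ Indicator = 'FileHash'; Item = $p; Value = $hash }
        }
    }
    # Key written by the trojanised build; the 5.34 installer does not remove it.
    $agomo = 'HKLM:\SOFTWARE\Piriform\Agomo'
    if (Test-Path -LiteralPath $agomo) {
        $findings += [pscustomobject]@{ Indicator = 'RegistryKey'; Item = $agomo; Value = 'present' }
    }
    return $findings
}

$results = @(Test-CCleanerCompromise -Paths $Candidates -KnownBadHashes $BadHashes)
if ($results.Count -eq 0) {
    Write-Output 'No CCleaner 5.33 compromise indicators found.'
} else {
    $results | Format-Table -AutoSize
    Write-Output 'Replace the flagged files with the 5.34 release and review the leftover Agomo key.'
}
```

A hash miss does not prove a clean install (the list covers only the files named in the post), and the registry key alone only shows the trojanised build once ran, so treat either finding as a reason to reimage or reinstall rather than as a complete verdict.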