So not the original version, but the version distributed by Avast Antivirus?
By. Avast. Antivirus.
/me uninstalls Avast...
Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users. Cisco Talos discovered that servers distributing the program were leveraged to deliver malware to unsuspecting victims. "For a period of time …
No, this is the normal version of CCleaner that is affected, not some specialist Avast version, shipped with Avast, avast now own Piriform. This is the normal standalone installer that everyone uses.
The article is confusing because Piriform is now owned by Avast, but the installer that is infected was downloaded in the normal way when you check for upgrade via FileHippo/Piriform.
I had version 5.32 installed, and noticed the download installer had increased in size to 9.4MB for version 5.33, up from 6.8MB for 5.32. (Oddly 5.34 is still 9.4MB, but downloading the update in the software downloads 6.4MB). On seeing the size increase, I assumed they were shipping some form of Google Chrome add-on/other software included. The installer will install Google Chrome if it's not already installed on the machine. At the time I searched and also found another version on the Piriform website - CCleaner 'slim' which was still 6.8MB in size. This now seems to have disappeared.
I saw the size increase and backed off from updating. It's always worth a bit of due-diligence, and think why has an installer increased in size by a third?
I'm currently seeing/investigating an issue with an account that keeps getting created in the "Credentials Manager" on Windows 10, I'm starting to wonder if this is related to CCleaner on a machine that did get it. Search "cred" in the control panel and check what accounts are in there.
... CCleaner is just returning to a file size nearer to what it used to have - 5.27, for example, is 8.83MB (I've a copy here) which is only 552KB smaller than the latest one.
Interesting point about the Credential Manager listings - although a lot of the system credentials (OneDrive, Office16, Windows Live and the associated 'virtualapp/didlogical' one, etc.) don't help here, with their random username field - they do look suspicious, especially that virtualapp one. This PC is a 32-bit Win7 system, with CCleaner installed (although it logs in as a limited user instead of admin), and there are no odd users created recently - the OneDrive ones and the virtualapp one refresh each login.
I don't think your suspicion over the size increase of the installer helped you - just pure luck.
Why do I say this? Because the portable zip of 5.33 was only 15kB bigger than 5.32. Furthermore, the trojaned 32 bit ccleaner.exe in 5.33 is only 22kB bigger than the clean version in 5.32. Both size increases are not especially unusual over recent versions.
In an age where single pieces of software often come in packages of many gigabytes in size, any size change under fifty megs or so is simply random fluctuation, noise, not signal - regardless of how small the original package may have been.
Any new feature, any change in a support lib or localization or skin set or help files or frameworks or build policies or installer options can fully be expected to change the package size by dozens of megabytes randomly, up or down but mostly just up, and there's just no way to tell whether it's a legit change or not unless you're willing to wait and see whether it blows up for any upgrade.
The time of ruminating pensively over kilobytes or megabytes of size differences was over the same time floppy disks died, especially knowing that ultimately it only takes a few hundreds of bytes to pwn your ass comprehensively. The only thing size is relevant for these days is to gleefully inform you not even your shiny new SSD RAID array has enough space for what you want to install...
In my opinion Avast went downhill the very moment they stopped being an anti virus program and insisted on becoming an "Internet protection suite". Their firewall was horribly bad, it had a major problem when it had to cope with many parallel connections (passive FTP anyone?) and would often put the whole OS to a grinding halt because it simply couldn't keep up.
If they're that bad with a simple firewall, then what would their other be like? That's what I wondered about anyway, and got rid of the whole thing. Never looked back.
Yes, the original version. Yes, The normal one downloaded from the Piriform Website. We're talking the regular way this gets installed was infected. Avast are the owners now, that's the confusion here.
If you downloaded and installed CCleaner 5.33 from the Piriform Website/FileHippo, you're infected.
Not the Android version then?? Someone want to tell the biased / incompetent clowns at the BBC ???
http://www.bbc.co.uk/news/technology-41306387
"Quick throw together a story about ccleaner, who cares what's actually affected, give it some Android spin".. anyone still think the press doesn't have an agenda????
...attackers hacked into a legitimate, trusted application and turned it malicious...
CCleaner works great for years, but it gets acquired by Avast and almost IMMEDIATELY it has malware?
How is this not an inside job from someone at Avast?
I haven't seen this level of unethical behavior since Avira included adware in its paid-for antivirus.
“CCleaner works great for years, but it gets acquired by Avast and almost IMMEDIATELY it has malware?”
This kind of business deal takes weeks to months to complete, so more likely a coincidence.
“How is this not an inside job from someone at Avast?”
If anyone inside did it, likely it was someone from Piriform that didn’t like the takeover.
“I haven't seen this level of unethical behavior since Avira included adware in its paid-for antivirus.”
Ethics has nothing to do with this unless you think Avast did this on purpose.
Damn, there goes another of the very few half-decent apps for Windows.
Like the "food" manufacturing industry, eventually your choice of software vendors will be reduced to about half a dozen, and then one. In fact, the way things are going, eventually there will just be one company that owns everything, with one CEO who is, for all intents and purposes, the new emperor of planet Earth.
I read a fantasy novel once that described a world in which monopolisation is considered to be a bad thing, and a mythical beast called a "regulator" is supposed to stop it happening. It must be out of print now, because nobody seems to be reading it.
"Damn, there goes another of the very few half-decent apps for Windows."
I stopped using CCleaner when I discovered Windows Cleanup! by Steven Gould. The only annoying thing is the sound, which is easy to disable. I have run CCleaner, then Windows Cleanup!, with the latter discovering another Gig of crap that CC didn't find.
If you use the 64 bit - no problemo - also simply updating to the next version deletes the malware, but not one of the registry entries. It would probably be easier for folks not familiar with the registry to use Revo uninstaller to remove this version of CCleaner, so the offending left over reg entries can be deleted. The new version of CCleaner reportedly does not see this unnecessary entry, so no luck doing it that way. I'd post the reg edit, but you can find it on search easy enough.
Android and iOS have app isolation. That means an app scanner app could not possibly work because it can't access the other apps, nor the system. At most it can scan downloads.
If you're habituated to Windows so badly that it's inconceivable to operate a non-Windows mobile device without third party protection from the Windows design flaws it doesn't have, the Android app you didn't need can use whatever permissions you gave it to not fulfil its advertised purpose. It would follow then that you gave it all of them.
I might put CCleaner on new builds and upgrades for a single tool-- the one for editing Windows start up -- which is much easier and safer than coaching somebody over the phone with regedit. Other than that, CCleaner doesn't keep Windows any cleaner than late model Windows and browsers do.
Most Windows users who rely on apps like CCleaner are indeed non-techies who have little knowledge of NTFS and how awesome it can be (when left to its own devices). But there's nothing dubious about hobbyists using a power tool or two. It's too bad, though, about their ignorant down-votes here at El Reg if the software is deemed less useful than it was for Windows 95. Aggressive down- or up-voting too often has the odor of representatives on a mission.
[...] snake oil. Fodder for pseudo-experts and fiddlers.
Yes, sad to see you got 17 downvotes ... there is even a senior lead Slurp developer who supports your view, yet, a bunch of n00bs downvoted you on here ... dunno where this site is going, but I am appalled by the lack of expertise of some of the comment@rds on here, to say the least ... must be those fine Window Cleaner and Surface Experts, again ...
To AC - "I haven't used (or needed) CCleaner since I got an ounce of sense and realised that nobody actually needs a registry cleaner"
I rarely need the registry cleaner - if you operated as a restricted user just like you should on every other operating system, all you usually need to do to get rid of malware is run CCleaner at least before log off, shut down, or restart on Windows. I like it because it is easier than constantly running manual scans with my AV and AM solutions. I've tested this, and unless the malware is capable of silent install into the app data folder, other than "temp", CCleaner will take care of it. I've never run into a malware that can do anything without permission from the restricted user so far. Just don't get click happy with every pop up you see, and things will be JUST FINE!! I run a honey pot lab BTW, so I've seen just about every scenario you can imagine!
I always thought CCleaner was malware, oh well, near miss, not!
They don't really explain what happened ... were they breached? Someone surfing pron on the build server? A careless mixup with something they were analysing (presumably not on an airgapped machine).
Normally it wouldn't really matter, but with a firm that should be security focussed vague assurances don't really cut it.
is in removing stuff from the temp files in the app data folder and LSOs. That last acronym is what Zombie files are called ( or persistent cookies), it is one of the few free ways of getting rid of those nasty files, because not just any file cleaner can do that.
I like to run it to delete any malware attack files sleeping in the folders waiting for the user to make a mistake. I've tested for that many times, and I discovered as long as the malware isn't going outside the "temp" folders, you can rid yourself of it post haste that way. Much easier than scanning with your favorite resident AV/AM solution.
AND despite what people say about registry editors, I've found that when unruly installer/uninstallers corrupt an uninstall routine, or say an application had an unsuccessful update patch, the registry cleaner undeniably helps fix the problem!! I may not use the registry cleaner for years, unless a problem comes up - because I generally use Revo to cleanup after bad uninstall routines. Coders are not wont to remove all their junk from your files when you are ready to get rid of an app you don't like or just don't need anymore. I refuse to accept that a registry cleaner is NOT necessary - because without them I had headaches galore! I've also found that CCleaner's reg cleaner helps after a nasty battle with malware. The AM solutions do not always clean up the detritus very well it seems.
It's not an argument for or against it. If the build gets compromised, you're shafted.
Okay, manual updating will have reduced the number of people who installed the infected copy, and allowed the ultra-paranoid to avoid it. But it leaves a bunch of non-tech users completely unaware they have contaminated software. And those copies will remain infected until they're upgraded. At least those on automatic update now have a clean copy. And if they didn't run the infected copy, they're safe.
The truth of the matter is that it's simply not possible for hundreds of millions (or even billions) of fairly clueless consumers and office workers to run a big, complicated, general-purpose operating system with all the trimmings AND have security take care of itself automatically.
Economically, "one size fits all" has been a miracle worker, drastically reducing the cost of computers and software. But the fundamental axiom of security is that it militates *strongly* against everything else you could possibly want.
Unless you have the resources and time to do analysis in a sandbox of every update that comes your way, automatic updating is still less risky than continuing to run software with known vulnerabilities. And, even if you do sandbox analysis, then there's still a chance that vulnerabilities in your existing version will be exploited before you complete the analysis to inform you that the update was indeed safe.
But, there's a logical problem - like looking for WMDs in Iraq, one cannot *prove* the absence of malicious behaviour: one more hour, day, or week of analysis might always turn up something unpleasant.
Piriform CCleaner had great target characteristics for a supply chain attack: free to download, popular and extensively referenced (see how many tech sites recommend CCleaner on their 'top utilities' list), higher download volume, extensive current usage, requires privileged access to do its job, smaller company background (so limited internal security). A lot of effort went into that, so wondering who's next on the list?
Whether the Avast acquisition had any impact (other than to include Avast in the embarrassment) isn't clear yet. Piriform have been pretty open so far about what happened and when but knowing how the delivery systems were compromised is more interesting, especially if Avast proves to be a recently introduced weak link.