Downloaded CCleaner lately? Oo, awks... it was stuffed with malware

Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users. Cisco Talos discovered that servers distributing the program were leveraged to deliver malware to unsuspecting victims. "For a period of time …

  1. Zippy's Sausage Factory
    Facepalm

    So not the original version, but the version distributed by Avast Antivirus?

    By. Avast. Antivirus.

    /me uninstalls Avast...

    1. This post has been deleted by its author

    2. Mark Manderson
      Alert

      Avast's CC Cleaner

      Avast became the owners of CC Cleaner when they bought over AVG, mate.

      1. Zippy's Sausage Factory

        Re: Avast's CC Cleaner

        Avast became the owners of CC Cleaner when they bought over AVG, mate.

        Interesting. Their website makes no mention of that fact. Perhaps they'd rather people didn't know that...

    3. Anonymous Coward

      No, this is the normal version of CCleaner that is affected, not some specialist Avast version shipped with Avast; Avast now own Piriform. This is the normal standalone installer that everyone uses.

      The article is confusing because Piriform is now owned by Avast, but the installer that is infected was downloaded in the normal way when you check for upgrade via FileHippo/Piriform.

      I had version 5.32 installed, and noticed the download installer had increased in size to 9.4MB for version 5.33, up from 6.8MB for 5.32. (Oddly 5.34 is still 9.4MB, but downloading the update in the software downloads 6.4MB). On seeing the size increase, I assumed they were shipping some form of Google Chrome add-on/other software included. The installer will install Google Chrome if it's not already installed on the machine. At the time I searched and also found another version on the Piriform website - CCleaner 'slim' which was still 6.8MB in size. This now seems to have disappeared.

      I saw the size increase and backed off from updating. It's always worth a bit of due diligence, and worth thinking about why an installer has increased in size by a third.

      I'm currently seeing/investigating an issue with an account that keeps getting created in the "Credential Manager" on Windows 10. I'm starting to wonder if this is related to CCleaner on a machine that did get it. Search "cred" in the control panel and check what accounts are in there.

      1. MrT

        File size...

        ... CCleaner is just returning to a file size nearer to what it used to have - 5.27, for example, is 8.83MB (I've a copy here) which is only 552KB smaller than the latest one.

        Interesting point about the Credential Manager listings - although a lot of the system credentials (OneDrive, Office16, Windows Live and the associated 'virtualapp/didlogical' one, etc.) don't help here, with their random username field - they do look suspicious, especially that virtualapp one. This PC is a 32-bit Win7 system, with CCleaner installed (although it logs in as a limited user instead of admin), and there are no odd users created recently - the OneDrive ones and the virtualapp one refresh each login.

      2. Nifty Silver badge

        The Credential Manager issue is a known one and apparently something to do with the W10 Anniversary Edition and/or Cortana. Once a login to MS is made from the W10 user, there's an ever re-appearing account.

      3. Anonymous Coward

        I don't think your suspicion over the size increase of the installer helped you - just pure luck.

        Why do I say this? Because the portable zip of 5.33 was only 15kB bigger than 5.32. Furthermore, the trojaned 32 bit ccleaner.exe in 5.33 is only 22kB bigger than the clean version in 5.32. Both size increases are not especially unusual over recent versions.

        1. DropBear
          WTF?

          In an age where single pieces of software often come in packages of many gigabytes in size, any size change under fifty megs or so is simply random fluctuation, noise, not signal - regardless of how small the original package may have been.

          Any new feature, any change in a support lib or localization or skin set or help files or frameworks or build policies or installer options can fully be expected to change the package size by dozens of megabytes randomly, up or down but mostly just up, and there's just no way to tell whether it's a legit change or not unless you're willing to wait and see whether it blows up for any upgrade.

          The time of ruminating pensively over kilobytes or megabytes of size differences was over the same time floppy disks died, especially knowing that ultimately it only takes a few hundreds of bytes to pwn your ass comprehensively. The only thing size is relevant for these days is to gleefully inform you not even your shiny new SSD RAID array has enough space for what you want to install...

    4. Anonymous Coward

      Avast is bloated itself...

      In my opinion Avast went downhill the very moment they stopped being an antivirus program and insisted on becoming an "Internet protection suite". Their firewall was horribly bad; it had a major problem when it had to cope with many parallel connections (passive FTP, anyone?) and would often bring the whole OS to a grinding halt because it simply couldn't keep up.

      If they're that bad with a simple firewall, then what would their other be like? That's what I wondered about anyway, and got rid of the whole thing. Never looked back.

    5. Anonymous Coward

      Yes, the original version. Yes, the normal one downloaded from the Piriform Website.

      Yes, the original version. Yes, the normal one downloaded from the Piriform Website. We're talking the regular way this gets installed was infected. Avast are the owners now; that's the confusion here.

      If you downloaded and installed CCleaner 5.33 from the Piriform Website/FileHippo, you're infected.

      1. Anonymous Coward

        Re: Yes, the original version. Yes, the normal one downloaded from the Piriform Website.

        Not the Android version then?? Someone want to tell the biased / incompetent clowns at the BBC ???

        http://www.bbc.co.uk/news/technology-41306387

        "Quick throw together a story about ccleaner, who cares what's actually affected, give it some Android spin".. anyone still think the press doesn't have an agenda????

      2. Stuart Halliday

        Re: Yes, the original version. Yes, the normal one downloaded from the Piriform Website.

        Hmmm.... This probably explains why my Malwarebytes program keeps popping up that its real-time protection is turned off...again. A threat scan by it or Defender doesn't reveal anything though.

    6. BillG
      Facepalm

      Unethical Behavior

      ...attackers hacked into a legitimate, trusted application and turned it malicious...

      CCleaner works great for years, but it gets acquired by Avast and almost IMMEDIATELY it has malware?

      How is this not an inside job from someone at Avast?

      I haven't seen this level of unethical behavior since Avira included adware in its paid-for antivirus.

      1. td97402

        Re: Unethical Behavior

        “CCleaner works great for years, but it gets acquired by Avast and almost IMMEDIATELY it has malware?”

        This kind of business deal takes weeks to months to complete, so more likely a coincidence.

        “How is this not an inside job from someone at Avast?”

        If anyone inside did it, likely it was someone from Piriform that didn’t like the takeover.

        “I haven't seen this level of unethical behavior since Avira included adware in its paid-for antivirus.”

        Ethics has nothing to do with this unless you think Avast did this on purpose.

      2. Zippy's Sausage Factory

        Re: Unethical Behavior

        Apparently it happened the week before Avast bought them, so they say.

    7. Oh Homer
      Terminator

      "CCleaner, was recently acquired by Avast"

      Damn, there goes another of the very few half-decent apps for Windows.

      Like the "food" manufacturing industry, eventually your choice of software vendors will be reduced to about half a dozen, and then one. In fact, the way things are going, eventually there will just be one company that owns everything, with one CEO who is, for all intents and purposes, the new emperor of planet Earth.

      I read a fantasy novel once that described a world in which monopolisation is considered to be a bad thing, and a mythical beast called a "regulator" is supposed to stop it happening. It must be out of print now, because nobody seems to be reading it.

      1. Domquark

        Re: "CCleaner, was recently acquired by Avast"

        "Damn, there goes another of the very few half-decent apps for Windows."

        I stopped using CCleaner when I discovered Windows Cleanup! by Steven Gould. The only annoying thing is the sound, which is easy to disable. I have run CCleaner, then Windows Cleanup!, with the latter discovering another Gig of crap that CC didn't find.

    8. JCitizen
      Megaphone

      Only the 32 bit version is affected..

      If you use the 64 bit - no problemo - also simply updating to the next version deletes the malware, but not one of the registry entries. It would probably be easier for folks not familiar with the registry to use Revo uninstaller to remove this version of CCleaner, so the offending left over reg entries can be deleted. The new version of CCleaner reportedly does not see this unnecessary entry, so no luck doing it that way. I'd post the reg edit, but you can find it on search easy enough.

      1. Anonymous Coward

        Re: Only the 32 bit version is affected..

        It's a combined installer though, including both 32-bit and 64-bit versions. Seems unusual to target 'just' the 32-bit portion of the code.

  2. Anonymous Coward

    Whew!

    Talk about a close call. I came close to downloading CCleaner recently but wasn't actually interested in its functions and found what I needed elsewhere.

  3. JimmyPage Silver badge
    Linux

    Meanwhile ...

    haven't used (or needed) CCleaner since dumping Windows ....

    1. Sorry, you cannot reuse an old handle.

      Re: Meanwhile ...

      CCleaner also runs on Android. Does anyone know if that platform is also affected? (not sure about macOS or iOS...)

      1. Anonymous Coward

        Re: Meanwhile ...

        Yes, it does run on OS X; however, it does not delete user-defined files.

      2. Anonymous Coward

        Re: Meanwhile ...

        Nope, only Windows. Not that it matters, that's just unimportant details, plebs won't care, most of them can barely read...

        http://www.bbc.co.uk/news/technology-41306387

        https://ibb.co/it4K8k

      3. Mikel

        Re: Meanwhile ...

        Android and iOS have app isolation. That means an app scanner app could not possibly work because it can't access the other apps, nor the system. At most it can scan downloads.

        If you're habituated to Windows so badly that it's inconceivable to operate a non-Windows mobile device without third party protection from the Windows design flaws it doesn't have, the Android app you didn't need can use whatever permissions you gave it to not fulfil its advertised purpose. It would follow then that you gave it all of them.

    2. Anonymous Coward

      Re: Meanwhile ...

      I haven't used (or needed) CCleaner since I got an ounce of sense and realised that nobody actually needs a registry cleaner, and they are little more than snake oil. Fodder for pseudo-experts and fiddlers.

      1. Anonymous Coward

        Re: Meanwhile ...

        To be fair, it does offer more than just registry cleaning. It was useful on OS X too, as a simple and free way to clean up dead entrails of uninstalled apps, cookies and wotnot in one go.

        1. Anonymous Coward

          Re: Meanwhile ...

          http://freemacsoft.net/appcleaner/ will remove app entrails, but not cookies.

          Enable access to the user's library and you can delete those pesky database/local storage files that Safari does not delete.

        2. richardalm

          Re: Meanwhile ...

          I might put CCleaner on new builds and upgrades for a single tool-- the one for editing Windows start up -- which is much easier and safer than coaching somebody over the phone with regedit. Other than that, CCleaner doesn't keep Windows any cleaner than late model Windows and browsers do.

          Most Windows users who rely on apps like CCleaner are indeed non-techies who have little knowledge of NTFS and how awesome it can be (when left to its own devices). But there's nothing dubious about hobbyists using a power tool or two. It's too bad, though, about their ignorant down-votes here at El Reg if the software is deemed less useful than it was for Windows 95. Aggressive down- or up-voting too often has the odor of representatives on a mission.

      2. Hans 1
        Windows

        Re: Meanwhile ...

        [...] snake oil. Fodder for pseudo-experts and fiddlers.

        Yes, sad to see you got 17 downvotes ... there is even a senior lead Slurp developer who supports your view, yet, a bunch of n00bs downvoted you on here ... dunno where this site is going, but I am appalled by the lack of expertise of some of the comment@rds on here, to say the least ... must be those fine Window Cleaner and Surface Experts, again ...

      3. JCitizen

        Re: Meanwhile ...

        To AC - "I haven't used (or needed) CCleaner since I got an ounce of sense and realised that nobody actually needs a registry cleaner"

        I rarely need the registry cleaner - if you operated as a restricted user just like you should on every other operating system, all you usually need to do to get rid of malware is run CCleaner at least before log off, shut down, or restart on Windows. I like it because it is easier than constantly running manual scans with my AV and AM solutions. I've tested this, and unless the malware is capable of silent install into the app data folder, other than "temp", CCleaner will take care of it. I've never run into a malware that can do anything without permission from the restricted user so far. Just don't get click happy with every pop up you see, and things will be JUST FINE!! I run a honey pot lab BTW, so I've seen just about every scenario you can imagine!

  4. Paul Woodhouse
    Facepalm

    think there's only one thing that can be said here....

    FAIL

  5. 0laf
    Pirate

    I don't think I downloaded it in the affected window but...when you assume...

  6. BeakUpBottom

    Who knew?

    I always thought CCleaner was malware, oh well, near miss, not!

    They don't really explain what happened ... were they breached? Someone surfing pron on the build server? A careless mixup with something they were analysing (presumably not on an airgapped machine).

    Normally it wouldn't really matter, but with a firm that should be security focussed vague assurances don't really cut it.

  7. mark l 2 Silver badge

    I always thought most people were using CCleaner to remove evidence of the pron surfing from their PC, so now that pretty much all internet browsers have a private browsing mode I thought their install numbers would have dropped?

    1. Anonymous Coward

      Not Pron. I use it for cashback sites like TCB/Quidco.

      Not Pron, I use it to clear cookies thoroughly for cashback sites like TCB/Quidco. I get 100% tracking using that method, especially with companies like Aviva, that are normally the first to reject, due to cross-site cookies.

    2. Terry 6 Silver badge

      I have been using it to delete as much as possible of the stuff that Microsoft dumped on to the computer in Win 10 and to disable automatic start-ups. The tools had both these functions and made the job easy. But that's not a good enough reason for me to keep them now. Nor will I keep Avast.

    3. JCitizen
      Megaphone

      Where CCleaner really shines..

      is in removing stuff from the temp files in the app data folder and LSOs. That last acronym is what Zombie files are called (or persistent cookies); it is one of the few free ways of getting rid of those nasty files, because not just any file cleaner can do that.

      I like to run it to delete any malware attack files sleeping in the folders waiting for the user to make a mistake. I've tested for that many times, and I discovered that as long as the malware isn't going outside the "temp" folders, you can rid yourself of it post haste that way. Much easier than scanning with your favorite resident AV/AM solution.

      AND despite what people say about registry editors, I've found that when unruly installers/uninstallers corrupt an uninstall routine, or say an application had an unsuccessful update patch, the registry cleaner undeniably helps fix the problem!! I may not use the registry cleaner for years, unless a problem comes up - because I generally use Revo to clean up after bad uninstall routines. Coders are not wont to remove all their junk from your files when you are ready to get rid of an app you don't like or just don't need anymore. I refuse to accept that a registry cleaner is NOT necessary - because without them I had headaches galore! I've also found that CCleaner's reg cleaner helps after a nasty battle with malware. The AM solutions do not always clean up the detritus very well, it seems.

  8. chivo243 Silver badge

    This sounds familiar

    Didn't this happen to Microsoft? Dodgy WU site?

  9. Florida1920
    Big Brother

    Gosh, and it doesn't come from Russia

    Wonder how many Homeland Security types are running Avast at home?

  10. This post has been deleted by its author

  11. luminous

    Now will anyone listen to people who say that automatic updating of software is NOT a good idea.

    1. Archaon

      @luminous: Not the best time to tell Equifax that.

    2. Brewster's Angle Grinder Silver badge

      It's not an argument for or against it. If the build gets compromised, you're shafted.

      Okay, manual updating will have reduced the number of people who installed the infected copy, and allowed the ultra-paranoid to avoid it. But it leaves a bunch of non-tech users completely unaware they have contaminated software. And those copies will remain infected until they're upgraded. At least those on automatic update now have a clean copy. And if they didn't run the infected copy, they're safe.

      1. Anonymous Coward

        Too much to hope for

        The truth of the matter is that it's simply not possible for hundreds of millions (or even billions) of fairly clueless consumers and office workers to run a big, complicated, general-purpose operating system with all the trimmings AND have security take care of itself automatically.

        Economically, "one size fits all" has been a miracle worker, drastically reducing the cost of computers and software. But the fundamental axiom of security is that it militates *strongly* against everything else you could possibly want.

    3. cowbutt
      WTF?

      Unless you have the resources and time to do analysis in a sandbox of every update that comes your way, automatic updating is still less risky than continuing to run software with known vulnerabilities. And, even if you do sandbox analysis, then there's still a chance that vulnerabilities in your existing version will be exploited before you complete the analysis to inform you that the update was indeed safe.

      But, there's a logical problem - like looking for WMDs in Iraq, one cannot *prove* the absence of malicious behaviour: one more hour, day, or week of analysis might always turn up something unpleasant.

  12. Rob D.
    Unhappy

    Target in sight

    Piriform CCleaner had great target characteristics for a supply chain attack: free to download, popular and extensively referenced (see how many tech sites recommend CCleaner on their 'top utilities' list), higher download volume, extensive current usage, requires privileged access to do its job, smaller company background (so limited internal security). A lot of effort went into that, so wondering who's next on the list?

    Whether the Avast acquisition had any impact (other than to include Avast in the embarrassment) isn't clear yet. Piriform have been pretty open so far about what happened and when but knowing how the delivery systems were compromised is more interesting, especially if Avast proves to be a recently introduced weak link.

    1. Loud Speaker

      Re: Target in sight

      (see how many tech sites recommend CCleaner on their highest paying affiliates list)

  13. Jon Smit

    Not the only 'security' product that's borked recently

    In recent months I've had my system buggered by updates from Bitdefender AVP and Comodo firewall. Have they been employing ex-Symantec staff?
