Downloaded CCleaner lately? Oo, awks... it was stuffed with malware

Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users. Cisco Talos discovered that servers distributing the program were leveraged to deliver malware to unsuspecting victims. "For a period of time …

  1. Zippy's Sausage Factory
    Facepalm

    So not the original version, but the version distributed by Avast Antivirus?

    By. Avast. Antivirus.

    /me uninstalls Avast...

    1. This post has been deleted by its author

    2. Mark Manderson
      Alert

      Avasts CC Cleaner

      Avast became the owners of CC Cleaner when they bought over AVG, mate.

      1. Zippy's Sausage Factory

        Re: Avasts CC Cleaner

        Avast became the owners of CC Cleaner when they bought over AVG, mate.

        Interesting. Their website makes no mention of that fact. Perhaps they'd rather people didn't know that...

    3. Anonymous Coward
      Anonymous Coward

      No, this is the normal version of CCleaner that is affected, not some specialist Avast version shipped with Avast; Avast now own Piriform. This is the normal standalone installer that everyone uses.

      The article is confusing because Piriform is now owned by Avast, but the installer that is infected was downloaded in the normal way when you check for an upgrade via FileHippo/Piriform.

      I had version 5.32 installed, and noticed the download installer had increased in size to 9.4MB for version 5.33, up from 6.8MB for 5.32. (Oddly 5.34 is still 9.4MB, but downloading the update in the software downloads 6.4MB). On seeing the size increase, I assumed they were shipping some form of Google Chrome add-on/other software included. The installer will install Google Chrome if it's not already installed on the machine. At the time I searched and also found another version on the Piriform website - CCleaner 'slim' which was still 6.8MB in size. This now seems to have disappeared.

      I saw the size increase and backed off from updating. It's always worth a bit of due diligence: think, why has an installer increased in size by a third?

      I'm currently seeing/investigating an issue with an account that keeps getting created in the "Credentials Manager" on Windows 10, I'm starting to wonder if this is related to CCleaner on a machine that did get it. Search "cred" in the control panel and check what accounts are in there.

      1. MrT

        File size...

        ... CCleaner is just returning to a file size nearer to what it used to have - 5.27, for example, is 8.83MB (I've a copy here) which is only 552KB smaller than the latest one.

        Interesting point about the Credential Manager listings - although a lot of the system credentials (OneDrive, Office16, Windows Live and the associated 'virtualapp/didlogical' one, etc.) don't help here, with their random username field - they do look suspicious, especially that virtualapp one. This PC is a 32-bit Win7 system, with CCleaner installed (although it logs in as a limited user instead of admin), and there are no odd users created recently - the OneDrive ones and the virtualapp one refresh each login.

      2. Nifty Silver badge

        The Credentials Manager issue is a known one and apparently something to do with the W10 Anniversary Edition and/or Cortana. Once a login to MS is made from the W10 user, there's an ever re-appearing account.

      3. Anonymous Coward
        Anonymous Coward

        I don't think your suspicion over the size increase of the installer helped you - just pure luck.

        Why do I say this? Because the portable zip of 5.33 was only 15kB bigger than 5.32. Furthermore, the trojaned 32 bit ccleaner.exe in 5.33 is only 22kB bigger than the clean version in 5.32. Both size increases are not especially unusual over recent versions.

        1. DropBear
          WTF?

          In an age where single pieces of software often come in packages of many gigabytes in size, any size change under fifty megs or so is simply random fluctuation, noise, not signal - regardless of how small the original package may have been.

          Any new feature, any change in a support lib or localization or skin set or help files or frameworks or build policies or installer options can fully be expected to change the package size by dozens of megabytes randomly, up or down but mostly just up, and there's just no way to tell whether it's a legit change or not unless you're willing to wait and see whether it blows up for any upgrade.

          The time of ruminating pensively over kilobytes or megabytes of size differences was over the same time floppy disks died, especially knowing that ultimately it only takes a few hundreds of bytes to pwn your ass comprehensively. The only thing size is relevant for these days is to gleefully inform you not even your shiny new SSD RAID array has enough space for what you want to install...

    4. Anonymous Coward
      Anonymous Coward

      Avast is bloated itself...

      In my opinion Avast went downhill the very moment they stopped being an anti virus program and insisted on becoming an "Internet protection suite". Their firewall was horribly bad, it had a major problem when it had to cope with many parallel connections (passive FTP anyone?) and would often put the whole OS to a grinding halt because it simply couldn't keep up.

      If they're that bad with a simple firewall, then what would their other be like? That's what I wondered about anyway, and got rid of the whole thing. Never looked back.

    5. Anonymous Coward
      Anonymous Coward

      Yes, the original version. Yes, the normal one downloaded from the Piriform Website.

      Yes, the original version. Yes, the normal one downloaded from the Piriform Website. We're talking the regular way this gets installed was infected. Avast are the owners now, that's the confusion here.

      If you downloaded and installed CCleaner 5.33 from the Piriform Website/FileHippo, you're infected.

      1. Anonymous Coward
        Anonymous Coward

        Re: Yes, the original version. Yes, the normal one downloaded from the Piriform Website.

        Not the Android version then?? Someone want to tell the biased / incompetent clowns at the BBC ???

        http://www.bbc.co.uk/news/technology-41306387

        "Quick throw together a story about ccleaner, who cares what's actually affected, give it some Android spin".. anyone still think the press doesn't have an agenda????

      2. Stuart Halliday

        Re: Yes, the original version. Yes, the normal one downloaded from the Piriform Website.

        Hmmm.... This probably explains why my Malwarebytes program keeps popping up that its real-time protection is turned off...again. A threat scan by it or Defender doesn't reveal anything though.

    6. BillG
      Facepalm

      Unethical Behavior

      ...attackers hacked into a legitimate, trusted application and turned it malicious...

      CCleaner works great for years, but it gets acquired by Avast and almost IMMEDIATELY it has malware?

      How is this not an inside job from someone at Avast?

      I haven't seen this level of unethical behavior since Avira included adware in its paid-for antivirus.

      1. td97402

        Re: Unethical Behavior

        “CCleaner works great for years, but it gets acquired by Avast and almost IMMEDIATELY it has malware?”

        This kind of business deal takes weeks to months to complete, so more likely a coincidence.

        “How is this not an inside job from someone at Avast?”

        If anyone inside did it, likely it was someone from Piriform that didn’t like the takeover.

        “I haven't seen this level of unethical behavior since Avira included adware in its paid-for antivirus.”

        Ethics has nothing to do with this unless you think Avast did this on purpose.

      2. Zippy's Sausage Factory

        Re: Unethical Behavior

        Apparently it happened the week before Avast bought them, so they say.

    7. Oh Homer
      Terminator

      "CCleaner, was recently acquired by Avast"

      Damn, there goes another of the very few half-decent apps for Windows.

      Like the "food" manufacturing industry, eventually your choice of software vendors will be reduced to about half a dozen, and then one. In fact, the way things are going, eventually there will just be one company that owns everything, with one CEO who is, for all intents and purposes, the new emperor of planet Earth.

      I read a fantasy novel once that described a world in which monopolisation is considered to be a bad thing, and a mythical beast called a "regulator" is supposed to stop it happening. It must be out of print now, because nobody seems to be reading it.

      1. Domquark

        Re: "CCleaner, was recently acquired by Avast"

        "Damn, there goes another of the very few half-decent apps for Windows."

        I stopped using CCleaner when I discovered Windows Cleanup! by Steven Gould. The only annoying thing is the sound, which is easy to disable. I have run CCleaner, then Windows Cleanup!, with the latter discovering another Gig of crap that CC didn't find.

    8. JCitizen
      Megaphone

      Only the 32 bit version is affected..

      If you use the 64 bit - no problemo - also simply updating to the next version deletes the malware, but not one of the registry entries. It would probably be easier for folks not familiar with the registry to use Revo uninstaller to remove this version of CCleaner, so the offending left over reg entries can be deleted. The new version of CCleaner reportedly does not see this unnecessary entry, so no luck doing it that way. I'd post the reg edit, but you can find it on search easy enough.

      1. Anonymous Coward
        Anonymous Coward

        Re: Only the 32 bit version is affected..

        It's a combined installer though, including both 32Bit and 64Bit Versions. Seems unusual to target 'just' the 32Bit portion of the code.

  2. Anonymous Coward
    Anonymous Coward

    Whew!

    Talk about a close call. I came close to downloading CCleaner recently but wasn't actually interested in its functions and found what I needed elsewhere.

  3. JimmyPage Silver badge
    Linux

    Meanwhile ...

    haven't used (or needed) CCleaner since dumping Windows ....

    1. Sorry, you cannot reuse an old handle.

      Re: Meanwhile ...

      CCleaner also runs on Android. Does anyone know if that platform is also affected? (not sure about macOS or iOS...)

      1. Anonymous Coward
        Anonymous Coward

        Re: Meanwhile ...

        Yes it does run on OS X, however it does not delete user defined files.

      2. Anonymous Coward
        Anonymous Coward

        Re: Meanwhile ...

        Nope, only Windows. Not that it matters, that's just unimportant details; plebs won't care, most of them can barely read...

        http://www.bbc.co.uk/news/technology-41306387

        https://ibb.co/it4K8k

      3. Mikel

        Re: Meanwhile ...

        Android and iOS have app isolation. That means an app scanner app could not possibly work because it can't access the other apps, nor the system. At most it can scan downloads.

        If you're habituated to Windows so badly that it's inconceivable to operate a non-Windows mobile device without third party protection from the Windows design flaws it doesn't have, the Android app you didn't need can use whatever permissions you gave it to not fulfil its advertised purpose. It would follow then that you gave it all of them.

    2. Anonymous Coward
      Anonymous Coward

      Re: Meanwhile ...

      I haven't used (or needed) CCleaner since I got an ounce of sense and realised that nobody actually needs a registry cleaner, and they are little more than snake oil. Fodder for pseudo-experts and fiddlers.

      1. Anonymous Coward
        Anonymous Coward

        Re: Meanwhile ...

        To be fair, it does offer more than just registry cleaning. It was useful on OS X too, as a simple and free way to clean up dead entrails of uninstalled apps, cookies and wotnot in one go.

        1. Anonymous Coward
          Anonymous Coward

          Re: Meanwhile ...

          http://freemacsoft.net/appcleaner/ will remove app entrails, but not cookies.

          Enable access to the user's library and you can delete those pesky database/local storage files that Safari does not delete.

        2. richardalm

          Re: Meanwhile ...

          I might put CCleaner on new builds and upgrades for a single tool-- the one for editing Windows start up -- which is much easier and safer than coaching somebody over the phone with regedit. Other than that, CCleaner doesn't keep Windows any cleaner than late model Windows and browsers do.

          Most Windows users who rely on apps like CCleaner are indeed non-techies who have little knowledge of NTFS and how awesome it can be (when left to its own devices). But there's nothing dubious about hobbyists using a power tool or two. It's too bad, though, about their ignorant down-votes here at El Reg if the software is deemed less useful than it was for Windows 95. Aggressive down- or up-voting too often has the odor of representatives on a mission.

      2. Hans 1
        Windows

        Re: Meanwhile ...

        [...] snake oil. Fodder for pseudo-experts and fiddlers.

        Yes, sad to see you got 17 downvotes ... there is even a senior lead Slurp developer who supports your view, yet, a bunch of n00bs downvoted you on here ... dunno where this site is going, but I am appalled by the lack of expertise of some of the comment@rds on here, to say the least ... must be those fine Window Cleaner and Surface Experts, again ...

      3. JCitizen

        Re: Meanwhile ...

        To AC - "I haven't used (or needed) CCleaner since I got an ounce of sense and realised that nobody actually needs a registry cleaner"

        I rarely need the registry cleaner - if you operated as a restricted user just like you should on every other operating system, all you usually need to do to get rid of malware is run CCleaner at least before log off, shut down, or restart on Windows. I like it because it is easier than constantly running manual scans with my AV and AM solutions. I've tested this, and unless the malware is capable of silent install into the app data folder, other than "temp", CCleaner will take care of it. I've never run into a malware that can do anything without permission from the restricted user so far. Just don't get click happy with every pop up you see, and things will be JUST FINE!! I run a honey pot lab BTW, so I've seen just about every scenario you can imagine!

  4. Paul Woodhouse
    Facepalm

    think there's only one thing that can be said here....

    FAIL

  5. 0laf
    Pirate

    I don't think I downloaded it in the affected window but...when you assume...

  6. BeakUpBottom

    Who knew?

    I always thought CCleaner was malware, oh well, near miss, not!

    They don't really explain what happened ... were they breached? Someone surfing pron on the build server? A careless mixup with something they were analysing (presumably not on an airgapped machine).

    Normally it wouldn't really matter, but with a firm that should be security focussed vague assurances don't really cut it.

  7. mark l 2 Silver badge

    I always thought most people were using CCleaner to remove evidence of the pron surfing from their PC, so now that pretty much all internet browsers have a private browsing mode I thought their install numbers would have dropped?

    1. Anonymous Coward
      Anonymous Coward

      Not Pron. I use it for cashback sites like TCB/Quidco.

      Not Pron, I use it to clear cookies thoroughly for cashback sites like TCB/Quidco. I get 100% tracking using that method, especially with companies like Aviva, that are normally the first to reject, due to cross-site cookies.

    2. Terry 6 Silver badge

      I have been using it to delete as much as possible of the stuff that Microsoft dumped on to the computer in Win 10 and disable automatic start-ups. The tools had both these functions and made the job easy. But that's not a good enough reason for me to keep them now. Nor will I keep Avast.

    3. JCitizen
      Megaphone

      Where CCleaner really shines..

      is in removing stuff from the temp files in the app data folder and LSOs. That last acronym is what Zombie files are called ( or persistent cookies), it is one of the few free ways of getting rid of those nasty files, because not just any file cleaner can do that.

      I like to run it to delete any malware attack files sleeping in the folders waiting for the user to make a mistake. I've tested for that many times, and I discovered as long as the malware isn't going outside the "temp" folders, you can rid yourself of it post haste that way. Much easier than scanning with your favorite resident AV/AM solution.

      AND despite what people say about registry editors, I've found that when unruly installer/uninstallers corrupt an uninstall routine, or say an application had an unsuccessful update patch, the registry cleaner undeniably helps fix the problem!! I may not use the registry cleaner for years, unless a problem comes up - because I generally use Revo to cleanup after bad uninstall routines. Coders are not wont to remove all their junk from your files when you are ready to get rid of an app you don't like or just don't need anymore. I refuse to accept that a registry cleaner is NOT necessary - because without them I had headaches galore! I've also found that CCleaner's reg cleaner helps after a nasty battle with malware. The AM solutions do not always clean up the detritus very well it seems.

  8. chivo243 Silver badge

    This sounds familiar

    Didn't this happen to Microsoft? Dodgy WU site?

  9. Florida1920
    Big Brother

    Gosh, and it doesn't come from Russia

    Wonder how many Homeland Security types are running Avast at home?

  10. This post has been deleted by its author

  11. luminous

    Now will anyone listen to people who say that automatic updating of software is NOT a good idea.

    1. Archaon

      @luminous: Not the best time to tell Equifax that.

    2. Brewster's Angle Grinder Silver badge

      It's not an argument for or against it. If the build gets compromised, you're shafted.

      Okay, manual updating will have reduced the number of people who installed the infected copy, and allowed the ultra-paranoid to avoid it. But it leaves a bunch of non-tech users completely unaware they have contaminated software. And those copies will remain infected until they're upgraded. At least those on automatic update now have a clean copy. And if they didn't run the infected copy, they're safe.

      1. Anonymous Coward
        Anonymous Coward

        Too much to hope for

        The truth of the matter is that it's simply not possible for hundreds of millions (or even billions) of fairly clueless consumers and office workers to run a big, complicated, general-purpose operating system with all the trimmings AND have security take care of itself automatically.

        Economically, "one size fits all" has been a miracle worker, drastically reducing the cost of computers and software. But the fundamental axiom of security is that it militates *strongly* against everything else you could possibly want.

    3. cowbutt
      WTF?

      Unless you have the resources and time to do analysis in a sandbox of every update that comes your way, automatic updating is still less risky than continuing to run software with known vulnerabilities. And, even if you do sandbox analysis, then there's still a chance that vulnerabilities in your existing version will be exploited before you complete the analysis to inform you that the update was indeed safe.

      But, there's a logical problem - like looking for WMDs in Iraq, one cannot *prove* the absence of malicious behaviour: one more hour, day, or week of analysis might always turn up something unpleasant.

  12. Rob D.
    Unhappy

    Target in sight

    Piriform CCleaner had great target characteristics for a supply chain attack: free to download, popular and extensively referenced (see how many tech sites recommend CCleaner on their 'top utilities' list), higher download volume, extensive current usage, requires privileged access to do its job, smaller company background (so limited internal security). A lot of effort went into that, so wondering who's next on the list?

    Whether the Avast acquisition had any impact (other than to include Avast in the embarrassment) isn't clear yet. Piriform have been pretty open so far about what happened and when but knowing how the delivery systems were compromised is more interesting, especially if Avast proves to be a recently introduced weak link.

    1. Loud Speaker

      Re: Target in sight

      (see how many tech sites recommend CCleaner on their highest paying affiliates list)

  13. Jon Smit

    Not the only 'security' product that's borked recently

    In recent months I've had my system buggered by updates from Bitdefender AVP and Comodo firewall. Have they been employing ex Symantec staff?

  14. TRT Silver badge

    Was there a reason...

    they specified 32 bit Windows in their response? Where exactly did the vulnerability lie? What systems might be affected?

    1. Anonymous Coward
      Anonymous Coward

      Re: Was there a reason...

      64bit Windows OS has driver signing and other user restrictions on the OS. So it may not affect 32bit Windows OS.

      1. JCitizen
        Alert

        Re: Was there a reason...

        Exactly the opposite - only the 32 bit version of the update was affected. CCleaner x64 was not compromised.

  15. Old one

    Any invasion checking

    So through all this article and comments I have not seen any mention of counter efforts that a user should do other than uninstall and download a new copy. Apparently only 32 bit versions were affected, but seeing they waited 6 days to announce being compromised, could they also be holding back on 64 bit versions having been affected?

    As it is Avast owned, I am surprised that they have not at least offered free scan for the malware that their product carried. Who better to know exactly what dirt needs to be cleaned up.

    1. MrT

      Re: Any invasion checking

      In a moment of clarity, I thought it might be a disgruntled employee who objected to the takeover by Avast, since it seems like an inside job. From the blog posting on Piriform, it reads as if the malware hasn't fully activated - yet - and seems to be defanged for now.

      On a side note, it's interesting to see how different malware suites squabble over everyone else being PUPs or suspicious - ZoneAlarm Extreme Security installs PC Tuneup, which Malwarebytes flags up as PUP, then anything by Iobit gets the warning from MWB, so much so that they have told users to expect and ignore the "we're doomed!" messages.

      Maybe one of them will hurry up and release a clean-up tool for this. Since it's gone from Cisco Talos telling us to nuke everything earlier on, to Piriform now telling us to calm down a bit because it's being tackled, maybe it'll all turn out okay without all the headless chicken impressions.

  16. Zog_but_not_the_first
    Facepalm

    So...

    To clarify, if you've downloaded CCleaner at all recently, you're infected.

    Any tips on how to get rid of it?

    1. Steve the Cynic

      Re: So...

      "Any tips on how to get rid of it?"

      Corporal Hicks: I say we take off, nuke the site from orbit.

      [looks to Ripley]

      Corporal Hicks: It's the only way to be sure.

      'Course the neighbours might not like that...

    2. Anonymous Coward
      Anonymous Coward

      Re: So...

      Use avast.....

    3. JCitizen
      Coffee/keyboard

      Re: So...

      Only two installers were affected - the 32 bit and cloud version, from what I understand - simply updating to the newest version will get rid of the malware, but you may have to use REGEDIT to manually delete this entry - and yes I'd delete it, because it sets a bad trigger for anything else that might go wrong in the future. Just delete Agomo - if you are not familiar with editing the registry, maybe you'd better get a geek friend to do it. And no - CCleaner will not find this superfluous entry. Oh, and delete any downloaded exe files you may have used to update CCleaner; you wouldn't want to accidentally activate the wrong update again.

      HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo
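A read-only check for the two indicators this comment names, the leftover HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo key and an installed CCleaner at the affected 5.33 version, as an added PowerShell example that is not from the thread or from Piriform. The install folder and the file names (CCleaner.exe for the 32-bit build, CCleaner64.exe for the 64-bit one, as named elsewhere in these comments) are assumed defaults; the script reports and deletes nothing, and reads the PE header rather than trusting the file name to tell 32-bit from 64-bit.

```powershell
# Added example, not from the thread or from Piriform: report the two indicators
# discussed above without changing anything on the machine.

$AgomoKey        = 'HKLM:\SOFTWARE\Piriform\Agomo'   # registry key named in the comment
$AffectedVersion = [version]'5.33'                   # affected release named in the thread

# Assumed default install folder; CCleaner.exe is the 32-bit build, CCleaner64.exe the 64-bit one.
$Candidates = @(
    (Join-Path $env:ProgramFiles 'CCleaner\CCleaner.exe'),
    (Join-Path $env:ProgramFiles 'CCleaner\CCleaner64.exe')
)

function Test-AgomoKey {
    param([string]$Path = $AgomoKey)
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Present = $false; ValueNames = @() }
    }
    # Only value names are reported; the data under the key is not needed for this check.
    [pscustomobject]@{
        Present    = $true
        ValueNames = @((Get-Item -Path $Path).GetValueNames())
    }
}

function Get-PEMachine {
    # Read the PE header to tell a 32-bit image from a 64-bit one instead of trusting the file name.
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        $null = $fs.Seek(0x3C, [System.IO.SeekOrigin]::Begin)    # e_lfanew: offset of the PE header
        $peOffset = $br.ReadInt32()
        $null = $fs.Seek($peOffset, [System.IO.SeekOrigin]::Begin)
        if ($br.ReadUInt32() -ne 0x00004550) { return 'not-PE' } # "PE\0\0" read little-endian
        switch ($br.ReadUInt16()) {                               # IMAGE_FILE_HEADER.Machine
            0x014c  { 'x86' }
            0x8664  { 'x64' }
            default { 'other' }
        }
    }
    finally { $fs.Dispose() }
}

function Get-CCleanerReport {
    param([string[]]$Paths = $Candidates)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $vi      = (Get-Item -LiteralPath $p).VersionInfo
        $ver     = [version]('{0}.{1}' -f $vi.FileMajorPart, $vi.FileMinorPart)
        $machine = Get-PEMachine -Path $p
        [pscustomobject]@{
            Path    = $p
            Version = $ver
            Machine = $machine
            # The thread reports only the 32-bit 5.33 build as carrying the implant.
            Flagged = ($ver -eq $AffectedVersion -and $machine -eq 'x86')
        }
    }
}

# Usage: list what is found, then decide on clean-up with the vendor's guidance in hand.
Test-AgomoKey      | Format-List
Get-CCleanerReport | Format-Table -AutoSize
```

A present Agomo key or a flagged 32-bit 5.33 binary is a reason to follow the clean-up steps the comment and the article describe, not proof on its own; the key name and version are the only indicators the thread gives, so the script stops there.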

  17. Marcel
    Linux

    Doesn't matter

    If you need CCleaner it means you already have malware on your pc. Isn't removing malware with virus scanners and anti-malware software just cleaning up after the fact? And is the problem not your OS/browser/behaviour?

    1. Charles 9

      Re: Doesn't matter

      You never heard of a drive-by attack?

    2. fidodogbreath

      Re: Doesn't matter

      If you need CCleaner it means you already have malware on your pc.

      CCleaner is mostly used to clear caches, MRUs, etc. that take up space and (potentially) compromise privacy. It's not really a malware tool. Perhaps you're thinking of Malwarebytes?

    3. Digitall
      Linux

      Re: Doesn't matter

      Windows can't be the Malware, can it?

      1. hawky

        Re: Doesn't matter

        ... it's full of bugs, so might as well be malware.

    4. The obvious
      Mushroom

      Re: Doesn't matter

      You do have malware on your machine, malware called CCleaner...

    5. Elmer Phud

      Re: Doesn't matter

      Rubbish, it is a great bit of kit to help clean up a new machine.

      I've found McAfee on machines with no sign of it in the Windows list of progs, yet with CCleaner it was there --and all the little other supposed 'essentials' that need to be removed or disabled to make life worth living.

      And a reg clean-up is needed now and then with Windows - even just to remove file associations with SW you will never even install.

      1. DropBear

        Re: Doesn't matter

        "You never heard of a drive-by attack?"

        To be fair, none of the articles oh-so-keen to use hip and cool terminology I've seen ever bothered to subsequently explain what certain IT attacks might have in common with gangsters in suits squeezed into a slow-moving black limo emptying their Tommy guns into a building. Not a single one of them. I mean it's perfectly fine since I'm sure there's no person on Earth unaware of what, for instance, a halocline is, but I sure won't be going looking for the nearest Don I can find asking him to elaborate...

  18. The obvious

    Hopefully el-reg readers are aware of...

    this nugget of wisdom from el-reg itself.

    "Our testing produced very little evidence that registry fixers and third-party defragmenters do any good at all, although other users with serious computer problems may experience otherwise."

    As such if I ever see a machine with CCleaner on it, I assume it is borked and due for nuking. :)

    1. John F***ing Stepp

      Re: Hopefully el-reg readers are aware of...

      This is kind of weird; there are down votes on every post that disses ccleaner.

      You cannot really marry software, but, I guess if you think you have it is nice to know that you are the faithful sort.

      (in your heart you know that ccleaner still loves you and won't hit you again.)

      1. AJ MacLeod

        Re: Hopefully el-reg readers are aware of...

        Those downvotes are probably because most of those posts are written by ignorant people who think that CCleaner's primary use is as a registry cleaner.

        In fact, it's been a good and hitherto reliable general cleanup program for Windows for years - I certainly share the general scorn of registry cleaners and have never ever used that part of the software.

        I hadn't realised that it had been bought by Avast, otherwise I'd have thought twice about touching it again - I always hated their bloated and useless AV software and more recently they've completely ruined AVG too (granted, AVG had done half the job for them in the past three or four years :( )

        Does anyone know if the portable version also installed Malware on systems?

        1. TRT Silver badge

          Re: Hopefully el-reg readers are aware of...

          It is also a far more comprehensive uninstaller and startup tweaker than you get in the OS, as well as the disk space utilisation tool being quite handy sometimes. Not had a problem with it myself, ever. However learning that it's now owned by Avast, I'm less than happy to continue using it.

        2. cowbutt
          Alert

          Re: Hopefully el-reg readers are aware of...

          The 32 bit ccleaner.exe in the portable version of 5.33 included the Floxif malware. If you've ever run it on a system, that system should be considered compromised. You'll have to decide between Talos' recommendation to restore to a pre-CCleaner 5.33 backup of the system, or Piriform's assertion that Floxif only ever profiled machines and sent the details back to the attackers' C2 host.

          The 64 bit ccleaner64.exe in the portable version of 5.33 seems to be safe. If you only ever used that version, then supposedly you have no reason to be concerned.

  19. Anonymous Coward
    Anonymous Coward

    "servers distributing the program were leveraged to deliver" "build environment and leveraged that access"

    FFS is that retard HR consultant still there?

    What's wrong with: "servers distributing the program were used to deliver" "build environment and used that access"

    1. Wayland

      I was quite impressed by the term 'leveraged' until you pointed out it means 'used'.

      1. Glenturret Single Malt

        No doubt pronounced "levveraged"

        1. MrT

          At least using a lever (levver) makes it sound a bit like hard work. I'm still waiting to see 'synergy' pop up in the follow-up press releases...

  20. JeffyPoooh
    Pint

    "The dodgy software was signed..."

    "The dodgy software was signed using a valid certificate that was issued to Piriform Ltd..."

    Huh? How? A "signed" bit of software is supposed to be blah-blah-blah and thus secure from such things.

    "...by Symantec."

    Oh, I see. The morons at Symantec strike again.

    1. Charles 9

      Re: "The dodgy software was signed..."

      Certificates can't save you from INSIDERS, and it looks like the build was infected from the inside, BEFORE it was signed.

    2. cowbutt
      FAIL

      Re: "The dodgy software was signed..."

      Symantec issue (sell) code-signing certificates to software authors. Those authors then sign their artifacts (executables, DLLs, whatever) before release, so as to allow users/admins (and the OS) to verify that they are indeed legitimate and unmodified. Symantec do not sign artifacts themselves, nor do they perform any kind of per-release code review of their customers' pre-release software.

      Symantec (and other CAs) may do some due diligence to assure themselves that the applicant is not impersonating an established code signing entity, and that they are technically competent to keep their certificate safe and only sign things they intend to, but then again, they may not. Certainly, attackers have previously managed to get their hands on legitimate signing keys and certificates and use them to sign malware in the past - various versions of Stuxnet were signed with Realtek, JMicron and Foxconn certificates.

  21. Anonymous Coward
    Windows

    Obligatory old geezer aside

    Looks like the attacker(s) compromised the build system that produced the binary installer package. For some reason, Ken Thompson's paper Reflections on Trusting Trust (link) springs to mind.

    Software companies might take a good look at how the supply chain is managed for other high-value products (where "high value" means "dangerous if compromised"). The ur-case is the Tylenol poisonings and the manufacturer's response. Your meds have a secure supply chain and tamper-proof packaging because of it.

    1. Charles 9

      Re: Obligatory old geezer aside

      Problem is, a determined opponent will simply replace any compromised seals with new ones. Plus tamper-proofing is useless against an insider who can meddle with things PRIOR to them being sealed.

      1. cowbutt
        Thumb Up

        Re: Obligatory old geezer aside

        And this is why, when I'm checking whether untrusted installers are signed, I check to see if they've been signed with the same certificate as previous, trusted installers.

        It would be nice if the OS could pin certificates automatically, and highlight to users/admins if the signing certificate has changed from the previously-installed version.
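The manual check cowbutt describes above (compare a new installer's signing certificate with the one on previously trusted installers, building on the earlier explanation that the CA sells the certificate and the vendor signs its own artifacts) can be scripted on Windows. The following is an added example written for this thread, not code from any commenter, from Piriform or from Avast; the pin-store location and the choice to key pins by the file's embedded ProductName are my own assumptions.

```powershell
<#
 Added example (not from the thread, Piriform or Avast): "trust on first use" pinning
 of an installer's Authenticode signer. First run with -Pin against an installer you
 already trust; later downloads of the same product are compared against that pin.
 Assumptions: the pin-store path and keying pins by the file's ProductName.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$Installer,                          # downloaded .exe/.msi to check
    [string]$PinFile = "$env:LOCALAPPDATA\installer-signer-pins.json", # assumed pin-store location
    [switch]$Pin                                                       # record this signer as trusted
)

function Get-SignerInfo {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Anything other than Valid (NotSigned, HashMismatch, UnknownError...) is a hard stop.
    if ($sig.Status -ne 'Valid') {
        throw "Signature status for '$Path' is '$($sig.Status)', refusing to continue"
    }
    [pscustomobject]@{
        Subject    = $sig.SignerCertificate.Subject
        Issuer     = $sig.SignerCertificate.Issuer
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

function Get-PinKey {
    param([string]$Path)
    # Key by the product name in the version resource so that e.g. ccsetup532.exe and
    # ccsetup533.exe share one pin; fall back to the file name minus trailing digits.
    $item    = Get-Item $Path
    $product = $item.VersionInfo.ProductName
    if ([string]::IsNullOrWhiteSpace($product)) { $product = $item.BaseName -replace '\d+$', '' }
    return $product.Trim()
}

function Read-Pins {
    param([string]$Path)
    $pins = @{}
    if (Test-Path $Path) {
        $json = Get-Content $Path -Raw | ConvertFrom-Json
        foreach ($p in $json.PSObject.Properties) { $pins[$p.Name] = $p.Value }
    }
    return $pins
}

$signer = Get-SignerInfo -Path $Installer
$key    = Get-PinKey -Path $Installer
$pins   = Read-Pins -Path $PinFile

if ($Pin) {
    $pins[$key] = $signer
    $pins | ConvertTo-Json -Depth 3 | Set-Content -Path $PinFile
    Write-Host "Pinned '$key' to $($signer.Subject) [$($signer.Thumbprint)]"
    exit 0
}

if (-not $pins.ContainsKey($key)) {
    Write-Warning "No pin recorded for '$key'. Inspect the signer below and re-run with -Pin if you trust it."
    $signer | Format-List
    exit 2
}

$known = $pins[$key]
if ($known.Thumbprint -eq $signer.Thumbprint) {
    Write-Host "OK: '$key' is signed with the pinned certificate ($($signer.Subject))"
    exit 0
}

# Thumbprint differs. A legitimately renewed certificate keeps the same subject;
# a different subject means a different signing entity altogether.
if ($known.Subject -eq $signer.Subject) {
    Write-Warning "Signing certificate for '$key' has CHANGED but the subject matches (possible renewal):"
} else {
    Write-Warning "Signer for '$key' has CHANGED to a DIFFERENT subject:"
}
Write-Warning "  pinned : $($known.Subject) [$($known.Thumbprint)]"
Write-Warning "  current: $($signer.Subject) [$($signer.Thumbprint)]"
exit 1
```

Run it once with `-Pin` against an installer you have already vetted, then point it at each new download before running that download; a non-zero exit code means either no pin exists yet or the signer differs. A changed thumbprint with an unchanged subject is what a routine certificate renewal looks like, so the script reports the two cases separately rather than treating every change as hostile. As Charles 9 notes in the reply below, this only catches a substituted signer: a build compromised before signing and signed with the vendor's own key passes the check unchanged.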

        1. Charles 9

          Re: Obligatory old geezer aside

          Except in this case an inside job would probably be using THE SAME certificate. No help there.

  22. Anonymous Coward
    Anonymous Coward

    AVG / Avast New Policy of.....

    Selling out users privacy now anyway, I guess...

    It all makes sense now in a screwed up world...

    How did we ever get here? What a world, what...

  23. J.G.Harston Silver badge

    People are dissing CCleaner, but what exactly is so diss-able about it? I've got v4.17/2014 and use it from time to time after any time I've done online banking or uninstalled something I've tested and discarded. I've never found any problems with it.

    I agree that Avast Antivirus has grown unmanageably though. It takes ages to start up, everything seems to move around between updates, and it's now in "finger painting" mode.

    1. Patrician

      ".....People are dissing CCleaner, but what exactly is so diss-able about it? ..."

      Because it causes more issues than it "fixes" and a lot of the "problems" it "finds" are non-issues and do not need fixing.

      Nobody uses Windows 95/98 anymore so a registry cleaner is completely unnecessary.

      1. Roland6 Silver badge

        >Because it causes more issues than it "fixes"

        Examples please from the actual usage of CCleaner on Win7/8/10, i.e. currently supported versions of Windows.

        I only ask because whilst cleaners/performance enhancement utilities were hit and miss back in the 1990's on Win95/98/ME when many Windows developers had little real understanding of the registry, neither I nor anyone else in my circle have had problems arising from the use of CCleaner in recent times (e.g. since XP-SP3) - other than with a 'cleaned' system, previously thoroughly infected with malware that had played its merry games with the registry, executables and the filesystem(*)...

        >a lot of the "problems" it "finds" are non-issues and do not need fixing.

        Is that a problem?

        I used to use CCleaner a lot on XP to quickly reset the IE browser cache, whenever IE struggled to load because of cache issues. Similarly, there have been times with Win7 when Chrome has been unable to update itself due to cache issues, a quick run of CCleaner and problem resolved.

        (*) Aside: in these cases the problems that arise merely confirm a 'cleaned' system is unstable and in need of a complete reinstall.

  24. Agent Tick

    what exactly...

    ... is that malware doing? Any details on that?

  25. wayne 8

    I used a registry cleaner back in W98 days. If I ran it a second time it would clean more stuff out. Run it a few times and Windows would not run. Then I would do the only thing that cleans Windows up, a reinstall.

    If they really worked, then a second run should not find anything to do.

    I consider Windows tune up applications to be malware, much like I consider Windows.

    Depressing to see ads displayed by Android apps that shout "Phone running Slow? Run [some shit product] Now!"

    1. Elmer Phud

      "If they really worked, then a second run should not find anything to do."

      CCleaner tends to do that.

      Running stuff on W98 and trying to compare with today is not exactly the same is it?

      Things tend to change a bit.

      (and who didn't have a 98 boot floppy to get XP users up and running again?)

    2. Hans 1
      Paris Hilton

      The thing is, some of the ccleaner backers claim it is not only a registry cleaner, as it deletes MRUs (which are registry entries, n00b), finds installed software (again, registry keys n00b^2), and apparently cleans up other stuff such as startup programs (registry keys (for the most part, msconfig is your friend)) ....

      Listen, mate, if you are so keen on keeping your MRUs clean, clean them once, export the registry key and keep it in a safe location ... when you wanna clean, delete and import. 5 minute job to write & test a batch script... no more time spent trying to keep CCleaner up-to-date ...

      You never know what CCleaner will do, MRUs are safe, installed software pretty much also .. but the rest ?

      If you are in front of a computer that needs cleaning, you back up & reinstall ... really, it is that simple.

      Ccleaner users are n00bs, no ifs, buts, or maybes.

      Downvote all you want, I don't care, but please, think for two minutes and accept that you are wrong, no, seriously, you are, really!

      Paris, coz she likes a good thorough cleaning every now and then ...

      1. AJ MacLeod

        @ Hans1

        If you genuinely think that wiping a PC and reinstalling the OS and all applications (then manually overwriting their registry keys with old versions - seriously?!) - is an acceptable alternative to a quick clean up of accumulated temporary files, old system logs etc you should perhaps step away from the keyboard now...

      2. JCitizen
        Go

        CCleaner's best feature..

        Is cleaning Zombie files, or LSO cookies. It is one of the few free utilities that does that. If you ask any IT expert that has been around a LONG time, they all recommend CCleaner. It is an industry wide understanding. Personal opinions are fine, but you will never browbeat me into uninstalling CCleaner - it has proven itself in my honey pot lab over, and over and over again.

      3. Roland6 Silver badge
        Happy

        >The thing is, some of the ccleaner backers claim it is not only a registry cleaner, as it deletes MRUs (which are registry entries, n00b)

        So Hans 1, should I stop using MS Office as it has a setting that modifies the MRU list and other settings that modify registry keys, as by your definition it's a registry cleaner?

  26. Anonymous Coward
    Anonymous Coward

    CCleaner 5.33 malware removal

    I do use CCleaner on all 3 personal machines, the basic cleaning function is quite good at removing residual files browsers don't seem to tidy.

    I don't automatically update but did recently on 3 home machines.

    The malware has been detected by the Cisco Talos team beta testing their Immunet product.

    This blog entry describes the infection and contains a link to download the Immunet AV/anti-malware product.

    http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

    The blog recommends restoring to a point before the update was applied which is sensible advice. But Immunet can detect and quarantine the nasties inserted by the doctored installer.

    If you decide not to do a full restore then you'll need to perform a full system scan. This took 3 1/2 hours on my laptop and I have a couple of other machines to do tomorrow where I will probably just factory reset the machines (both are Windows tablets mainly used for internet and email).

    I may end up doing a full reinstall but need to be absolutely sure that all documents, photos etc. have been secured as several family members use this laptop when they visit.

    A.C. because I'm so embarrassed about not noticing the big increase in installer size.

  27. Howard Hanek
    Linux

    CCleanerOuter or Something

    So to remove the junk that should have never accumulated in the first place we've opened millions of doors to 21st Century Pirates who don't look at all like Johnny Depp and have absolutely no sense of humor?

  28. Winkypop Silver badge
    Megaphone

    NEW PRODUCT

    Introducing CCleanerCCleaner!

    Is your CCleaner program infested with bugs and malware?

    Try CCleanerCCleaner today!

    1. GrapeBunch
      Angel

      Re: NEW PRODUCT

      Try CCleanerCCleaner today!

      Ubik.

  29. Destroy All Monsters Silver badge
    Coat

    All we have to fear is the Pear itself!

    (That went pear-shaped fast etc.)

  30. Jamie Jones Silver badge
    Facepalm

    I'm an idiot

    Am I the only one to initially think "this Cisco Talos person has the same name as that network-hardware company".

    hmmm

    1. TRT Silver badge
      Facepalm

      Re: I'm an idiot

      Oh! It's a person. I thought it was a cool name for a team in a well known IT outfit. *red face*

  31. jimdandy
    Windows

    So...from the above, it seems that anyone who has used CCleaner in the past 6 mos is a sucker, and should have known better. And that anyone who has used Avast as an anti-malware/antivirus/and-anti-whatever program is pretty much hoisted. By their own petard. And of course that includes those paid-for users.

    So, brilliant ones: what is your solution to the problem of people who want to keep their skirts clean, and like to do something about it once in a while? I get the "jettison Avast ASAP" point of view. Including the regardless-of-the-dirty-CCleaner-is-rotten POV.

    Most of the users out there are not the "striding-brilliantly-through-the-Cosmos" adepts that y'all are.

    Isn't it about time that you offered some alternate suggestions?

    1. Elmer Phud

      Yup, I didn't get round to updating on this machine (everything is set to ask - not update).

      But it's been a vital tool for quick cleans of friends' machines where years and years of basic usage has ended up with more detritus to wade through than actual useful stuff.

      Progs installed, uninstalled, half-installed, failed installs -- all sorts of backyard junk, plus the never ending 'temp' files.

      Usually Ccleaner then Malwarebytes - maybe the other way round next time?

    2. Patrician

      Alternatives to CCleaner are not necessary on a modern OS, so no alternative offered or needed. Alternative, free, AV? Stop trying to use free software and pay for a decent AV, Bit Defender, F-Secure, Eset etc. All are better than the "free" ones.

    3. JCitizen
      Coffee/keyboard

      All of my clients are on a budget...

      and cannot afford much more than one paid solution. I've been putting Avast on their systems for years, and sometimes they were using an inferior freebie, and always had trouble with them. Avast has its quirks, but they are usually easy to correct. Now I only recommend even poor people should try to buy MBAM. If they go in together and buy a 3 license copy, they can get a really good deal and spread them among themselves. I still recommend Avast, because it will block many problems before they ever get on the computer, so MBAM has nothing to deal with in those instances. Avast is noisy, and I think that is why people think it acts like malware - I LIKE it to get noisy, because otherwise you don't know the otherwise legitimate site is using bad security practices. There are just too many good features on Avast, like the application updater, and notifier, to ignore it. I will admit, that on folks using Windows 10, I feel the built in Defender is enough, but even then I recommend MBAM Premium if they have anything to lose! I will admit the paid for version of Avast is a pain in the behind and I will never recommend it!

      1. Charles 9

        Re: All of my clients are on a budget...

        "Now I only recommend even poor people should try to buy MBAM."

        And if they're TOO poor even for that?

  32. Ruisert

    I've used CCleaner for years (10 at least) and find it to be very handy at cleaning crap (CCleaner's original name was Crap Cleaner) like temp files many product installations fail to clean up. And when I do run it, it generally frees up a GIG or two of drive space. My mom, who is the very epitome of a clueless computer user picked up another browser hijacker the other day - I ran CCleaner on it, all better.

    But I guess it's typical human behavior to blast something without having a clue as to what it actually does.

    1. VulcanV5
      Paris Hilton

      Re: Ruisert

      Not sure about it being typical human behaviour, more like typical Generation Moron behaviour from some commentards trying to show off their intellectual superiority on here and failing miserably.

      I too have used CCleaner since the days it was known as CrapCleaner (the name didn't upset its home UK market but was eventually deemed too much for sensitive souls across the Pond) and of course, it isn't malware.

      CCleaner started life more than a decade ago as a quick and easy cleaner of crap. It still is. Additional tools have been bundled in over the years, including a 'registry cleaner' whose value (to me) has always seemed pointless, as well as hazardous, but which others seem to like: their choice. The CCleaner version I run is the freebie, not the paid-for, and is old enough to have cobwebs all over it. But it works fast to clear caches, cookies and what have you whenever required, and plays nicely with my Malwarebytes Premium, Panda AV, and WinPatrol. It has always erred on the safe side, and though out-performed, as it were, by the only other utility of this type I've ever bothered with -- Kerish Doctor -- it has, unlike Kerish, never mis-identified any of the clutter.

      I'm sorry Piriform has sold out to Avast because it's the end of an era and past experience of Avast has taught me to keep well clear of any of its bloatware. I'll keep on though with CCleaner 5.13.5460 which, as far as I'm aware, is still available on software archival sites, and leave the Generation Moron representatives on here to continue on with their own condemnation of a product about which they very clearly know absolutely sod all.

      1. TRT Silver badge

        Re: Ruisert

        I've always found the registry cleaner to work well. Its value is limited nowadays, but on a 32-bit machine with 2-4Gb of memory and several programs running, risking the HIVE files getting too big to fit into actual RAM and becoming paged to disk instead... well, CCleaner's registry tool would prune 100s of K off the file, the machine still worked, and the reported things being removed were mostly left over broken links to .NET files orphaned by upgrades. If a machine had been sitting there updating for years, with software going on and coming off, then the reported issues from that tool could easily run into the thousands. I always used to rerun it until I got two consecutive "no problems", because keys referred to keys, which referred to keys, which referred to nothing.

      2. Charles 9

        Re: Ruisert

        "I too have used CCleaner since the days it was known as CrapCleaner (the name didn't upset its home UK market but was eventually deemed too much for sensitive souls across the Pond) and of course, it isn't malware."

        Why didn't they just rename it CrudCleaner? Same implication, cleaner cuss word.

    2. Hans 1

      But I guess it's typical human behavior to blast something without having a clue as to what it actually does.

      CCleaner does more harm than good, it is a useless piece of software, snake oil, if you like.

      Don't trust me, fine, would you trust an MVP more than the MHP ?

      https://answers.microsoft.com/en-us/windows/forum/windows_7-performance/recommended-registry-cleaners/871eb3a9-3b97-4113-a257-6a43795f2175?auth=1

      I, the MHP (Microsoft Most Hated Professional), recommend against using that crap ...

      To those who doubt ... I know ccleaner, I have used it in the past to see what it does ... it is snake oil.

      1. JCitizen
        Megaphone

        I call BS to any detractor of this people's choice!!

        I call BS to anybody claiming to be a professional that says CCleaner is useless - maybe you don't want to mess with the registry cleaner OH KAYYyy! But too many of the other features have proven themselves, along with the reg cleaner to me over the years, to convince me of any other reality. I've NEVER had a problem with CCleaner - I've ALWAYS solved problems with it, and all of my clients have breathed a sigh of relief ever since.

        NOBODY can talk me down or convince me otherwise, as I have just seen too much happen; especially in my honeypot lab! In fact I have actually seen malware try to manipulate CCleaner icons, and shortcuts in an effort to foil any restricted rights user from operating it - you can't tell me it is not effective in removing most threats that stay inside the parameters the operating system sets, just as long as the user doesn't fall for any Social Engineering to allow the attack. I've seen too much proof to be convinced otherwise!

        1. TRT Silver badge

          Re: I call BS to any detractor of this people's choice!!

          CCleaner removes threats? Really? Are people getting it confused with some sort of malware protection?

      2. VulcanV5

        @ Hans 1

        Your ability to comprehend the user-chooser multiple functionality of CCleaner is obviously as fitful as your ability to express coherent thought. For the record: I wouldn't even trust CHP to tell me anything useful about that particular software, never mind MVPs or MHPs. Or any other Muddled Vacuous Pratt, either.

      3. David Nash Silver badge

        @Hans1

        On that link you posted MHP etc... the writer (Ken Blake) responds to a commenter asking what he should be doing, if not running a reg cleaner:

        "But there are many things you can do in this regard that are completely safe. For example, you can run Disk Cleanup and do all of the choices there. No problem and it gets rid of some things you don't need, thereby saving a little (usually very little) disk space. Similarly, you can run CCleaner, which does a lot of the same things, perhaps a little more thoroughly. CCleaner is safe to use, as long as you don't use its registry cleaning functionality, which is not safe."

        Interestingly he also recommends Avast, amongst other things.

  33. Wayland

    Wise Care and Kaspersky installed but...

    ... still CC Cleaner managed to find its way onto the system after only a day with the customer.

    Getting 666 Threats detected please pay £20 and occasional BSD.

    Kaspersky is usually quite picky who it will let on your system so how come it did not detect the bad guys? It looks like I am going to have to wipe and start again.

    1. Elmer Phud

      Re: Wise Care and Kaspersky installed but...

      ".. still CC Cleaner managed to find its way onto the system after only a day with the customer."

      It takes a click or two to do it -- AFAIK it needs help to get there.

    2. Roland6 Silver badge

      Re: Wise Care and Kaspersky installed but...

      ... still CC Cleaner managed to find its way onto the system after only a day with the customer.

      But did the customer/end user know what Wise Care did?

      I suspect that someone simply installed a cleanup tool they knew and understood; unfortunately, the version happened to have been compromised...

      Kaspersky is usually quite picky who it will let on your system so how come it did not detect the bad guys?

      Yes, it would seem that questions need to be answered as to why the payload wasn't detected. Suspect that as it was a 'trusted' installer, the security scanner turned a blind eye, whereas some tools will (if set to the correct level of paranoid) scan every file installed and executed by an installer.

  34. imanidiot Silver badge
    Facepalm

    Uhhhhhhm, what?

    "Ondrej Vlcek, Avast's CTO, told The Register that there was "no indication that the second-stage payload activated" and hence no need to do a wipe and clean install as recommended by Cisco Talos."

    Ohh, I have (currently) unactivated malware on my system, but this guy says it's fine so let's do nothing....

  35. Dixx

    Monat miene arsche. The first time I saw this was eighteen moths ago. Catch up guys.

    1. Captain Badmouth

      @ Dixx

      <The first time I saw this was eighteen moths ago.>

      You should clean out that machine...

  36. Patrician

    Isn't CCleaner nothing but malware in its own right?

  37. Grimsterise

    Forsooth!

    Let's get that straight: Independent company is sold to big antivirus firm.

    One month later their flagship product is infected with a virus.

    Hmmm, and arched eyebrows all round.

  38. Norman123

    I appreciate your dissemination of this info. I just uninstalled CCleaner and hope my Kaspersky had stopped its bad behavior. Any feedback if other antivirus could detect and stop it?

  39. thosrtanner

    only the 32 bit installer?

    Well, I have a 64 bit version of windows. Yet somehow windows defender (yup, free, comes with windows) detected the malware and quarantined it (as well as the downloaded file). And detected and cleaned registry entries.

    Yes, I use ccleaner because windows doesn't automatically clean your tmpdir and it ends up with tons of crap. not so impressed with the cookie/history cleaning and I treat the registry cleaning with a large pinch of salt (there are some programs that have been known to put entries in the registry that purport to be a file path, but the path doesn't exist, the program appears merely to be looking for the key), and to be honest I've hardly ever used it.

  40. JJKing
    Pirate

    Oh dear.

    Arrr, it be just in time for the world Speak Like A Pirate Day arrr.

    Avast me hearties, malware borders away, arrr.

  41. GrapeBunch

    VM ?

    I wonder if in the "future" we're going to be using VMs instead of most of our anti-malware. At the end of the session, the software might offer to preserve any files you've asked to be downloaded. These files will have been malware-checked by anti-malware software running in the background (so reduced real-time bottlenecks). It's a bit like the way public computers boot to ROM (not literally, I'm just calling it that) with each new user. New software? Runs in a VM, too. It would not be computing as we know it. There might be hurdles in regard to EULAs and copy protection. But it might be safer than what we have. Just a suggestion. Let the experts weigh in!

  42. Paul Woodhouse

    Been many years since I used CCleaner, I did used to but IIRC it may or may not have been responsible for b0rking a couple of machines I was trying to clean up, certainly didn't help them, what I tend to use now for cleaning is a combination of malwarebytes, autoruns and treesize for a basic cleanup will fire up process explorer if I'm suspicious of anything....
