Cisco Talos researchers said, “It is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.”

Piriform confirmed the attack, saying Avast “determined on the 12th of September that the 32-bit version of our CCleaner v and CCleaner Cloud v products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner.” A non-backdoored version of CCleaner was released the same day. As for the compromised cloud version, CCleaner Cloud v, which was released on Aug. 24, the company released a non-malware tainted version on Sept.

Piriform said, “It would have been an impediment to the law enforcement agency’s investigation to have gone public with this before the server was disabled and we completed our initial assessment.”

An estimated 2.27 million systems installed the infected CCleaner

Although Avast doesn’t want users to panic, it admitted to Forbes that an estimated 2.27 million systems installed the backdoored versions. Piriform previously claimed that there have been 2 billion total CCleaner downloads with an additional 5 million weekly installs. If even a small fraction of those systems were compromised, an attacker could use them for any number of malicious purposes. Cisco Talos said, “The impact of this attack could be severe given the extremely high number of systems possibly affected.”

CCleaner has been popular for years, trusted by tech-savvy users. That, and you don’t expect an antivirus firm to infect you with malware. Taking advantage of that trust is partially why this attack is so distressing. This is a prime example of the lengths attackers are willing to go to in their attempt to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files and web servers used to distribute updates. One point we should take note of is that the breach preceded the takeover of Piriform by Avast. Avast posted a clarification explaining what happened and giving a timeline of the events.

If you installed it, then go grab a clean version of CCleaner now if you intend to keep using the software. The free version won’t automatically update to a version without a backdoor. Users should also update to the latest available version of CCleaner to avoid infection. At the time of this writing that is version 5.34. Affected systems need to be restored to a state before August 15, 2017, or reinstalled.

Users that are unsure whether they were affected by this and whether their data may have been sent to the C2 server can check for the presence of the following values under the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

These values are not created by any clean versions of CCleaner, just by the infected ones. Malwarebytes will detect the presence of those values and flag them as

The trojan itself reportedly only ran on Windows 32-bit systems, but the values above were created on 64-bit systems as well.
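The registry check and the version advice above, as an added PowerShell triage script that is not part of the original post and is not Malwarebytes', Avast's or Piriform's code. It looks for the HKLM\SOFTWARE\Piriform\Agomo key named in the post and reports whatever values exist under it (the post does not list the value names, so nothing is matched by name), then compares the installed CCleaner version against the 5.34 clean release the post cites. The WOW6432Node mirror path and the default location of CCleaner.exe are assumptions, not facts from the post.

```powershell
# Added triage script (not from the original post). Reports the indicator the
# post describes: a HKLM\SOFTWARE\Piriform\Agomo key that clean CCleaner builds
# do not create. Value names are not given on the page, so every value found
# under the key is listed rather than matched by name.
# Assumptions (not on the page): the WOW6432Node mirror path and the default
# install location of CCleaner.exe.

$AgomoPaths = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',               # path given in the post
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'    # assumed 32-bit view on 64-bit hosts
)
$FirstCleanVersion = [version]'5.34'               # clean version named in the post
$BuildCutoff       = Get-Date '2017-08-15'         # restore-point date named in the post

function Get-AgomoIndicator {
    # Returns one object per value found under the Agomo key(s); no output means no indicator.
    foreach ($path in $AgomoPaths) {
        if (Test-Path -Path $path) {
            $item  = Get-Item -Path $path
            $names = @($item.GetValueNames())
            foreach ($name in $names) {
                [pscustomobject]@{
                    Key   = $path
                    Value = $name
                    Data  = $item.GetValue($name)
                }
            }
            if ($names.Count -eq 0) {
                # Key exists but is empty: still worth a look, since clean builds never create it.
                [pscustomobject]@{ Key = $path; Value = '<key present, no values>'; Data = $null }
            }
        }
    }
}

function Get-CCleanerVersion {
    # Reads the product version from the installed binary (assumed default path).
    $exe = Join-Path $env:ProgramFiles 'CCleaner\CCleaner.exe'
    if (-not (Test-Path -Path $exe)) { return $null }
    $raw = (Get-Item -Path $exe).VersionInfo.ProductVersion
    try { [version]$raw } catch { $raw }   # fall back to the raw string if it is not x.y.z
}

$indicators = @(Get-AgomoIndicator)
$version    = Get-CCleanerVersion

if ($indicators.Count -gt 0) {
    Write-Warning ("Agomo registry indicator present ({0} entry/entries). Treat this host as affected: " +
                   "restore to a state before {1} or reinstall.") -f $indicators.Count, $BuildCutoff.ToShortDateString()
    $indicators | Format-Table -AutoSize
} else {
    Write-Output 'No Agomo registry key found under either path.'
}

if ($null -eq $version) {
    Write-Output 'CCleaner.exe not found at the assumed default location.'
} elseif (($version -is [version]) -and ($version -lt $FirstCleanVersion)) {
    Write-Warning "Installed CCleaner $version predates $FirstCleanVersion; the free edition will not auto-update, so install a clean build manually."
} else {
    Write-Output "Installed CCleaner version: $version"
}
```

Run it from an elevated PowerShell prompt so HKLM is readable in full. An absent key is not proof of a clean host (the post only states that infected builds create the values, and a reinstall or cleanup may already have removed them), which is why the version check is reported alongside it rather than folded into a single verdict.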