Warning: 32-bit version of CCleaner 5.33 compromised

HansV
Administrator
Posts: 78391
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Warning: 32-bit version of CCleaner 5.33 compromised

Post by HansV »

(Also posted in Other Applications)

Piriform has released a bulletin acknowledging that the versions of CCleaner v5.33.6162 (released on the 15th of August, 2017) and CCleaner Cloud v1.07.3191 (released on the 24th of August, 2017) for 32-bit Windows contained a backdoor that could be used to send some information from your computer to a server in the USA.
The versions for 64-bit Windows and other Piriform products were not affected.

If you still have one of the above versions, you are urgently recommended to install the versions released in September.

See Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
Best wishes,
Hans

StuartR
Administrator
Posts: 12601
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by StuartR »

It looks like the default installation on 64-bit Windows is the unaffected 64-bit version, so for most of us this should just be a reminder to be vigilant.
StuartR


HansV
Administrator
Posts: 78391
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by HansV »

Yes, indeed. The 64-bit version is installed by default on 64-bit Windows. But it's a frightening idea that it's possible to introduce malware into popular software from a major security company (Piriform has been owned by Avast since July of this year)...
Best wishes,
Hans

stuck
Panoramic Lounger
Posts: 8160
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by stuck »

Sometimes it pays to be not only a dinosaur but a slow dinosaur. I'm still on 32-bit CCleaner v5.32, i.e. I've missed out on v5.33.

Ken

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by Argus »

Hehe, then I'm a fossil in Jurassic Park; I'm on v. 5.30 (and 64-bit). :grin:

I think most of the updates recently have been about Win 10, Edge etc. Kids' stuff. :laugh:

Great start for Avast.
Byelingual    When you speak two languages but start losing vocabulary in both of them.

Jay Freedman
Microsoft MVP
Posts: 1316
Joined: 24 May 2013, 15:33
Location: Warminster, PA

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by Jay Freedman »

I've looked at the blog posts from Morphisec and Cisco Talos, which both reported the malware to Avast. It's pretty clear that it was an "inside job" by someone who had access to Piriform's build server. According to Morphisec,
"First, we identified that the TLS initialization of callback functions was probably altered by a modification of the visual studio runtime file... Such modifications can be done by someone with access to the machine that compiles the code."
I'll be interested to hear the details of the investigation if and when the perpetrator is identified.

HansV
Administrator
Posts: 78391
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by HansV »

A disgruntled employee?
Best wishes,
Hans

stuck
Panoramic Lounger
Posts: 8160
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by stuck »

HansV wrote:A disgruntled employee?
That sounds like a conspiracy theory has got hold of you, have you checked your tin foil hat recently? :grin:

Ken

HansV
Administrator
Posts: 78391
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by HansV »

A hack by the foreign government of your choice would have been a real conspiracy theory!
Best wishes,
Hans

stuck
Panoramic Lounger
Posts: 8160
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by stuck »

HansV wrote:A hack by the foreign government of your choice...
:thumbup: Now you're talking! :clapping:

Ken

HansV
Administrator
Posts: 78391
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by HansV »

tinfoilhat.jpg
Best wishes,
Hans

StuartR
Administrator
Posts: 12601
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by StuartR »

Why is that man wearing my hat?
StuartR


stuck
Panoramic Lounger
Posts: 8160
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by stuck »

StuartR wrote:Why is that man wearing my hat?
Perhaps he's painting his ceiling? Or perhaps he's on his way to your house, to paint your ceiling? I'm reliably informed you have several in need of a coat of paint :grin:

Ken

HansV
Administrator
Posts: 78391
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by HansV »

StuartR wrote:Why is that man wearing my hat?
He's a bit weird...
Best wishes,
Hans

Leif
Administrator
Posts: 7208
Joined: 15 Jan 2010, 22:52
Location: Middle of England

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by Leif »

StuartR wrote:Why is that man wearing my hat?
He obviously read your mind and copied the (faulty) design.
Leif

StuartR
Administrator
Posts: 12601
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by StuartR »

He can't possibly have read my mind, Leif. You know full well that tin foil hats provide complete protection against both mind control AND mind reading.
StuartR


StuartR
Administrator
Posts: 12601
Joined: 16 Jan 2010, 15:49
Location: London, Europe

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by StuartR »

stuck wrote: Perhaps he's painting his ceiling? Or perhaps he's on his way to your house, to paint your ceiling? I'm reliably informed you have several in need of a coat of paint :grin:
I finished painting my ceiling now, Ken; that's why my tin foil hat is a bit paint-spattered.
StuartR


stuck
Panoramic Lounger
Posts: 8160
Joined: 25 Jan 2010, 09:09
Location: retirement

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by stuck »

StuartR wrote:...I finished painting my ceiling now...
Feel free to pop up north this weekend and help me paint some walls.

Ken

rgrosz78
Lounger
Posts: 42
Joined: 21 Mar 2015, 15:43

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by rgrosz78 »

Recent developments are really scary:
https://arstechnica.com/information-tec ... -appeared/

"Now that it's known the CCleaner backdoor actively installed a payload that went undetected for more than a month, Williams renewed his advice that people who installed the 32-bit version of CCleaner 5.33.6162 or CCleaner Cloud 1.07.3191 reformat their hard drives. He said simply removing the stage-one infection is insufficient given the proof now available that the second stage can survive and remain stealthy."
Rick Groszkiewicz
Life is too short to drink bad wine (or bad coffee!)

HansV
Administrator
Posts: 78391
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Warning: 32-bit version of CCleaner 5.33 compromised

Post by HansV »

It is worrying, but there are two mitigating factors:
1) Only computers with 32-bit Windows were infected. A very large majority of users will have 64-bit Windows, since that has been the default for the last 10 years or more.
2) The second-stage infection was only activated on computers within a small number of corporate domains (see the list shown in the article).
The number of computers that meet both criteria is likely to be small. But those should indeed be reformatted.
Best wishes,
Hans