Tuesday, September 19, 2017

CCleaner 5.33 32-bit with actual developer signature gets a backdoor


Piriform (acquired by Avast in the Summer of '17) got the word out pretty early; their blog post is here.

Graham Cluley at Smashing Security seemed to get the scoop; he cited Cisco Talos, who "first identified the problem" and coordinated the disclosure.

I think the most intriguing things are:
  1. How did the attackers get hold of the signing certificate, which seems to indicate that the Piriform/Avast infrastructure was compromised, and how will they revoke it?
  2. The free version of CCleaner doesn't auto-update. This might have saved a *LOT* of people, since it's routinely used by tech support people to fix mysterious errors on corporate machines. There seems to be a standalone "Portable" version available; Techspot talks about it here, including a "Duplicate file finder", which sounds interesting for people like me with sucky backup and photo workflows :-/
  3. Intriguing or ironic: I've seen it run on an enterprise machine and leave something behind which was picked up by the enterprise software scanner as obsolete software, with no indicator of the exact version. How do you delete that? More to follow, I hope...
Update: CCleaner might drop a startup turd on your system, even if it's the portable version; this thread talks about it: https://forum.piriform.com/?showtopic=42073


