CCleaner Compromised to Distribute Malware for Almost a Month

Axel PC

Senior Member
Yeah crazy, have to be extra careful nowadays with anything online. It's not the CompuServe dial-up days of the internet anymore lol.

All the more reason to move over to 64-bit... ;)
Fortunately my laptop is 64-bit and my version of Windows is 64-bit.

I'm curious though if we'll see that botnet come to fruition, as that could have been the point of the hack.
 

kemical

Windows Forum Admin
Staff member
Premium Supporter
Even though I'm 64-bit I still checked anyway for the rogue folder that's apparently supposed to appear in the registry, but happily nothing there...
 

pnamajck

Honorable Member
CCleaner Malware Incident - What You Need to Know and How to Remove
subheading: Why didn't antivirus software catch the infection?
"The CCleaner binary that included the malware was signed using a valid digital certificate."


CCleaner Compromised to Distribute Malware for Almost a Month
subheading: Threat actor compromised CCleaner infrastructure
"Cisco Talos believes that a threat actor might have compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan."


basically, at this point … nobody yet knows how the certificate was breached (allegedly) … inside job or not. and our own local anti-virus and malware-sniffers were unable to spot it … simply because the digital signature was 'authentic'.

notwithstanding … could this be the tactic in the near future? could hackers start inserting their malware under the guise of valid certificates … such as what happened here? and then upload it into a secure server of a prominent security exchange?

i mean, if it happened in this scenario … it can definitely happen within a controlled environment. thereby … microsoft will need to resort to creating 2fa and 3fa when it comes to digital certificates? "yes, this certificate is authentic … let's check the ans data-streams for a second-seal and third-seal."

i can see yet another type of security software looming on the horizon … "we will 'validate' your valid certificates by intervening with the ceo within each company … i.e. is this certificate really valid, or does it just state it is valid?" oh yeah … and this new enterprising company will charge $69 for a year-long subscription.

neemo … just out of curiosity, have you tried downloading that nefarious 32bit version of ccleaner-5.33 onto your computer … and did you sic webroot anti-virus on it? and what were the results? did the product question the operator about the install/certificate?

i think a consortium of some real brainiacs needs to assemble and manifest one single all-encompassing security sentry … that system will know every possible way of exploiting any software. you mock me and say "designing such a system would never be possible" … to which i quietly challenge "you got a better idea?"

anyway … thanks for this post, mike … once again, i am enlightened.
 

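Added example (not code from any of the posts, nor from Piriform or Avast), modelling in Go the point the two quoted articles make: a valid signature only proves which key signed the file, so a download check that also pins the hash the vendor published out of band flags a build signed with a misused key. ed25519 stands in for Authenticode, and the file contents are constructed sample bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict holds two independent checks on a download. SignatureValid means
// the vendor's key signed the bytes (it says who signed, not what was signed);
// HashPublished means the bytes match a build the vendor announced through a
// channel other than the download server itself, e.g. release notes.
type Verdict struct {
	SignatureValid bool
	HashPublished  bool
}

// Check verifies sig over data with the vendor's public key and looks the
// SHA-256 of data up in the set of published release hashes.
func Check(pub ed25519.PublicKey, published map[string]bool, data, sig []byte) Verdict {
	sum := sha256.Sum256(data)
	return Verdict{
		SignatureValid: ed25519.Verify(pub, data, sig),
		HashPublished:  published[hex.EncodeToString(sum[:])],
	}
}

// Scenario models the incident with constructed sample bytes: the genuine
// build and a tampered build are both signed with the same misused key.
func Scenario() (genuine, tampered Verdict) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := []byte("constructed sample: genuine 5.33 build")
	bad := []byte("constructed sample: genuine 5.33 build + injected payload")
	sum := sha256.Sum256(good) // only the intended build gets a published hash
	published := map[string]bool{hex.EncodeToString(sum[:]): true}
	genuine = Check(pub, published, good, ed25519.Sign(priv, good))
	tampered = Check(pub, published, bad, ed25519.Sign(priv, bad))
	return genuine, tampered
}

func main() {
	g, t := Scenario()
	fmt.Printf("genuine: %+v\ntampered: %+v\n", g, t)
}
```

The published hash only helps if it reaches you through a channel the attacker did not also control; when the same compromised server hosts both the file and its hash, the second check adds nothing.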
KM Richards

Honorable Member
If one simply stayed with version 501... they would be safe, right?

I usually go to the options on most software (except Firefox) and disable automatic updates so I can decide if and when it is updated.
 

nmsuk

Windows Forum Admin
Staff member
Premium Supporter
You're safe now to update it. Piriform have fixed it.
 

KM Richards

Honorable Member
From what I was reading, the compromise was only applicable to version 5.33.6162

Nothing has been said about there being a problem for previous versions.
 

nmsuk

Windows Forum Admin
Staff member
Premium Supporter
From what I was reading, the compromise was only applicable to version 5.33.6162

Nothing has been said about there being a problem for previous versions.
It was also only 32-bit machines.

Sent from my Nexus 6 using Tapatalk
 

Axel PC

Senior Member
Yeah I read about that too. Should be interesting to see what comes of this down the road, and if any future attacks turn out to be related to it. A lot of major companies are on that IP list.

Sent from my SM-G935P using Windows Forums mobile app
 