Backdoor in CCleaner Infects Windows Users With Malware

Avast has advised users of its CCleaner which is an optimization application for Windows to immediately update their software after discovering a backdoor in the tool. Here’s what Forbes had to say:

The affected app, CCleaner, is a maintenance and file clean-up software run by a subsidiary of anti-virus giant Avast. It has 2 billion downloads and claims to be getting 5 million extra a week, making the threat particularly severe, researchers at Cisco Talos warned. Comparing it to the NotPetya ransomware outbreak, which spread after a Ukrainian accounting app was infected, the researchers discovered the threat on September 13 after CCleaner 5.33 caused Talos systems to flag malicious activity.

Further investigation found the CCleaner download server was hosting the backdoored app as far back as September 11. Talos warned in a blog Monday that the affected version was released on August 15, but on September 12 an untainted version 5.34 was released. For weeks then, the malware was spreading inside supposedly-legitimate security software.

The malware would send encrypted information about the infected computer – the name of the computer, installed software and running processes – back to the hackers’ server. The hackers also used what’s known as a domain generation algorithm (DGA); whenever the crooks’ server went down, the DGA could create new domains to receive and send stolen data. Use of DGAs shows some sophistication on the part of the attackers.

Now it’s really embarrassing when an anti-virus company has one of its own products be a vehicle for malware. Clearly someone over at Avast was asleep at the switch. If you’re a Windows user who uses this software, I’d be dumping it right now and following these directions to see if you were infected. Then you should install(if you must) to the latest version which is available for download here.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: