How To Fix CCleaner Botnet Infection


CCleaner Infection


I have always recommended CCleaner as a good utility for the normal Windows user to help keep their Windows systems free of clutter, and I still do. By “normal”, I mean those of us who are not geeky, power freaks who are able to strip an operating system down to its nuts and bolts and put it back together again.

But recently, the CCleaner installer got corrupted by a Botnet virus (Win.Trojan.Floxif-6336251-0). According to Talos, a division of Cisco, version 5.33 was hiding malware in the installer for CCleaner. This version was released on August 15 and was still being used for its download link on the official CCleaner page on September 11.

Are You Infected?

If you installed the free 32-bit version 5.33 of CCleaner, then, “Yep!”, you are, along with an estimated 2.27 million other unlucky folks.

To know which version you are currently running, simply fire up CCleaner and the version number is prominently displayed in the upper-left corner of the main window. If you are running version 5.33, uninstall it and get the latest clean version (5.34 as of this writing). This is important, as you will learn later in this post.

I mention the 32-bit version because, after some digging, I see no mention of the 64-bit version anywhere. That doesn’t mean this conclusion is absolute, but it is a good sign for those using the 64-bit version. If you are using the Cloud version, then it should have already updated to a clean uninfected version. Android versions are not affected by any of this.


What Does It Do?

According to MSN News,

It gathers information like your IP address, computer name, a list of installed software on your computer, a list of active software and a list of network adapters and sends it to a third-party computer server. Your credit card numbers, social security number and the like seem to be safe.

This may not sound too bad, but the above is not so comforting when you realize the bad guy could change things down the road to include more sensitive data.

How Did This Happen?

According to Talos, this is what may have happened:

Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.

How To Clean It up

If you have installed CCleaner after September 12, then you should have the latest version.

The good news is that it is relatively easy to fix the problem and there are a couple of ways to do it:


  1. First and foremost, uninstall the old version and download CCleaner version 5.34 (or later).
  2. The second way is to run Windows Defender. According to Microsoft, Defender is able to detect and remove this virus.

Opting to update CCleaner is, in my opinion, the best and only viable route to take. Apparently, the malware is limited to a CCleaner Dynamic Link Library (DLL) file which is replaced when updating the software. A more drastic approach would be to permanently delete the software.
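To make the “Are You Infected?” and “How To Clean It up” checks above reproducible on more than one machine, here is an added PowerShell script; it is not code from the original post, from Piriform, or from Avast. It inventories CCleaner from the standard Windows uninstall registry keys and from CCleaner’s default install folder (both are assumptions if your install is non-standard), reads each binary’s version and Authenticode signature, and flags the 5.33 build. It treats CCleaner.exe as the 32-bit binary and CCleaner64.exe as the 64-bit one, which is how a commenter on this post describes the installer laying them out.

```powershell
# Added example (not from the original post, Piriform or Avast): inventory
# CCleaner on this machine and flag the build the post says was trojanized
# (5.33, 32-bit). Assumptions: the standard Windows uninstall registry keys,
# CCleaner's default install folder, and CCleaner.exe / CCleaner64.exe being
# the 32-bit / 64-bit binaries respectively.

$AffectedVersion = [version]'5.33'   # build named in the post
$FixedVersion    = [version]'5.34'   # first clean build named in the post

function Get-CCleanerAssessment {
    param([string]$VersionString, [string]$Arch = 'unknown')
    $v = $null
    if (-not [version]::TryParse($VersionString, [ref]$v)) {
        return "Unparseable version '$VersionString'; check it in the CCleaner window"
    }
    if ($v.Major -eq $AffectedVersion.Major -and $v.Minor -eq $AffectedVersion.Minor) {
        if ($Arch -eq '64-bit') {
            return 'v5.33 64-bit: post reports only the 32-bit build as affected; update anyway'
        }
        return 'AFFECTED (or unverified arch) v5.33: uninstall, then install 5.34 or later'
    }
    if ($v -lt $FixedVersion) { return 'Older than 5.34: not the named build, but update' }
    return 'OK: 5.34 or later'
}

# 1. Registry inventory: native view, plus the 32-bit (WOW6432Node) view on 64-bit Windows.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
) | Where-Object { Test-Path $_ }

$registryHits = foreach ($root in $uninstallRoots) {
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty -Path $key.PSPath
        if ($p.DisplayName -like 'CCleaner*') {
            [pscustomobject]@{
                Source     = 'Registry'
                Item       = $p.DisplayName
                Version    = $p.DisplayVersion
                Arch       = 'unknown'   # uninstall entries do not state the binary's bitness
                Signer     = ''
                SigStatus  = ''
                Assessment = Get-CCleanerAssessment -VersionString ([string]$p.DisplayVersion)
            }
        }
    }
}

# 2. On-disk binaries: version resource plus Authenticode signature.
#    Caveat from the Talos quote in the post: the trojanized 5.33 was validly
#    signed, so a good signature shows the publisher's key was used, not that
#    the build is clean. Use it to confirm the *new* download is the publisher's.
$installDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'CCleaner' } |
    Where-Object { Test-Path $_ }

$fileHits = foreach ($dir in $installDirs) {
    foreach ($exe in 'CCleaner.exe', 'CCleaner64.exe') {
        $path = Join-Path $dir $exe
        if (-not (Test-Path $path)) { continue }
        $info = (Get-Item $path).VersionInfo
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $arch = if ($exe -eq 'CCleaner64.exe') { '64-bit' } else { '32-bit' }
        [pscustomobject]@{
            Source     = 'File'
            Item       = $path
            Version    = $info.ProductVersion
            Arch       = $arch
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            SigStatus  = $sig.Status        # Valid / NotSigned / HashMismatch / ...
            Assessment = Get-CCleanerAssessment -VersionString ([string]$info.ProductVersion) -Arch $arch
        }
    }
}

$results = @($registryHits) + @($fileHits)
if (-not $results) {
    'CCleaner not found in the uninstall registry or the default install folder.'
} else {
    $results | Format-Table Source, Item, Version, Arch, SigStatus, Assessment -AutoSize -Wrap
}

# 3. The post's second option: a Windows Defender scan of the install folder,
#    run only where the Defender cmdlets are present.
if ((Get-Command Start-MpScan -ErrorAction SilentlyContinue) -and $installDirs) {
    foreach ($dir in $installDirs) { Start-MpScan -ScanType CustomScan -ScanPath $dir }
}
```

Run it from an elevated PowerShell prompt so the HKLM uninstall keys and Program Files are readable. An “AFFECTED” row is the cue to follow step 1 above (uninstall, then install 5.34 or later); a “HashMismatch” or “NotSigned” status on a freshly downloaded binary is a reason to discard that download rather than install it.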

Final Thoughts

There seems to be a fast-growing trend for companies to hold off when it comes to notifying their customers about a security breach. (All one has to do is consider the Equifax debacle to know what I’m talking about.) In this case, it took Avast, the new owner of Piriform, nearly a month to get this fixed. This is disgraceful, in my opinion. In all fairness to Avast, I guess it is possible they didn’t know about it, but they are in the security business, after all, so what does that tell you…

Sadly, it has become almost normal these days for major companies to experience these sometimes devastating security “break-ins”, but it should not become the norm not to find out about them until weeks or months later, especially for the sole purpose of saving face. There are more important long-term consequences to consider. I would much rather have a consumer angry with me because I had been fooled by a crook than to be eternally distrusted by those very same for hiding the truth.

Distrust is a hard rap to beat,

Richard

UPDATE – CCleaner v5.35 has been released with a new certificate. You can download it here:

http://www.piriform.com/ccleaner/download/standard


About the Author

Richard Pedersen

Richard received his first computer, a C-64, in 1982 as a gift and began dabbling in BASIC. He was hooked! His love for computing has led him from the old “XT” boxes to the more modern fare and from clunky 10MB hard drives to smooth and fast modern day SSD drives. He has run BBS services, Fido mail, and even operated his own computer repair business.

39 Comments

  1. Thanks Richard for your insight on this. I do not understand the rationale of holding back when a problem is discovered. Trust is an important component today when dealing with companies. I would think the loss of trust would certainly turn into a loss of revenue.
    By being upfront with customers and working hard to rectify any problem would go a long way to maintain that level of trust.

    On an other matter, likely not in your basket. Whenever I come to DaveComputerTips site I can no longer use my mouse wheel to scroll the page down/up when using Google Chrome. It continues to work fine in other sites and works fine when I open the DaveComputerTips site in Firefox. Any thoughts? It is just annoying.

    • Hi Tom,

      Thanks for the kind words.

      I have noticed this strange mouse behavior when using MS Edge (I don’t have Chrome). For me, it’s not DCT but YouTube pages that stop responding to the wheel.
      A tap on one of the up/down cursor keys usually fixes the problem, for that particular page at that particular time.
      I don’t know what’s going on but it is most likely a browser issue. This has never happened to me using Firefox, Waterfox, IE, or Opera.

      Hope this helps,
      Richard

      • I agree, it is likely a browser problem. I have other strange things going on when I use Chrome on my desktop that do not show up when I run Chrome on my laptop.
        I had an open ticket with Google about it, but after trying several things they suggested, including completely removing and reinstalling it twice, they seem to have given up with me. 🙂

        • It’s just me, but I have never liked Chrome for a number of reasons.
          In any case, maybe it’s time to change browsers? Use one that works, that’s all I can say,

        • I would like to add I have the same issue when using Chrome and mouse scrolling on this site, but other sites work fine. Wondered if it was a code issue?

        • Hi Peter,

          Did this happen with previous versions of Chrome, or is this something new?
          The reason I am suspicious of the browser is that DCT uses WordPress as its CMS along with millions of other sites around the world. I don’t see how it could be a DCT coding problem. Since Chrome is probably the most popular browser right now, I would think the comments would be churning with complaints and yours is only the second time I’ve heard of this. Don’t get me wrong, I am happy that you let us know about it. And you, too, TomL…

          If it becomes a real problem, then I will probably be forced into installing Chrome on my machine so I can duplicate and track down the bug. I do not look forward to that unhappy proposition. Nope, not one little bit.

          I can’t speak for Chrome, but IE11, Firefox, Waterfox, and Palemoon all work perfectly. MS Edge has the occasional hiccup, but that is an Edge bug and can be easily overcome with a single Up or Down keystroke, and I’ve only experienced this behavior on YouTube.

          Thanks for your help,
          Richard

        • My experience with the no mouse scroll on the DCT site is recent, last month or two. So, I would say it is with a recent version of Chrome.

        • Hi TomL,

          Thanks for the update. If this persists after the next Chrome version update, please let me know.
          Which version do you currently have installed that is giving you trouble?

          Thank you,
          Richard

      • I have the latest stable version of chrome: Version 61.0.3163.100 (Official Build) (64-bit)

        Noticed the bug a bit ago possibly a month but forgot to bring it up. Found an old post about disabling chrome://flags/#smooth-scrolling but that didn’t fix it.

        Tried in IE 11 and there is no issue so not sure what could cause it.

        • Hi Peter,

          Thanks for the update. Our readers are pretty much saying that it’s an issue with Chrome. Some digging on the Internet should offer more clues,
          Richard

        • Did something change lately? Not sure if it’s been addressed in another post, but I seem to be able to scroll fine now? However, I’d love to use your forum and tried the other day. I already have a WordPress account, so I tried to use that, but it didn’t seem to like it, but then it didn’t want me to register with a new account either. Now I get

          “You have been temporarily locked out of this system. This means that you will not be able to sign-in or use several other features that may compromise security. Please try back in a short while. “

        • Hi Peter,
          I’m not sure what the exact problem you are having is. I’m not an expert when it comes to the Forum, so I will pass your question along to others who know more about it than I.
          Glad scrolling is working for you now.

          Richard

  2. Quite right you are Richard when you say “Sadly, it has become almost normal these days for major companies to experience these sometimes devastating security “break-ins”, but it should not become the norm not to find out about them until weeks or months later, especially for the sole purpose of saving face.” I know that had I been in such a position, I would like to know immediately.

    Just to add nostalgia, in the days when we bought software on disks (the 1.4M type), there was a well-known company which sold their product with the disks shrink wrapped, and it contained a virus. Seems an employee inserted a pirated game disk into their computer, infecting the entire system prior to the software release. Accidents happen, and can happen to everyone. A company which comes clean right away should be given a second chance, Mindblower!

    • Hi Mindblower,

      LastPass, the popular password management system, suffered an incursion a while back and they responded openly, quickly, and fixed the problem in a timely manner.
      Very professional.

      By responding in this way they have only increased my belief in them as a trustworthy operation.

      That is all we can ask, but we deserve it, too. The bad guys certainly aren’t going away.

      Thank you for your comment,
      Richard

  3. So severe and apropos that I would bet the attack is from an insider. And If I was working for Piriform I would not like my company to be bought by Avast either.

    CCleaner 5.33 has been installed on 3 of the 5 PCs running in my home. Fortunately, the only one with 32-bit Windows still had v5.20!

    I think that there are more than 2.27 million unlucky folks: many PCs with 64-bit procs and little memory still use 32-bit Windows.

    With ClamWin, I found Win.Trojan.Floxif-6336251-0 in the installer and in CCleaner.exe, the 32-bit binary. The link created by the installer normally leads to CCleaner64.exe on 64-bit systems, but the installer has always copied both files. I never knew why.

    I think Avast should release a patch shortly: 32-bit PCs likely to be running a “headless botnet” should be cleaned. If possible.

    This is no good news for Avast. Probably lots worse than their site being hacked a few years ago. And it demonstrates once more that antivirus editors are mostly quack doctors, unable to cure themselves.

  4. It seems a second stage malware was actually launched but apparently only affected a few. Apparently it targeted mainly companies possibly trying to steal information, trade secrets etc.

    What has interested me is an article claiming both a 32 and 64 bit virus existed while Piriform claims only the 32 bit version was affected. There is a solution to see if you are infected apparently by checking if a certain registry key exists. Piriform claim that simply uninstalling or upgrading fixes the issue but it may look like the issue is bigger than originally thought which is why I think avast should release a standalone tool. https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/

    It also makes me wonder how reliable are whitelisting AVs? If we whitelist a well known and well used program and it is breached and infected will the infection get through because the whitelist is basically set to allow everything?

    • I always thought that Piriform-Avast were underestimating the issue.
      If the hackers were smart enough to infiltrate Piriform, why would they have limited the infection to 32-bit machines? Especially if they wanted to steal information from powerful companies.

      • Hi Francois_C,

        Given that this malware targeted Windows computers and that most Windows 10 users are probably running 64-bit versions of that OS, I would have to agree that it seems a bit short-sighted for the bad guys to be targeting a smaller market.

        Thanks for your comment,
        Richard

    • Hi Peter,
      Martin’s CCleaner is very good and worth a read.

      White listing should only be needed when a site is black listed by default and you have a very good reason to go there on a regular basis. The Piriform site would not have been black listed to begin with.
      Any software you download should be scanned by AV software, if it’s worth its salt; even Defender does this. Granted, this doesn’t help much if the malware payload isn’t yet known or recognized. And there’s no way I’d be downloading software from sites that are black listed.

      The CCleaner situation proves that you cannot trust AV programs 100 percent. They only serve as a single layer of protection.

      Thank you for your comments,
      Richard

  5. Richard,
    I first saw the story about CCleaner on 9/18. According to Piriform’s security notification on their news blog, the threat wasn’t discovered until 9/12/17 by Avast. (http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users). Granted, the threat existed for about 30 days until it was discovered but 6 days to fix it and shut down the server involved seems pretty good. Especially when compared to Equifax, Target, and Home Depot, which took months before anyone knew about them.

  6. Richard,

    Why would anyone in their right mind want to ‘FixCCleaner’ after the huge problem recently caused by Piriform, promoting hijacked garbage. One would think that a computer ‘expert’ would recommend removing the dreadful programme, along with the also untrustworthy, sneaky Avast semi-useless programme.
    Other excellent, non-infecting programmes, Privazer, Win Optimizer by Ashampoo, Reg Organizer by Chemtable are far superior to CCleaner.
    Emsisoft is another trustworthy anti-virus/antimalware/antiransomware programme.
    I have been a computer maintenance technician for more than 35 years, continue to check and test software, read DCT and other weekly newsletters for many years, and am appalled that you still approve of black-marked CCleaner with little or no mention of the above superior programmes for those who trust DCT for recommendations.
    Even Jim Hillier gave Privazer accolades for its superiority over CCleaner.

    • Hi James,

      Suggesting that I may not be in my “right mind” is not the best way to begin an intelligent and friendly conversation.

      CCleaner is a utility I have been using for years. I trust it when it hasn’t been compromised by scumbags.

      Millions of people use CCleaner and I thought an article about working around the corruption issue was timely if, as it turns out, to be somewhat incomplete. (Much was learned about the level of severity after this article was posted.)

      This post was never intended to be a comparison of various utilities in the same genre. Saying one program is superior to another is a difficult premise to back up and each comparison would deserve its own article. Everyone has their own favorites and that mainly stems from what they get used to and not so much about which one is better.

      I, for one, don’t believe Piriform was knowingly “promoting hijacked garbage.” It is clear that you have a certain disdain for both Piriform and Avast. That’s fine. You may rant all you want, but I will continue to use CCleaner not because it is inferior or superior by some mysterious subjective measure, but because I happen to like it.

      Thank you for your comments,
      Richard

      To read the Jim Hillier article that James is referring to, go here: https://davescomputertips.com/ccleaner-vs-privazer-which-is-more-effective/

      • Hi Richard,
        I agree with you. I have used CCleaner for years on my PCs, and I still think it is the best cleaning utility available. And I also keep using it, though I was a bit disconcerted by this attack (which targeted CCleaner because of its popularity and good reputation).
        BTW, I noticed that on my wife’s W10 laptop, that never had v5.33, Windows Defender, yesterday, seemed to block the shortcut to CCleaner64.exe (v5.34). I overwrote with v5.35 (the zip archive), and the shortcut was back.

        • Hi Francois_C,

          I think we were all troubled by this hack. It can happen to any publisher, though. The bad guys aren’t going anywhere.

          This is the first I’ve heard of the 64-bit version having problems of any kind, regardless of the version number.

          Thanks for letting us know,
          Richard

        • Hi Richard,
          When I noticed that the shortcut was disabled (a message telling that CCleaner64.exe did not exist, though I could see it in Total Commander), I did not think the binary was really infected. I thought Microsoft wanted everybody to update their CCleaner version.
          But I would like to know whether someone noticed the same behavior.

    • To James H. Lord:

      Kindly read my comment in the How To Fix MalwareBytes “Unable To Connect” Error article. See no reason to post the same information twice, Mindblower!

    • To All:

      As Richard and a few others have mentioned, the Mouse problem is a Chrome issue. The link Richard gave seems to have resolved the issue, but this is FALSE.
      People are still having issues on sites using Chrome. Clearly, some fixes work for some, and not for all. I also tried out Chrome and experienced for myself the same fault. Wake up Chrome designers and fix your problem, Mindblower!
