How To Fix CCleaner Botnet Infection


CCleaner Infection

ccleaner-logo-1

I have always recommended CCleaner as a good utility for the normal Windows user to help keep their Windows systems free of clutter, and I still do. By “normal”, I mean those of us who are not geeky, power freaks who are able to strip an operating system down to its nuts and bolts and put it back together again.

But recently, the CCleaner installer got corrupted by a Botnet virus (Win.Trojan.Floxif-6336251-0). According to Talos, a division of Cisco, version 5.33 was hiding malware in the installer for CCleaner. This version was released on August 15 and was still being used for its download link on the official CCleaner page on September 11.

Are You Infected?

If you installed the free 32-bit version 5.33 of CCleaner, then, “Yep!”, you are– along with an estimated 2.27 million other unlucky folks.

To know which version you are currently running, simply fire up CCleaner and the version number is prominently displayed in the upper-left corner of the main window. If you are running version 5.33, uninstall it and get the latest clean version (5.34 as of this writing). This is important, as you will learn later in this post.

I mention the 32-bit version because, after some digging, I see no mention of the 64-bit version anywhere. That doesn’t mean this conclusion is absolute, but it is a good sign for those using the 64-bit version. If you are using the Cloud version, then it should have already updated to a clean uninfected version. Android versions are not affected by any of this.

What Does It Do?

According to MSN News,


It gathers information like your IP address, computer name, a list of installed software on your computer, a list of active software and a list of network adapters and sends it to a third-party computer server. Your credit card numbers, social security number and the like seem to be safe.

This may not sound too bad, but the above is not so comforting when you realize the bad guy could change things down the road to include more sensitive data.

How Did This Happen?

According to Talos, this is what may have happened:

Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.

How To Clean It up

If you have installed CCleaner after September  12, then you should have the latest version.

The good news is that it is relatively easy to fix the problem and there are a couple of ways to do it:

  1. First and foremost, uninstall the old version and download CCleaner version 5.34 (or later)
  2. The second way is to run Windows Defender. According to Microsoft, Defender is able to detect and remove this virus

Opting to update CCleaner is, in my opinion, the best and only viable route to take. Apparently, the malware is limited to a CCleaner Dynamic Link Library (DLL) file which is replaced when updating the software. A more drastic approach would be to permanently delete the software.


Final Thoughts

There seems to be a fast-growing trend for companies to hold off when it comes to notifying its customers about a security breach. (All one has to do is consider the Equifax debacle to know what I’m talking about.) In this case, it took Avast, the new owner of Piriform, nearly a month to get this fixed. This is disgraceful, in my opinion. In all fairness to Avast, I guess it is possible they didn’t know about it, but they are in the security business, after all, so what does that tell you…

Sadly, it has become almost normal these days for major companies to experience these sometimes devastating security “break-ins”, but it should not become the norm not to find out about them until weeks or months later, especially for the sole purpose of saving face. There are more important long-term consequences to consider. I would much rather have a consumer angry with me because I had been fooled by a crook than to be eternally distrusted by those very same for hiding the truth.

Distrust is a hard rap to beat,

Richard

UPDATE – CCleaner v5.35 has been released with a new certificate. You can download it here:

http://www.piriform.com/ccleaner/download/standard

References

About the Author

Richard Pedersen

Richard received his first computer, a C-64, in 1982 as a gift and began dabbling in BASIC. He was hooked! His love for computing has led him from the old “XT” boxes to the more modern fare and from clunky 10MB hard drives to smooth and fast modern day SSD drives. He has run BBS services, Fido mail, and even operated his own computer repair business.

There are 39 comments

Your email address will not be published. Required fields are marked *