Avast Unknowingly Bundled Malware With CCleaner For Almost A Month

Status
Not open for further replies.

alchap1

Prominent
Sep 18, 2017
FYI, just ran Malwarebytes on my 64-bit machine with CCleaner v5.34.6207 already installed.

Malwarebytes detected Trojan.Nyetya for download of ccsetup533.exe and \Program Files (86)\iolo\System Checkup
 

3ogdy

Distinguished
Jul 13, 2009
On September 13, Talos was conducting some beta testing for its new exploit detection technology when it noticed that CCleaner 5.33 (the latest version at the time) was being flagged by the new software.


The Talos team further analyzed the CCleaner file, and although the file was correctly signed by the vendor, CCleaner was not the only application being downloaded on users’ systems. The 32-bit binary of CCleaner 5.33 also included a malicious payload with a connection to a hardcoded command and control server.

The affected version of CCleaner (v5.33) was released on August 15, which gave the malware almost a month to infect CCleaner users. Version 5.34 came out on September 12, the same day the CCleaner devs found the malware themselves, and it didn’t have the malware bundled with it.


OK, this makes no sense at all. Talos says 5.33 was the latest version at the time, which is September 13th, yet 5.34 had come out a day before?
 

ddpruitt

Honorable
Jun 4, 2012


Talos never said that. Tom's once again editorializing without admitting it. The actual writeup states just that they were doing testing on 5.33, not why they were using it. My guess is that since it was beta testing it didn't really matter and they just went with what they had lying around.
 

ddpruitt

Honorable
Jun 4, 2012
My respect and trust in a company depends on how they handle an incident like this. It's clear that this malware was intended to allow another large scale botnet and that there were several breakdowns in the software development process that allowed this to happen.

Talos makes it pretty clear that there was a serious problem on Piriform's end (how do you build and send something out when the source obviously doesn't match what is in your release branch???). They spell out what happened and what they know and don't know and try to avoid assigning blame.

On the other hand Piriform's statement makes it seem like they figured it out and eliminated the problem and released an update. It's pretty obvious they just got damn lucky the new version doesn't have the malware, probably because it got built on a different machine from the affected release. They aren't taking any responsibility for what's a pretty massive breach on their end.

With that type of response I won't ever support the use of Avast or Piriform software in the foreseeable future.
 

turkey3_scratch

Polypheme
Ambassador
The affected version of CCleaner (v5.33) was released on August 15, which gave the malware almost a month to infect CCleaner users. Version 5.34 came out on September 12, the same day the CCleaner devs found the malware themselves, and it didn’t have the malware bundled with it.
You're going to tell me that CCleaner devs didn't know that malware was in the software they create? Sounds like bull crap to me, it seems much more likely to me CCleaner was paid to mix malware with their software for a big sum of money.

Unless someone can legitimately explain to me how Malware "accidentally" gets bundled with software that they program themselves and compile.
 

N3TRICITY

Reputable
Sep 18, 2015
Our organization tested Avast (and other programs) in our DMZ (mirror of the live network). In the first week, Avast failed to live up to its advertised claims, and effectively resulted in shutting down the virtual mirror.

Their [Avast] customer service response was also ineffective, offering no patch or fix.

I understand end users usually don't have the ability to test software like this; however, I recommend that they either install it on a less critical Austen before deploying to an asset.
 

Christopher1

Distinguished
Aug 29, 2006
Guys, if you are dropping CCleaner because of this, you are fools.
Every software has had a problem like this from time to time. It is a learning experience and perhaps the answer/solution is to have development machines physically segregated from the internet or with very very very highly distrustful firewalls between development machines that have to be connected to the internet for some reason and the internet itself.

I downloaded CCleaner's Portable version just a few minutes after reading this just to see what had changed in CCleaner. Much lighter on resources and found some registry keys and unnecessary files that PrivaZer and other software had missed on my machine.

Developers are NOT seers. Many times developers simply take X file repository and use it to build their latest version of their software. If somehow that file repository has been compromised (by someone hacking the development machine it was on or someone being paid to actively compromise the file repository) things like this happen.
 

Christopher1

Distinguished
Aug 29, 2006


Avast customer service is done by peons overseas. If you truly want them to fix something that is an extreme security vulnerability or 'destroys the virtual machine' issue you have to keep on asking to be 'bumped up' until you get to the English-speaking people who are able to understand what you are saying.

If you were testing prototype Avast software on a virtual machine or mirror then things like that happen from time to time. If it was 'final' version software you have a right to be reasonably angry at Avast for mucking up your systems.

Avast has been known to have problems over the past 4 years. They are always sending out broken updates to their software that actively harm the computers of people who run the software.
 

Olle P

Distinguished
Apr 7, 2010
"Other factors limiting the potential impact were the fact that the malware ... only activating on Windows accounts with administrator privileges."
Without admin privileges the function of CCleaner is pretty limited. (Cleaning registry and other useful stuff.)
 
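A defender-side check, added here as an example and not code from the thread, Talos or Piriform: it runs over constructed process-network telemetry and flags the build Talos described (CCleaner 5.33, 32-bit binary) contacting a destination outside the vendor's own hosts, ranking each finding by whether the process ran with administrator rights, the condition under which the payload reportedly activated. The log format, the vendor allowlist and the `c2-placeholder.example` hostname are assumptions; the thread gives no real C2 address.

```python
import re

# Constructed sample telemetry (not real data): one process-network event per
# line in a simple key=value form loosely modelled on EDR/Sysmon-style exports.
# The C2 hostname is a placeholder; the thread does not give the real one.
SAMPLE_LOG = """\
ts=2017-09-13T10:02:11Z image=CCleaner.exe ver=5.33.6162 arch=x86 admin=1 dst=update.vendor.example:443
ts=2017-09-13T10:02:12Z image=CCleaner.exe ver=5.33.6162 arch=x86 admin=1 dst=c2-placeholder.example:443
ts=2017-09-13T10:05:40Z image=CCleaner64.exe ver=5.34.6207 arch=x64 admin=0 dst=update.vendor.example:443
ts=2017-09-13T10:07:03Z image=CCleaner.exe ver=5.33.6162 arch=x86 admin=0 dst=c2-placeholder.example:443
ts=2017-09-13T10:09:15Z image=notepad.exe ver=10.0.15063 arch=x64 admin=0 dst=c2-placeholder.example:443
"""

# Hosts the vendor's own software is expected to talk to (assumed allowlist).
VENDOR_HOSTS = {"update.vendor.example"}
# Version and architecture Talos described as carrying the payload.
AFFECTED_VERSION_PREFIX = "5.33."
AFFECTED_ARCH = "x86"

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value line into a dict of fields."""
    return dict(FIELD_RE.findall(line))

def classify(ev):
    """Severity for one event, or None when nothing on the page's criteria matches.

    high:   affected build, non-vendor destination, admin account (payload active)
    medium: affected build, non-vendor destination, non-admin account
    low:    affected build seen at all (still needs upgrade/removal)
    """
    is_ccleaner = ev.get("image", "").lower().startswith("ccleaner")
    affected = (is_ccleaner
                and ev.get("ver", "").startswith(AFFECTED_VERSION_PREFIX)
                and ev.get("arch") == AFFECTED_ARCH)
    if not affected:
        return None
    dst_host = ev.get("dst", "").rsplit(":", 1)[0]   # strip the port
    if dst_host in VENDOR_HOSTS:
        return "low"
    return "high" if ev.get("admin") == "1" else "medium"

def scan(log_text):
    """Classify every line; return a list of (timestamp, severity) findings."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        sev = classify(ev)
        if sev:
            findings.append((ev["ts"], sev))
    return findings

if __name__ == "__main__":
    for ts, sev in scan(SAMPLE_LOG):
        print(ts, sev)
```

The architecture test follows the Talos description quoted above; karlylite's later report of a 64-bit detection is a reason to relax the `arch` condition when hunting in your own estate.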

karlylite

Prominent
Sep 20, 2017
I had the malware detected by Webroot... and I have the 64-bit version of CCleaner Pro. So it's not only in the 32-bit version of CCleaner.
 

This is an anti-malware company distributing malware in one of their popular products for a full month, and it wasn't even them who eventually detected it (or if they did, they might have been hoping to keep quiet about it and hope no one noticed).

Honestly, lots of anti-malware companies seem a bit dodgy though. AV software often behaves like a rootkit, purportedly to prevent malware from disabling it, but that also means it has the potential to do nefarious things behind the scenes, outside the view of the operating system. And from a business perspective, major outbreaks of malware tend to be a good thing for these companies, as it encourages people to buy their software, even if it doesn't actually provide much protection against new malware and as yet unknown vulnerabilities. Any serious designer of malware is going to make sure their software is not detected by any existing anti-malware software anyway. At best, AV software just provides a patch to stop malware after it's already infiltrated lots of systems.

And while it's unlikely Avast included malware in CCleaner on purpose, I wouldn't doubt if some other anti-malware company was behind it, trying to make a major competitor look bad. It is noteworthy that this didn't happen until shortly after Avast acquired Piriform, so that seems like a possible scenario. Either way, as a company providing a form of security, Avast should have had better precautions in place to prevent something like this from happening.



So, should we consider their years of broken updates a "learning experience"? :P
 

Olle P

Distinguished
Apr 7, 2010
Given that it looks like an insider job my thought is more that it's some Piriform employee that doesn't like the takeover.
