keronray.blogg.se

Ccleaner cloud version 1.07.3191

Piriform says that it's still investigating where the attack came from, and the company sent a. All collected information was encoded with base64 using a custom alphabet, which pinged a hardcoded IP address, signaling the delivery of the second stage of the malicious package. 'Users of CCleaner Cloud version have received an automatic update,' explained the company. However, the extent of obfuscation of this backdoor went a few steps further.

  • Afterwards, a normal execution of CRT code and main CCleaner continued, resulting in the thread with payload running in the background.
  • This DLL was subsequently loaded and executed in an independent thread.
  • The result (16 kB in size) was a DLL (dynamic link library) with a missing MZ header.

    CCleaner users that are running older versions or that do not trust the one they are using now are encouraged to update their CCleaner software to.

    If you suspect you may have downloaded CCleaner version or CCleaner Cloud version, scan your system for malware. It decrypted and unpacked hardcoded shellcode (10 kB large); a simple XOR-based cipher was used for this. First of all, check the version of CCleaner on your system.

    Hidden through "encrypted strings" and "indirect API calls", the malicious load was run just before the main application's code, specifically performing the following actions: The two-stage backdoor that was identified was capable of running code from "a 3rd party computer server in the USA" and of causing the transmission of "non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters)".

    Due to the company contacting law enforcement, and the nature of the investigation, the issue hadn't been disclosed previously; however, the unauthorized server was shut down on the 15th of this month. About 2.27 million users have been affected, according to Avast CTO, Ondrej Vlcek. Regardless, perhaps a little more concerning than the mismatched timeline, the compromised executable was actually digitally signed using a valid certificate from the developer. Apparently, CCleaner in particular has been a tad of a headache for its parent company recently.

    According to an announcement on its official blog, Piriform stated that the 32-bit versions of both CCleaner (released on August 14, updated to a non-compromised version on September 12) and CCleaner Cloud (released on August 24, updated to a non-compromised version on September 15) were part of a "security incident".

    Although Piriform states that it discovered some suspicious activity on September 12 and issued an update for CCleaner the same day, researchers at Cisco Talos state that they informed Avast of the issue relating to the two aforementioned programs on September 13.
A mere two months ago, Czech antivirus company Avast acquired Recuva, Speccy, and CCleaner developer Piriform for an undisclosed amount of money.










