# Hack Vulnerability in CCleaner.



## HanaBi (Sep 18, 2017)

Following on from the massive security hack over at Equifax & Google PlayStore, it is important for users of CCleaner to make sure they're not using version 5.33, which was released by Avast/Piriform on 15th August 2017.

The release has a number of critical malware vulnerabilities that could be compromised by hackers.

The full version in question is v5.33.6162 and v1.07.3191 of CCleaner Cloud for 32-bit machines and phones.

The recommendation from Avast is to upgrade to v5.34 and v1.07.3214 respectively, although this may not be sufficient, with one vendor, Cisco Talos, recommending a complete wipe and reinstall of all software to one's machine in order to be absolutely sure all remnants have been removed.

Hackers installed backdoor in CCleaner, Avast’s Piriform warns


----------



## HanaBi (Sep 21, 2017)

Following on from my original post, there is some serious concern regarding the ramifications of the "infected" CCleaner versions highlighted above.

Avast/Piriform rolled out the v5.34 and v1.07.3214 updates, which were said to resolve the issue; however, in what is seen as a panic measure, a new version has been released (5.35.6210) which, unlike 5.34, carries a message that suggests the new release contains "important changes". So perhaps 5.34 wasn't all that effective after all.

Moreover, Cisco Talos are still persistent in recommending that infected machines are completely wiped down to bare metal and then either restored from a backup prior to the release of the infection (v5.33), or have software and apps manually installed from scratch.

QUOTE - "_These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor," Talos' post says. "These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system._"

CCleaner targeted top tech companies in attempt to lift IP


----------



## J Riff (Sep 23, 2017)

I took it off. Just tried SuperAntiSpyware, it found some malware.


----------



## Hugh (Sep 24, 2017)

From my limited knowledge/reading on this, the hack seems to be aimed at far bigger players than myself.  Although I had the relevant ccleaner freebie and used it regularly, I'm assuming/hoping that I'm OK.  During that time period I also scanned regularly with AVG (paid up) and Malwarebytes Antimalware (freebie).


----------



## Dave (Sep 24, 2017)

Is v5.32 perfectly okay? 

It is asking me to upgrade to v5.35 but I didn't bother given what I've heard, and no malware is being highlighted by the other things I run. 


J Riff said:


> I took it off. Just tried SuperAntiSpyware, it found some malware.


They do different things though. I use both. I've never found any malware present with SuperAntiSpyware though, I've just removed cookies. I have some other things too, which would prevent executing downloaded malware in the first place.


Hugh said:


> From my limited knowledge/reading on this, the hack seems to be aimed at far bigger players than myself.  Although I had the relevant ccleaner freebie and used it regularly, I'm assuming/hoping that I'm OK.  During that time period I also scanned regularly with AVG (paid up) and Malwarebytes Antimalware (freebie).


I think it is aimed at bigger players than us, but if you have v5.34 I would strongly advise that you follow the advice to restore to a point before you downloaded it.


----------



## HanaBi (Sep 24, 2017)

Dave said:


> Is v5.32 perfectly okay?
> 
> It is asking me to upgrade to v5.35 but I didn't bother given what I've heard, and no malware is being highlighted by the other things I run.
> 
> They do different things though. I use both. I've never found any malware present with SuperAntiSpyware though, I've just removed cookies. I have some other things too, which would prevent executing downloaded malware in the first place.
> 
> I think it is aimed at bigger players than us, but if you have v5.34 I would strongly advise that you follow the advice to restore to a point before you downloaded it.



V5.32 is clean but obviously out of date and should be updated as soon as..

Interestingly, my Avira AV software detected the infected V5.33 when I created a standalone VM with Windows 10 installed and CCleaner v5.33. When I ran Avira it picked it up and dumped it into quarantine. However, Malwarebytes did not detect it, which is interesting in itself.

Whether v5.33 is aimed at the bigger players or not, it is advisable to remove it and replace it with v5.35 (and not v5.34, which, although supposedly clean, is more of a rushed fixpack for 5.33).

Depending on the sensitivity of what you store on your machine, it is advisable to create an encrypted backup to an external hard drive or to the Cloud, and to change critical passwords too, once you've got rid of v.5.33.


----------



## Hugh (Sep 24, 2017)

Many thanks @HanaBi and @Dave for your advice.

I did update to v.5.35 as soon as suggested by ccleaner though was not aware at the time of the urgency.

Concerning perhaps that my AVG had detected nothing.

I will change passwords.


----------

