Warning: Malware-laden version of CCleaner 5.33
The popular system tuning application "CCleaner" was shipped with a stowaway for about a month. Researchers at Talos found that the version available on the official download site contained a piece of malware. Two factors make this case particularly interesting. First, the application has a very broad user base: according to the manufacturer, it has been downloaded around two billion times so far, so the number of potentially affected users is very high. Second, the manipulated version of CCleaner was signed with a valid certificate. Such certificates are meant to ensure that an application comes from a trusted vendor; someone with access to a stolen certificate can therefore reach a very wide audience, since Windows does not execute unsigned applications unless additional settings are manipulated.
G DATA customers are protected
The manipulated version 5.33 of CCleaner was shipped between August 15 and September 12. All G DATA solutions detect this version as Win32.Backdoor.Forpivast.A.
A corrected version has already been released. Users who have the affected version installed are advised to update to version 5.34. The free editions of the program do not install the update automatically; in this case, users need to download the updated setup file manually and install it.
Compromised downloads – not a new phenomenon
The fact that the infected version 5.33 was signed with a valid certificate points to several potential security issues, ranging from a compromised code-signing process at the vendor to a compromised certificate authority.
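The signing point raised in the introduction and in the paragraph above is that a valid Authenticode signature only proves the file was signed with a trusted certificate, not that the vendor meant to ship it. The following is an added example (not code from the G DATA post) of how a defender can assess a downloaded installer: signature status, signer, product version and file hash are checked together; the known-good SHA-256 parameter is a hypothetical placeholder that would come from the vendor's published hashes.

```powershell
function Test-InstallerTrust {
    # Added example: combine several checks instead of trusting the signature alone.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Hypothetical vendor-published SHA-256; placeholder, replace before use.
        [string]$KnownGoodSha256 = 'REPLACE-WITH-VENDOR-PUBLISHED-SHA256'
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $ver  = (Get-Item -Path $Path).VersionInfo.ProductVersion
    $findings = @()

    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status is '$($sig.Status)', not Valid."
    } else {
        # Valid signature: record who signed it, but treat it as a hint, not proof of integrity.
        $findings += "Signed by '$($sig.SignerCertificate.Subject)' (thumbprint $($sig.SignerCertificate.Thumbprint))."
    }

    # 5.33 is the CCleaner release the post identifies as affected.
    if ($ver -like '5.33*') {
        $findings += "Product version $ver matches the affected 5.33 build; update to 5.34."
    }

    # Get-FileHash returns uppercase hex, so normalise the expected value before comparing.
    if ($hash -ne $KnownGoodSha256.ToUpper()) {
        $findings += "SHA-256 $hash does not match the known-good value; do not run this file."
    }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        ProductVersion  = $ver
        Sha256          = $hash
        Findings        = $findings
    }
}

# Usage (hypothetical path): Test-InstallerTrust -Path 'C:\Downloads\ccsetup.exe' | Format-List
```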
However, spreading malware signed with a valid certificate, or malware-laden versions of legitimate programs, via official channels is by no means a new phenomenon. In the past, similar things happened to a torrent client for Mac as well as a Linux distribution. The "Petna" malware used the update infrastructure of an accounting software package.
Malware authors appear to go to ever greater lengths to infect as many machines as possible in the shortest possible time. The supply chain is a very valuable target for this. If an attacker successfully compromises a vendor's supply chain, the consequences are far-reaching; this, too, has happened before.
https://www.gdatasoftware.com/blog/2017/09/30029-warning-ccleaner-5-33