Piriform has updated CCleaner to version 5.35 just days after releasing 5.34. The reason? Well, as you may have read in our previous article, a hacked version of CCleaner 5.33 was being distributed from its official servers, which collected data from PCs it was installed on.

Now, a new statement posted on the Piriform website says that "CCleaner version 5.35 has been released with a new digital signature", in order to update their systems. This may not make much sense to users, as the original statement where the company announced the news wasn't exactly a very transparent message.

However, if you had read Cisco Talos' findings, it clearly mentioned that CCleaner 5.33 had originally been digitally signed with a certificate from Symantec. But the hacked version had a similar certificate, and its timestamp showed it had been signed about 15 minutes later than the one previously released.

Cisco's post mentioned that "Ideally this certificate should be revoked and untrusted moving forward". So it appears that Cisco was correct to say that, and Piriform has changed the certificate to ensure that a similar hack isn't done again.

The bigger question is why Avast (the parent company of Piriform) took almost a week to release an update after it was notified by Cisco on September 13th. How many users were impacted by this? And who was behind this?

Funnily enough, Kaspersky popped up a notification today on my PC, asking me to update from 5.34 to version 5.35. Well played Kaspersky, that was right on the nose.

First reported by Talos and Morphisec, the compromise of CCleaner version 5.33 is still making news.

At NVISO Labs, we created YARA detection rules as soon as the news broke, and distributed these rules to our clients subscribed to our NVISO Security Advisories. The strings used by the third rule are:

    $a = 's:\\workspace\\ccleaner\\branches\\v5.33\\bin\\CCleaner\\Release\\CCleaner.pdb'
    $b = 's:\\workspace\\ccleaner\\branches\\v5.33\\bin\\CCleaner\\ReleaseTV\\CCleaner.pdb'

You can scan the C: drive of a computer with YARA like this:

And there are also many other scanning tools that include the YARA engine, like ClamAV.

The first 2 rules we created are hash based, but the third rule (ccleaner_compromised_pdb) is based on a particular string found in CCleaner's 32-bit executables. This string is the full path of the Program Database (PDB) file, a debug file created by default by Visual Studio and referenced in compiled executables.

With this rule, we were able to identify 235 files on VirusTotal. Most of these are actually container files (like ZIP files): CCleaner is a popular application, and is distributed through various channels other than Piriform's website. We saw examples of portable application packages distributing this compromised version of CCleaner (like LiberKey) and also RAR files with pirated versions of CCleaner.

23 files were actual executables, and were all compromised versions of the 32-bit executable of CCleaner version 5.33, except one. Most of these files did not have a (valid) signature: they were modified versions, e.g.

Only one executable detected by our ccleaner_compromised_pdb rule was not infected: an executable with SHA256 hash c48b9db429e5f0284481b4611bb5b69fb6d5f9ce0d23dcc4e4bf63d97b883fb2. It turns out to be a 32-bit executable of CCleaner version 5.33, digitally signed on, e.g.
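The PDB-path indicator above is a build fingerprint: it identifies a CCleaner 5.33 build, which is why it also fired on container files and on one executable that turned out not to be infected. The following scanner, written here as an added example (it is not NVISO's rule or tooling, and the sample files it creates are constructed, not real CCleaner binaries), applies the same `$a or $b` logic in Python, descends into ZIP containers, and reports each hit with its SHA-256 so it can be compared against the known-clean hash the post gives. Everything except the two PDB paths and that hash is an assumption of this example.

```python
import hashlib
import io
import os
import tempfile
import zipfile

# The two PDB path strings from the page's ccleaner_compromised_pdb rule
# (YARA $a and $b). YARA text strings double the backslash as an escape;
# inside the binary each path is stored with single backslashes, so that is
# the byte sequence searched for here.
PDB_PATHS = (
    rb"s:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb",
    rb"s:\workspace\ccleaner\branches\v5.33\bin\CCleaner\ReleaseTV\CCleaner.pdb",
)

# The one matching executable the page reports as NOT infected. A PDB-path hit
# says "this is a 5.33 build"; it does not by itself prove the build is
# trojanized, so hits are compared against known-clean hashes before escalation.
KNOWN_CLEAN_SHA256 = {
    "c48b9db429e5f0284481b4611bb5b69fb6d5f9ce0d23dcc4e4bf63d97b883fb2",
}

MAX_CONTAINER_DEPTH = 3  # guard against deeply nested (or hostile) archives


def matches_pdb_rule(data: bytes) -> bool:
    """Python equivalent of the YARA condition '$a or $b'."""
    return any(path in data for path in PDB_PATHS)


def classify(data: bytes) -> str:
    """Return 'no-match', 'match-known-clean' or 'match-review' for one blob."""
    if not matches_pdb_rule(data):
        return "no-match"
    digest = hashlib.sha256(data).hexdigest()
    return "match-known-clean" if digest in KNOWN_CLEAN_SHA256 else "match-review"


def scan_blob(data: bytes, label: str, results: list, depth: int = 0) -> None:
    """Classify one blob and, if it is a ZIP container, each member inside it."""
    verdict = classify(data)
    if verdict != "no-match":
        results.append((label, verdict, hashlib.sha256(data).hexdigest()))
    if depth < MAX_CONTAINER_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.is_dir():
                    continue
                scan_blob(archive.read(member), f"{label}!{member.filename}",
                          results, depth + 1)


def scan_tree(root: str) -> list:
    """Walk a directory tree; return (relative label, verdict, sha256) per hit."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()  # whole-file read is acceptable for an example
            except OSError:
                continue
            scan_blob(data, os.path.relpath(path, root), results)
    return results


def make_constructed_samples() -> str:
    """Create a temp directory of CONSTRUCTED samples (not real CCleaner files):
    a fake PE carrying the PDB path, a deflated ZIP bundling that fake PE, and
    an unrelated text file. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="pdb_scan_")
    fake_pe = b"MZ" + b"\x00" * 64 + PDB_PATHS[0] + b"\x00"
    with open(os.path.join(root, "CCleaner.exe"), "wb") as fh:
        fh.write(fake_pe)
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"nothing of interest here")
    with zipfile.ZipFile(os.path.join(root, "bundle.zip"), "w",
                         compression=zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("CCleaner.exe", fake_pe)
    return root


if __name__ == "__main__":
    for label, verdict, sha256 in scan_tree(make_constructed_samples()):
        print(f"{verdict:18} {sha256[:16]}...  {label}")
```

Two design points worth noting. First, the sample ZIP is deflated, so only its member matches; had it been stored uncompressed, the archive itself would also match, which is the same effect that made most of the 235 VirusTotal hits containers rather than executables. Second, RAR and other formats the standard library cannot open are not unpacked here, so such containers are only flagged when the path string happens to be visible in the raw bytes.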