lookimetal.blogg.se

Pirform ccleaner malware

On Monday, Cisco and Piriform – the Avast-owned company behind the popular CCleaner utility – announced that certain versions of the software have been backdoored by hackers.

A blog post by security outfit Morphisec later revealed they were the ones who first notified Avast of the problem.

The timeline of the incident and Avast’s response to it is as follows:

  • August 15: Malicious CCleaner (v) made available for download from Piriform’s servers.
  • August 24: Malicious CCleaner Cloud (v) made available for download from Piriform’s servers.
  • September 11: Morphisec researchers flag the malware after analyzing the logs of some of its products installed at customer sites.
  • September 12: Morphisec notifies Avast, Avast releases a clean version of CCleaner (), pushing it out as a lightweight automatic update to CCleaner users where it was possible, and starts notifying the remaining users to upgrade to the latest version of the product ASAP.
  • September 13: Cisco discovers the malware (also via customer log analysis) and notifies Avast.
  • September 15: Avast and law enforcement take down the backdoor’s C&C server. As Avast noted in an update today, “the threat was effectively eliminated as the attacker lost the ability to deliver the payload.” Around the same time, Cisco registered the malware’s secondary DGA domains.
  • September 18: Piriform makes the announcement about the compromise, Cisco Talos releases a blog post detailing the threat, later that day Morphisec releases a short write-up about it.

In today’s update on the situation, Avast CEO Vince Steckler and CTO Ondrej Vlcek said that the hackers were likely already in the process of hacking into the Piriform servers as Avast was putting everything in place to complete the acquisition of Piriform (in July 2017).

“The compromise may have started on July 3rd. The server was provisioned earlier in 2017 and the SSL certificate for the respective https communication had a timestamp of July 3, 2017. We strongly suspect that Piriform was being targeted while they were operating as a standalone company, prior to the Avast acquisition,” they noted.

Michael Gorelik, VP R&D at Morphisec, explained that, after analyzing the malware, they found that the TLS initialization of callback functions was probably altered by a modification of the Visual Studio runtime file.

“Such modifications can be done by someone with access to the machine that compiles the code. This makes the code injection very useful and stealth. Moreover, this code is executed before any of the original CCleaner code is executed and the executable is automatically signed by the build machine,” he added.

But how did the attackers manage to compromise this server and this machine? Avast is still not ready to share. As a temporary precaution, they migrated the Piriform build environment to the Avast infrastructure, and are in the process of moving the entire Piriform staff onto the Avast internal IT system.

Steckler and Vlcek reiterated that 2.27 million users were affected by the compromise, and that since the compromise discovery, that number has come down to 730,000 (those still using the affected v). “These users should upgrade even though they are not at risk as the malware has been disabled on the server side,” they advised.
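Gorelik's explanation turns on TLS callbacks, which the Windows loader runs before a program's entry point. The following is an added example (not from the article, Morphisec, Cisco or Avast) that lists the TLS callback addresses recorded in a PE file, so a release binary can be compared against a known-good build; `tls_callbacks` and `build_sample` are hypothetical names, and the sample image is constructed for the demonstration.

```python
import struct

def tls_callbacks(data):
    """Return TLS callback VAs from a PE image; they run before the entry point."""
    u = lambda fmt, off: struct.unpack_from(fmt, data, off)
    pe = u("<I", 0x3C)[0]                              # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size, opt = u("<H", pe + 6)[0], u("<H", pe + 20)[0], pe + 24
    pe64 = u("<H", opt)[0] == 0x20B                    # PE32+ magic, else PE32
    ptr, psz = ("<Q", 8) if pe64 else ("<I", 4)
    image_base = u(ptr, opt + (24 if pe64 else 28))[0]
    dirs = opt + (112 if pe64 else 96)                 # data directory array
    if u("<I", dirs - 4)[0] <= 9:                      # NumberOfRvaAndSizes
        return []
    tls_rva = u("<I", dirs + 9 * 8)[0]                 # entry 9 = TLS directory
    if tls_rva == 0:
        return []
    sects = [u("<IIII", opt + opt_size + 40 * i + 8) for i in range(nsect)]
    def offset(rva):                                   # RVA -> file offset
        for vsize, vaddr, rsize, rptr in sects:
            if vaddr <= rva < vaddr + rsize:
                return rptr + rva - vaddr
        raise ValueError("RVA %#x is not backed by file data" % rva)
    cb_va = u(ptr, offset(tls_rva) + 3 * psz)[0]       # AddressOfCallBacks (a VA)
    found, pos = [], offset(cb_va - image_base) if cb_va else None
    while pos is not None and len(found) < 64:         # bounded walk of the array
        va = u(ptr, pos)[0]
        if va == 0:                                    # null pointer ends the list
            break
        found.append(va)
        pos += psz
    return found

def build_sample(callbacks, base=0x400000, pe=0x40):
    """Constructed, non-runnable PE32 skeleton: headers, one section, a TLS directory."""
    img, opt = bytearray(0x400), pe + 24
    img[:2], img[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, pe)
    struct.pack_into("<HH", img, pe + 4, 0x14C, 1)     # i386, one section
    struct.pack_into("<H", img, pe + 20, 224)          # SizeOfOptionalHeader
    struct.pack_into("<H", img, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", img, opt + 28, base)        # ImageBase
    struct.pack_into("<I", img, opt + 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 72, 0x1000, 24)   # TLS dir RVA, size
    struct.pack_into("<8sIIII", img, opt + 224, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", img, 0x200 + 12, base + 0x1020)    # AddressOfCallBacks
    struct.pack_into("<%dI" % len(callbacks), img, 0x220, *callbacks)
    return bytes(img)
```

TLS callbacks are also emitted by ordinary toolchains, so the useful signal is a difference from the expected build output rather than their mere presence.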