Cuidado con CCleaner, puede traer malware.

Como han hackeado desde el 13 de septiembre el sistema web de Piriform que es la desarrolladora de CCleaner, ahora el bajar o actualizar este y otros de sus programas puedes traer adherido codigo malware del tipo BACKDOOR.

Lo anterior lo desubrieron empleado de cisco talos al emprender un analisis de los resultados en el trafico que pasa por sus sistemas, donde avast reporta positivos en la deteccion de codigo sospechoso desde ccleaner.

https://betanews.com/2017/09/18/ccleane ... d-backdoor


Mientras tanto Piriform desde su blog ya ha emitido un comunicado de la situacion, donde reconocen este hackeo y el riesgo de seguridad que trae ccleaner en estos momentos.

https://www.piriform.com/news/blog/2017 ... dows-users


Dear CCleaner customers, users and supporters,

We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.


Technical description
An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.

The suspicious code was hidden in the application’s initialization code called CRT (Common Runtime) that is normally inserted during compilation by the compiler. This code modification was executed by the following function calls (functions marked by red represent the CRT modifications):