My cold-hearted advice if you are affected: system reinstall. A system that got compromised must still be considered compromised after any "cleanings", "repairs", or whatever. The only way to deal with a bug and be certain is to nuke the whole system from orbit.

Note that Talos (first link) disagrees with Piri (second link) on the amount of damage done. Talos says it potentially could be an immense number of users; Piri says the threat was tackled before it could do damage. Of course, Piri has its own reputation to protect here; Talos is a neutral third party.

I believe I understood it like this: a completely infested version of CCleaner was spread via manipulated servers of theirs, and so the malware must have reached millions and millions of users; see the link for affected version and date.

The malware scanned the infested systems, extracted data and downloaded additional malware, which was probably the intended "warhead" to detonate. But if Piri is right, then this malware never got activated; they switched off the rogue server fast. Which means that affected people have downloaded-for-sure, but non-activated, malware on their machines now. Their systems probably got scanned and data was extracted. The additional downloaded malware, the warhead, is still there.

Note that the critical version of CCleaner was distributed for almost a full month.

> We recently determined that older versions of our Piriform CCleaner v and CCleaner Cloud v had been compromised. We resolved this quickly and believe no harm was done to any of our users. This compromise only affected customers with the 32-bit version of the v of CCleaner and the v of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v to download v5.34 here: download. We apologize and are taking extra measures to ensure this does not happen again.
>
> Issue Summary: Our new parent company, the security company Avast, determined on the 12th of September that the 32-bit version of our CCleaner v and CCleaner Cloud v products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner. Piriform CCleaner v was released on the 15th of August, and a regularly scheduled update to CCleaner, without compromised code, was released on the 12th of September.

Somebody managed to attach a dirty package to a valid new CCleaner version that was distributed via an official Piri server that got compromised as well by somebody. This version dropped onto people's systems when they upgraded to the new version of CCleaner in the roughly 4 weeks when this version was distributed without Piri being informed about what went on.

4 weeks translates probably into several million people who downloaded this thing. The attacking software scanned the system and extracted data on the infected system, in preparation for turning it into a zombie platform for a botnet out there. This was to be done via additional software that was downloaded by the parasite on top of the CCleaner package. However, the corrupted servers were taken out before the downloaded "warhead" could be activated. Which leaves the remains of the botnet-integrating software on people's systems, just that it has not received the activation commands. Now if you upgrade to a later version of CCleaner, this new version no longer has this parasitic software attached to it, and replaces the corrupted CCleaner version that was previously installed. BUT: if you had been infected by the version before, then the additional malware that was downloaded by that intruder obviously still resides on your system.

That is as if you hold a bomb in your hand with a fuse that gets remote controlled via radio signal. The guy controlling the remote transmitter to detonate it has been taken out. But if you run into a frequency equal to that of the transmitter, and the receiver on that bomb picks it up, however small the random chance for this event may be, the bomb goes off nevertheless. The question may be to what degree the detonation of this software still could lead to your computer being turned into a zombie that gets abused in a botnet. Only that server has been shut down that spread the initially infested CCleaner version. The botnet and the guys running it are still there.

This is my understanding of the status quo, based on the linked two texts and three additional German website reports. The media coverage and reports are not fully consistent in the way they tell the story. Talos and Avast/Piri may be driven by different interests as well.