In an article on their website, Piriform, a company recently acquired by Avast, published the following apology.
Dear CCleaner customers, users and supporters,
We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. Suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud were illegally modified before they were released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.
An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.
While more articles on this subject can be found on Spiceworks, a very commendable article about the incident was published by the Talos group, who first discovered the breach into Avast’s servers.
If you are like me, you did not want to open an apparently random text from email@example.com or whatever the firstname.lastname@example.org that just came to your phone. So you did a quick search in your favorite search engine and this article came up.
So, nothing to worry about. It’s just your optometrist or your dentist (one of those medical professionals you recently visited) reminding you of an appointment or a prescription to pick up.
Alright, with that said, here is a little disclaimer: be careful! Some crazy dude could forge this and spoof that sender’s email address. So, do not download or open any attachment if you can help it. First call your doctor to confirm (or check your email) and see if they sent you any notification.
Great! I hope you have some peace of mind now. I did once I was reassured and ran the antivirus and all the good stuff any cautious person would wanna do.
And, oh, one more thing. If you have considered blogging on WordPress.com or Jetpack before, get it now! They have a 30% Off promotion if you use coupon code HOLIDAY30 by December 31, 2017.
It happens sometimes that your favorite antivirus locks up your files every time your backup engine tries to access them for, well, backup. You may want to contact customer support for your specific antivirus. In my case, Bitdefender had set itself to protecting my files so much that my scheduled backup failed, failed, and failed… and failed again. So, I asked Bitdefender customer support for a quick guide on what to do. Following is what they said. It turns out to be what worked as well.
Most likely there is some interference with the backup process. Adding an exclusion for the backup application process in the Antimalware > Settings section of your policy might fix the situation; I have provided the steps below.
1. Log in to Bitdefender Control Center.
2. Go to the Policies page.
3. In case you already have a custom policy created, click on it in order to edit it. Otherwise, click the + Add button to create a new policy.
4. Go to the Antimalware > Settings tab.
5. Select Custom Exclusions.
6. Choose Process from the Type menu.
7. In the Files, folders, extensions or processes column, type the full path to the application you want to exclude from scanning.
8. Choose On-access from the Modules menu and click the “+” button to add the application to the exclusions list.
9. Repeat steps 4 to 8, but select ATC/IDS from the Modules menu.
10. Click Save to send the policy to the target machines.
The wbadmin.exe and wbengine.exe files might be the ones for which you need to create the exclusions.
And yes, they were and they worked after I followed the steps. ‘Nough said!
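A process exclusion is a blind spot for the scanner, so it is worth confirming exactly which binaries you are whitelisting before pasting paths into the policy. The PowerShell snippet below is an added example, not code from Bitdefender support or the vendor: it resolves the two Windows Server Backup binaries named above under System32, checks that each carries a valid Microsoft Authenticode signature, and records the SHA-256 alongside the full path so the exclusion can be audited later. The System32 location and the Microsoft-signer check are assumptions about a standard Windows install.

```powershell
# Added example (not from Bitdefender support): verify the backup binaries
# before excluding them from On-access scanning and ATC/IDS in the policy.
$candidates = @('wbadmin.exe', 'wbengine.exe')   # names from the support reply above

foreach ($name in $candidates) {
    # Windows Server Backup ships these under %SystemRoot%\System32 (assumed default)
    $path = Join-Path $env:SystemRoot "System32\$name"

    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$name not found at $path; do not add a blind exclusion for it."
        continue
    }

    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = $sig.SignerCertificate.Subject
    $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    if ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft*') {
        # Safe to exclude: print the exact full path for the policy field,
        # plus the hash to keep with the change record.
        "{0}`tSHA256={1}`tSigner={2}" -f $path, $hash, $signer
    } else {
        # Unsigned or unexpected signer: investigate before widening the scanner's blind spot.
        Write-Warning "$path has signature status '$($sig.Status)' ($signer); investigate before excluding."
    }
}
```

Run it on the target machine before step 7 above and paste only the paths it prints without a warning.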
I really couldn’t find a Bitdefender image with free license for reuse with modification, but I found this one about Ebola. So, let’s just learn
How the Ebola virus attacks according to the WHO