Danger level 6
Type: Other

Cyber Villains Corrupted Ccleaner 5.33 Version

Cyber Villains Corrupted Ccleaner 5.33 Version is a compromised version of the popular CCleaner that has since been updated. The compromised version is no longer available for download, but not all versions of CCleaner are updated automatically. The Free version, for example, is not updated automatically. So if you have the 5.33.6162 version of this application with a free license, then you ought to remove it from your PC as soon as the opportunity. Nevertheless, from the very outset, we want to inform you that the backdoor that the compromised version injects into your PC has been disabled from the server side, so there is little to no risk of your computer’s security being jeopardized. Still, if you want to stay on the safe side of things, then you have to replace the corrupted version with a newer one.

The compromised version of CCleaner was released on August 15, 2017. However, it has been revealed that the compromise of this program may have started as early as July 3. The compromised version went undetected for four weeks. However, the good news is that the compromised version was discovered by cybersecurity experts (Morphisec and Cisco Talos) and the developer Piriform working with Avast fixed the issue within approximately 72 hours of discovery. Thankfully, the second stage payload was never activated. Therefore, if you have the compromised version of this application, then you can rest easy as your PC was not infected with malware.

It has been revealed that CCleaner 5.33 was illegally modified during the build process to include a backdoor. It is likely that an external or even an internal attacker compromised the build and leveraged that access to insert malware into CCleaner. The malicious code was embedded in the ccleaner.exe binary, even though the installation executable was signed using a valid digital signature issued to Piriform. While installing Cyber Villains Corrupted Ccleaner 5.33 Version, the 32-bit CCleaner binary also contained a malicious payload that featured a Domain Generation Algorithm (DGA) and hardcoded Command and Control (C2) functionality. The offending C2 server was taken down on September 15. After the server was taken down the threat was effectively eliminated because the attacker lost the ability to deliver the payload.

Within the 32-bit CCleaner v5.33, '__scrt_get_dyn_tls_init_callback' has been modified to call to the code at CC_InfectionBase(0x0040102C). Apparently, this was done to redirect code execution flow within the CCleaner binary to the malicious code. That code is responsible for decrypting data that contains the two stages of the malicious payload. They include a PIC (Position Independent Code) PE loader as well as a DLL file that effectively functions as the malware payload. The attacker tried to reduce the chances of detection of the malicious DLL by ensuring the IMAGE_DOS_HEADER was zeroed out.

The binary also creates an executable heap using HeapCreate(HEAP_CREATE_ENABLE_EXECUTE,0,0). Space is allocated to this heap where the contents of the decrypted data containing the malware is copied. The source data is erased while the data is copied to this heap. After that is done The PE loader is called, and it begins its operation. Then, the binary erases the memory regions that contained the PE loader and the DLL file. Furthermore, it frees the previously allocated memory, deletes the heap and continues on with normal CCleaner operations. The PE loader locates the DLL file within memory. It maps the DLL into executable memory and calls the DLLEntryPoint to start the execution of the DLL and the CCleaner binary continues to function as normal. Once this occurs the malware begins its full execution.

Cyber Villains Corrupted Ccleaner 5.33 Version was being hosted directly on CCleaner's download server. However, only two smaller distribution products that include the 32-bit and cloud versions, for Windows were compromised, and the actual number of users affected by this incident was 2.27M. Because the compromised versions with automatic updates were updated, there are now only 730,000 users that still use the affected version (5.33.6162). The recently released version 5.34 and versions prior to 5.33.6162 do not have the backdoor component. CCleaner 5.33.6162 users are receiving a notification that advises them to perform an update.

Therefore, if you have Cyber Villains Corrupted Ccleaner 5.33 Version on your PC, then you ought to remove it even though it no longer poses a threat to your PC and install the newest version of the product, especially if you use the free version which does not have automatic updates. Also, you should consider getting an antimalware application such as SpyHunter to detect and inform you about malware and compromised applications on your PC, and also remove them. The corruption of CCleaner was an unfortunate incident, and we believe that the developers will make sure that it does not happen again.

Download Spyware Removal Tool to Remove* Cyber Villains Corrupted Ccleaner 5.33 Version
  • Quick & tested solution for Cyber Villains Corrupted Ccleaner 5.33 Version removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.