Summary
This detection identifies compromised installers for the CCleaner utility program, which have been altered to include a backdoor that silently runs in the background when the affected installer is launched.
The affected files are detected by F-Secure security products with the latest database updates as Trojan.PRForm.A and Backdoor.Agent.ABXS. Instructions on how to check if your F-Secure security product is using the latest database update are available in Community: How do I know that I have the latest updates?.
Removal
Based on the settings of your F-Secure security program, it will either automatically delete, quarantine or rename the file or application, or ask you for a desired action.
Users are also recommended to update their CCleaner software to version 5.34 or higher. According to news reports, an automated update to the CCleaner Cloud version has addressed the issue for that version.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First, check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
Supply chain compromise
On Monday, Sept 18 2017, security researchers reported that some versions of the installer for the popular free computer utility program CCleaner had been altered to include a backdoor, which was silently run when the installer was launched. The specific versions were identified as CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191.
The affected installers were available for download from the legitimate CCleaner download servers. According to reports, they had been available since early August 2017. The installers were signed by a valid digital signature from Piriform, the company that created the software.
News reports have noted that the unauthorized insertion must have taken place before the signing during the software development or distribution process, a type of attack also known as a 'supply chain compromise'.
For more information about the incident:
- Piriform: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
- Talos Intelligence: CCleanup: A Vast Number of Machines at Risk
- Wired: Software Has a Serious Supply-Chain Security Problem
The backdoor's payload
When the compromised installer is run, the bundled backdoor code is launched as well and collects information from the system, including:
- Computer name
- List of installed software
- List of running processes
- MAC addresses of the first 3 network adapters
The harvested information is encrypted and sent to an external IP address. The backdoor also reportedly has the capability to download an additional payload from this server. At the time of writing, there have been no reports of any secondary payload being observed.
If the first server contacted is unreachable, the backdoor also includes a Domain Name Generator (DGA) that it can use to redirect to another command and control (C&C;) server. According to reports, these alternative servers are not under the attackers control.
Protect your devices from malware with F‑Secure Total
Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.
Award‑winning antivirus and malware protection
Online browsing, banking, and shopping protection
24/7 online identity and data breach monitoring
Unlimited VPN service to safeguard your privacy
Password manager with private data protection
Choose how many devices you want to protect to get started.
Free customer support
Cancel anytime
The trial does not obligate you to buy the product
After 30 days your subscription will renew automatically for one year at €69.99.
)
)
More Support
Community
Ask questions in our Community.
User guides
Check the user guide for instructions.
Contact Support
Chat with with or call an agent.
Submit a Sample
Submit a file or URL for analysis.