What should Avast do with CCleaner backdoor?

What should Avast do to satisfy people affected by the CCleaner Trojan infection.

  • Nothing. Avast is just the owner.

    Votes: 22 25.6%
  • Provide a specific removal tool, because Talos (security experts) advise image recovery

    Votes: 48 55.8%
  • Provide a give away or discount for the Avast paid version

    Votes: 12 14.0%
  • Provide a give away or discount for the CCleaner paid version

    Votes: 22 25.6%
  • Other please specify

    Votes: 14 16.3%

  • Total voters
    86
  • Poll closed .

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
I am interested in your opinion on how Avast should handle the CCleaner backdoor infection aftermath?

Please enter one or more options which reflect your opinion best. Feel free to post another option.
 

DJ Panda

Level 30
Verified
Top Poster
Well-known
Aug 30, 2015
1,928
I'd hope they have a removal tool. I used CCleaner last night. I still feel like they are ok products. Going to uninstall CCleaner for now.Though to be honest its not the most enticing way to bring me back once my Emsisoft license expires in a year.
 
P

plat1098

Other: Have many meetings with legal counsel. Hand out pink slips. Break open sinsemilla stash because today was a really bad day at the office. :cool:

Oh, for its users' satisfaction. I don't know. Best thing maybe for ALL users is to maintain a calm and honest professional image. Offer a clear tutorial with a removal tool and provide refunds and/or licenses to other products in the line to all verified affected Pro users upon request. Hopefully it'll blow over and at least some of those who left will be drifting back out of loyalty.
 

Captain Awesome

Level 23
Verified
Top Poster
Well-known
May 7, 2016
1,285
Voted Nothing, ##### happens. Avast is just the owner.
Avast discover the malware and CCleaner Update their product.It is the game of malwares and every softwares.;)

A statement of Avast's
Ondřej Vlček
EVP & GM, Consumer and CTO
Guys,

I just had a chance to read this thread and I'm a bit horrified as I think that there's quite some misconception about what actually went on.

First of all, the bottom line is: to the best of our knowledge, no harm was done to any CCleaner users as the threat was removed before it had a chance to fully activate.
This is really not about downplaying the issue. This is a statement based on a pretty thorough analysis, partially shared below and partially still embargoed because of the ongoing investigation.

Now, some facts:
- Avast acquired a company (Piriform) which was in the process of being hacked. We have good evidence that the attack started at least several weeks before the acquisition.
- Immediately after we first learned about something wrong with the CCleaner product (which was on September 12, i.e. 6 days ago) we started working on it and have been working on it around the clock since then.
- The #1 priority for us was to protect the CCleaner customers and minimize the actual customer impact of the incident.
- For that reason, we first focused on fully understanding the malicious code and disconnecting the bad actors from their ability to control the backdoor, i.e. taking down the CnC servers.
- The CnC server was taken down on September 15, three days after we first learned about the incident. Given how difficult these things tend to be, we consider this a very good result and I don't see how we could have done it any better. (By that time, the secondary CnC servers (the DGA domains) were already sinkholed as well, so that technically cut the attackers off their ability to control the backdoor).

At the same time, we wanted to understand whether the second stage payload could have already activated before the threat was discovered. Now, the good thing is that about 30% of CCleaner users also run Avast security software, which allowed us to analyze behavioral, traffic and file/registry data from those machines. Based on this analysis, we can say with high confidence that to the best of our knowledge, the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary itself. We also asked our colleagues from other security companies, but haven't heard anyone seeing anything suspicious either. And that's great news, as it means that despite the high sophistication of the attack, we managed to disarm the system before it was able to do any harm. To that end, we don't consider the advice to reformat and/or restore the affected machines to the pre-August 15 state to be based on facts (by similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer, just because there was a hypothetical possibility that something might have gotten in).

BTW, I have to say I was quite disappointed by the approach taken by the Cisco Talos team who appears to be trying to use information about this incident to drive marketing activities and piggyback on the case to increase the visibility of their upcoming product. And, I should probably also say that it wasn't Cisco who first notified us about the problem. The threat was first discovered and reported to us by researchers in a security company called Morphisec (thank you!). The threat was real, but to the best of our knowledge, it was fortunately mitigated before it could do any harm.

We plan to be issuing more communication about this as we go. This is a very unfortunate incident and of course, it's in our highest interest to properly investigate the issue and make sure it never happens again. Unfortunately, as you can imagine, the security measures in small companies are usually not up to the standard and that's a big lesson for us in terms of what to look for in case of future acquisitions.

Thanks,
Vlk
 
Last edited:

ispx

Level 13
Verified
Well-known
Jun 21, 2017
616
i voted others. avast should completely distance itself from this controversy. this is the beginning of the end for piriform.

it does not speak very well when an AV vendor who protects users from virus has a sister concern that is doling out malware to users.

It doesn't seem like anything that has had too much of an impact

so you think. you will not report a burglary till you know what was stolen, as simple as that.
 

Captain Awesome

Level 23
Verified
Top Poster
Well-known
May 7, 2016
1,285
i voted others. avast should completely distance itself from this controversy.
Yes.Avast also think so maybe.
Unfortunately, as you can imagine, the security measures in small companies are usually not up to the standard and that's a big lesson for us in terms of what to look for in case of future acquisitions.
:)
 
P

plat1098

i voted others. avast should completely distance itself from this controversy. this is the beginning of the end for piriform.

Can Avast reasonably do that now, short of selling Piriform? Avast was also bundled with CCleaner's full installer in the recent past so they're kind of stuck together for the time being. Like I said: a calm professional face to the public and plenty of closed-door meetings with legal counsel. Wouldn't surprise me if Piriform brand quietly disappeared down the road.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Avast should see to it that Piriform is swiftly deprived of their certificate.
It is not acceptable for Piriform to blindly stamp their certificate on a file without checking the file first. This kind of behavior nukes the entire chain of trust on which the digital world is based.
 

spaceoctopus

Level 16
Verified
Top Poster
Content Creator
Well-known
Jul 13, 2014
766
There is no Piriform anymore its just Avast:notworthy:
They bought it and they could secure that cloud or whatever it was but they didn't.
The thing in that, is that no other security company was able to discover the threat until it was revealed lately. So, it's difficult to make Avast! responsible for that.
 

jerzy601

Level 20
Verified
Top Poster
Well-known
Jun 20, 2011
997
Not much can be done just to upgrade to a new version or uninstall CCleaner from some time this softened up and I uninstalled it and did not use it.
There is a lot of this kind of software that you can replace with other softwares.
There are many programs on the market.
CCleaner is not such a miracle that it can not be replaced.
And what they bought it was just money was thrown into the mud.
 

Node

Level 3
Verified
Aug 6, 2017
100
i voted others. avast should completely distance itself from this controversy. this is the beginning of the end for piriform.

it does not speak very well when an AV vendor who protects users from virus has a sister concern that is doling out malware to users.



so you think. you will not report a burglary till you know what was stolen, as simple as that.

You're comparing someone breaking into a home vs. a simple malware infection that is easily ridden via updating the program. What else should they do? Give you a cookie?
 

L S

Level 5
Verified
Well-known
Jul 16, 2014
215
I voted Other ! ....
-------------------------->
First Delete the "Agomo" from Registry Editor :
2017-09-18 18_32_56-Registry Editor.png


Then Update to new version CCleaner v. 5.34
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 

Captain Awesome

Level 23
Verified
Top Poster
Well-known
May 7, 2016
1,285
I voted Other ! ....
-------------------------->
First Delete the "Agomo" from Registry Editor :
View attachment 167541

Then Update to new version CCleaner v. 5.34
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Thanks@L S(y)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top