Malware in the anti-malware disguise
CCleaner, a widely known and popular tool for removing adware and other kinds of malware and keeping a computer running smoothly, did not escape the attention of cyber criminals. All users who downloaded version 5.33 between August 15 and September 12 risked being infected with the Floxif malware.
Over 2 million users in the US, Russia, and Western Europe were likely affected, given the software's popularity in those regions. Although only 32-bit systems were affected, all users are advised to update the software to the latest version.
What does Floxif virus do?
IT researchers discovered that the Floxif virus collects data about the victim's machine (its technical specifications) and transmits it to a remote command-and-control (C2) server. Cisco Talos researchers, who identified the corrupted version, also revealed that the malware makes requests to the IP address 220.127.116.11.
Initially, the corrupted version raised no suspicion because it carried a valid digital signature. The malware was thus delivered as what appeared to be the genuine version 5.33 published by Piriform (the original developer of the tool, now owned by Avast).
Additionally, the infection embedded in the software waited 601 seconds before executing, a delay intended to outlast automated sandbox analysis. Interestingly, the Floxif virus ran only when the process had administrative rights.
Once the update is downloaded and run, the malware locates the existing CBkdr.dll and replaces it with an identical-looking but corrupted variant. Apart from collecting the information and transmitting it to the server, the infection did not exhibit any other behavior.
Cyber security specialists are still puzzling over how the malware managed to get past Avast's anti-malware detection. Some speculate that the attacker may have worked with an insider who had access to the software development process.
Is it safe to download CCleaner now?
While installers for version 5.33 are still available, the malware has been successfully eliminated: Avast published version 5.34 on September 13.
Though ordinary users had no real chance of preventing this intrusion, since the tool posed as a legitimate version, they may find the following advice useful:
- keep more than one malware prevention and removal tool
- download them from the official sites and install the latest version as soon as it is published