
 Avast acquires Piriform, maker of CCleaner

     
TSperfectgrowwell
post Sep 1 2017, 05:06 PM, updated 7y ago

Getting Started
**
Junior Member
178 posts

Joined: Nov 2015
From: Muar
Avast acquires Piriform, maker of CCleaner
Adding 130 million users to Avast’s performance optimization installed base
Redwood City, California, July 19, 2017 – Avast, the global leader in digital security products, today announced that it has acquired Piriform, the leading provider of device performance optimization software. Founded and based in London, UK, Piriform’s flagship product, CCleaner, speeds up PCs and smartphones by intelligently removing junk and improving the performance of computers and phones.
CCleaner is a leading brand in the market, used by 130 million people, including 15 million Android users. CCleaner has an extensive and extremely loyal community of tech-savvy users, who need to speed up and optimize their PC and Android experience. Avast will maintain the CCleaner brand of products along with Avast’s existing performance optimization products, Avast Cleanup and AVG Tune Up. With the addition of CCleaner, Avast has dramatically expanded its product offerings in the PC and smartphone optimization market reaching customers around the world who demand faster performance.
“We see many commonalities between CCleaner and Avast, allowing for great new products for our user bases. Avast and CCleaner are the top two downloaded products on popular download sites. They are both known by advanced users as focused on performance, so we believe there will be a great interest from our CCleaner customers in using Avast security products and vice versa,” said Vince Steckler, CEO of Avast. “In today’s connected world, it’s all about speed and high performance, and with Piriform’s robust technology we can address this need perfectly. We look forward to working with the Piriform team to grow the business together.”
The Piriform team will be a part of the Avast consumer business unit, and report to Ondrej Vlcek, Avast CTO and EVP & GM, Consumer.
About Piriform:
Piriform are global leaders in system optimization software, founded in 2004 by Guy Saner and Lindsey Whelan. Piriform software, which makes PC, Mac and Android devices clean, safe and run fast, is used by hundreds of millions of home and business users worldwide. A Piriform product is installed more than 23 million times a month.


ABOUT Avast:
Avast (www.avast.com), the global leader in digital security products, protects over 400 million people online. Avast offers products under the Avast and AVG brands that protect people from threats on the internet and the evolving IoT threat landscape. The company’s threat detection network is among the most advanced in the world, using machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for Mobile, PC or Mac are top-ranked and certified by VB100, AV-Comparatives, AV-Test, OPSWAT, ICSA Labs, West Coast Labs and others. Avast is backed by leading global private equity firms CVC Capital Partners and Summit Partners.
Contacts:
Avast Software
Marina Ziegler
PR Director
E-mail: pr@avast.com
www.avast.com

source: Avast acquires Piriform, maker of CCleaner
pcbase
post Sep 26 2017, 07:01 AM

Regular
******
Senior Member
1,411 posts

Joined: Dec 2004
From: Batu Pahat


CCleaner malware outbreak is much worse than it first appeared
https://arstechnica.com/?post_type=post&p=1171699
TSperfectgrowwell
post Sep 27 2017, 04:37 PM

Getting Started
**
Junior Member
178 posts

Joined: Nov 2015
From: Muar
QUOTE(pcbase @ Sep 26 2017, 07:01 AM)
CCleaner malware outbreak is much worse than it first appeared
https://arstechnica.com/?post_type=post&p=1171699
*
Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

Dear CCleaner customers, users and supporters,

We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud were illegally modified before they were released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.

Technical description
An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.

The suspicious code was hidden in the application’s initialization code called CRT (Common Runtime) that is normally inserted during compilation by the compiler. This code modification was executed by the following function calls (functions marked by red represent the CRT modifications):



This modification performed the following actions before the main application’s code:

- It decrypted and unpacked hardcoded shellcode (10 kB large) - simple XOR-based cipher was used for this.
- The result (16 kB in size) was a DLL (dynamic link library) with a missing MZ header.
- This DLL was subsequently loaded and executed in an independent thread.
- Afterwards, a normal execution of CRT code and main CCleaner continued, resulting in the thread with payload running in the background.

Illustration of patched CRT code (see the added call to a payload-decryption routine in the modified version):



The code executed within that thread was heavily obfuscated to make its analysis harder (encrypted strings, indirect API calls, etc.). The suspicious code was performing the following actions:

- It stored certain information in the Windows registry key HKLM\SOFTWARE\Piriform\Agomo:
  - MUID: randomly generated number identifying a particular system. Possibly also to be used as communication encryption key.
  - TCID: timer value used for checking whether to perform certain actions (communication, etc.)
  - NID: IP address of secondary CnC server
- Besides that, it collected the following information about the local system:
  - Name of the computer
  - List of installed software, including Windows updates
  - List of running processes
  - MAC addresses of first three network adapters
  - Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
- All of the collected information was encrypted and encoded by base64 with a custom alphabet.
- The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via an HTTPS POST request. There was also a [fake] reference to “Host: speccy.piriform.com” in communication.
- The code then read a reply from the same IP address, providing it with the functionality to download a second stage payload from the aforementioned IP address. The second stage payload is received as a custom base64-encoded string, further encrypted by the same xor-based encryption algorithm as all the strings in the first stage code. We have not detected an execution of the second stage payload and believe that its activation is highly unlikely.
- In case the IP address becomes unreachable, a backup in the form of DGA (domain name generator) activates and is used to redirect communication to a different location. Fortunately, these generated domains are not under the control of the attacker and do not pose any risk.

At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing. We want to thank the Avast Threat Labs for their help and assistance with this analysis.

Again, we would like to apologize for any inconvenience this incident could have caused to our clients; we are taking detailed steps internally so that this does not happen again, and to ensure your security while using any of our Piriform products. Users of our cloud version have received an automated update. For all other users, if you have not already done so, we encourage you to update your CCleaner software to version 5.34 or higher. Download CCleaner here to get the latest version.

Thank you,

Paul Yung
VP Products

source: https://www.piriform.com/news/blog/2017/9/1...t-windows-users
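
Added example, not part of the thread or of Piriform's notification: a host triage check built from the indicators the notification lists (the MUID, TCID and NID values under the Agomo key, and the two affected version numbers). It parses the text output of `reg query HKLM\SOFTWARE\Piriform\Agomo` collected from a host; the function names, verdict labels and the sample registry data (including the REG_DWORD types) are constructed for illustration.

```python
import re

# Indicators taken from the notification quoted above.
AGOMO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo"  # reg.exe prints HKLM in full
MARKER_VALUES = {"MUID", "TCID", "NID"}
AFFECTED = {"ccleaner": "5.33.6162", "ccleaner cloud": "1.07.3191"}

# One value line of `reg query` output: indent, name, REG_* type, data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Return {KEY_PATH: {VALUE_NAME: data}} from `reg query` text output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().upper(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group(1).upper()] = m.group(3).strip()
    return keys


def triage(reg_text, product, version):
    """Classify one host from its registry dump and installed product version."""
    values = parse_reg_query(reg_text).get(AGOMO_KEY.upper(), {})
    markers = sorted(MARKER_VALUES & set(values))
    affected = AFFECTED.get(product.strip().lower()) == version.strip()
    if markers:
        verdict = "payload-ran"      # state values present, whatever version is installed now
    elif affected:
        verdict = "affected-build"   # modified build installed, no state values seen
    else:
        verdict = "clear"
    return {"verdict": verdict, "markers": markers, "affected_build": affected}


# Constructed sample: value types and data are invented for illustration.
SAMPLE_HIT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo
    MUID    REG_DWORD    0x1a2b3c4d
    TCID    REG_DWORD    0x59b7c0de
    NID    REG_DWORD    0x0
"""
SAMPLE_CLEAN = "ERROR: The system was unable to find the specified registry key or value."

if __name__ == "__main__":
    print(triage(SAMPLE_HIT, "CCleaner", "5.34"))
```

The verdict is keyed on the registry values first, so a host that has already been updated to 5.34 is still flagged if the values were written earlier.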


1kokies
post Oct 9 2017, 02:43 AM

On my way
****
Senior Member
532 posts

Joined: Aug 2011


Good to know about the acquisition

 
