CCleaner Adds Data Collection Feature With No Way to Opt-Out

Like many others, do you believe that the popular system-cleaning tool CCleaner worked just fine before Avast acquired it from Piriform last year?
If so, the pop-up advertisements in the previous CCleaner version were not the last annoyance you will have to deal with.
Avast has released CCleaner 5.45, a version that not only runs in the background at all times but also collects information about your system without giving you a way to turn the feature off.
CCleaner is a popular application, available in both free and premium versions and downloaded over 2 billion times, that lets users clean up their Windows, Mac, and mobile devices to optimize performance.
Last year, CCleaner made headlines when it suffered a massive supply-chain attack: attackers compromised its servers for over a month and replaced the legitimate version of the software with a backdoored one, infecting over 2.3 million users worldwide.
CCleaner Users Concern Over Active Monitoring and User Data Collection
This time the system-cleaning software is in the headlines because of the “monitoring and data collection” features Avast has added to the system optimizer over the past few months.
Here’s the timeline:
CCleaner 5.43 released in May—removes the option to opt out of data-sharing feature for users of the free software version.
CCleaner 5.44 released in June—adds pop-up advertisements.
CCleaner 5.45 released in July—forces Active Monitoring and heartbeat features.
These monitoring components send data, such as anonymous system usage statistics, back to the company’s servers, and also continuously scan the system so that CCleaner can alert users when it finds junk or browser files to clean, as first reported by Techdows.
What’s concerning is that even after a user turns off the Active Monitoring feature from CCleaner’s menus, it turns itself back on whenever the computer is rebooted or the software is closed.
In its changelog for CCleaner 5.45, Avast notes it “added more detailed reporting for bug fixes and product improvements.”
Besides this, CCleaner now also sends a “heartbeat” every 12 hours that reports up-to-date usage statistics to Avast, which the company says lets it deliver bug fixes and product improvements faster.
When asked about it on its forum, CCleaner said heartbeat sends only “non-personal, absolutely non-identifiable usage information to improve CCleaner.”
Though CCleaner says the information it gathers is entirely anonymous, users on various internet forums expressed concern about Avast’s data-sharing practices, saying that the company has ruined their favorite tool since acquiring it.
Moreover, CCleaner’s privacy policy also says that it can share the collected information with third-party companies.
“We reserve the right to store and use the information collected by our software. We may publish or share that information with third parties that are not part of the Avast Group, but we will only ever do so after anonymizing the data,” CCleaner’s privacy policy says.
“We reserve the right to store and use the information collected by our software and to share such information among the Avast Group to improve our current and future products and services, to help us develop new products and services, and to better understand the behavior of our users.”
Avast Promises to Fix CCleaner Privacy Issues
In response to the users’ complaints about Active Monitoring, Avast said on its forum that the company will offer separate menu items for turning off Active Monitoring and sending anonymous usage data (heartbeat).
“We will separate out Active Monitoring (junk cleaning alerts and browser cleaning alerts), and heartbeat (anonymous usage analytics) features in the UI, and we will give you the ability to control these individually,” the company said.
“We will take this opportunity to rename the Advanced Monitoring features in CCleaner to make their functions clearer.”
Avast said it will roll out these changes in the coming weeks. Until then, users who have not yet upgraded to version 5.45 are advised to hold off until the new update is available to download.
Those who have already upgraded to version 5.45 can stop Active Monitoring by terminating the CCleaner process with Task Manager or a third-party process manager, and repeating this each time it starts, until the next version arrives.

Hackers Found Using A New Code Injection Technique to Evade Detection

While performing in-depth analysis of various malware samples, security researchers at Cyberbit found a new code injection technique, dubbed Early Bird, being used by at least three different sophisticated malware families to help attackers evade detection.
As its name suggests, Early Bird is a “simple yet powerful” technique that allows attackers to inject malicious code into a legitimate process before its main thread starts executing, thereby evading the user-mode hooking engines that many anti-malware products rely on.
The Early Bird code injection technique “loads the malicious code in a very early stage of thread initialization, before many security products place their hooks—which allows the malware to perform its malicious actions without being detected,” the researchers said.
The technique is similar in spirit to the AtomBombing code injection technique, which does not rely on easy-to-detect API calls and allowed malware to inject code into processes in a manner that many anti-malware tools did not detect at the time.

The Early Bird method relies on Asynchronous Procedure Calls (APCs), a built-in Windows mechanism that lets code be queued for execution in the context of a particular thread.
Here’s a brief step-by-step explanation of how an attacker can inject malicious code into a legitimate process so that it runs before an anti-malware product’s hooks are in place:
Create a legitimate Windows process (e.g., svchost.exe) in a suspended state,
Allocate memory in that process (svchost.exe) and write the malicious code into the allocated memory region,
Queue an asynchronous procedure call (APC) to the main thread of that process (svchost.exe),
Resume the main thread. Because an APC only runs when its target thread is in an alertable state, the injected code does not run immediately; instead, during the thread’s initialization and before the process’s entry point is reached, the thread calls NtTestAlert, which drains the APC queue and causes the kernel to deliver the queued APC. The malicious code therefore executes before security products have had a chance to hook the process.
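Because the queued APC fires before any user-mode hooks exist in the new process, an in-process hook cannot see it; a defender has to correlate the attacker's own API calls instead, as reported by kernel callbacks or the Microsoft-Windows-Threat-Intelligence ETW provider. The following is an added example (not Cyberbit's code, and not part of the original article) of that correlation: a small detector that walks a process-level API trace and flags the four-step sequence above. The event format, the API names, and the sample trace are constructed for the example; real telemetry would need mapping onto the `ApiEvent` fields.

```python
"""Behavioural detector for the Early Bird APC injection sequence.

Flags a caller that (1) creates a process with CREATE_SUSPENDED, (2) writes into
that process, (3) queues an APC to its main thread and (4) resumes the thread.
Normal cross-process injection into an already-running process, and a launcher
or debugger that creates a suspended child and simply resumes it, are not flagged.
"""
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcess*


@dataclass(frozen=True)
class ApiEvent:
    """One traced API call (constructed format, assumed for this example)."""
    pid: int             # process that made the call
    api: str             # API name as the tracer reports it
    target_pid: int = 0  # process the call acted on (0 = none)
    target_tid: int = 0  # thread the call acted on (0 = none)
    flags: int = 0       # dwCreationFlags for CreateProcess*, otherwise 0


@dataclass
class _Pending:
    main_tid: int
    wrote: bool = False
    apc_to_main: bool = False


def detect_early_bird(events):
    """Return a list of {attacker_pid, child_pid, main_tid} for each full Early Bird sequence."""
    pending = {}  # (caller pid, child pid) -> _Pending, while the child is still suspended
    hits = []
    for ev in events:
        key = (ev.pid, ev.target_pid)
        if ev.api.startswith("CreateProcess") and ev.flags & CREATE_SUSPENDED:
            # Step 1: suspended child; remember its primary thread.
            pending[key] = _Pending(main_tid=ev.target_tid)
            continue
        st = pending.get(key)
        if st is None:
            continue  # not acting on a child we saw created suspended
        if ev.api in ("WriteProcessMemory", "NtWriteVirtualMemory"):
            st.wrote = True                     # step 2: payload written into the child
        elif ev.api in ("QueueUserAPC", "NtQueueApcThread") and ev.target_tid == st.main_tid:
            st.apc_to_main = True               # step 3: APC queued on the not-yet-started main thread
        elif ev.api in ("ResumeThread", "NtResumeThread"):
            if st.wrote and st.apc_to_main:     # step 4: resume -> NtTestAlert drains the APC
                hits.append({"attacker_pid": ev.pid, "child_pid": ev.target_pid,
                             "main_tid": st.main_tid})
            del pending[key]                    # once resumed, the Early Bird window is closed
    return hits


# Constructed trace: one Early Bird chain plus two benign-looking sequences.
SAMPLE_TRACE = [
    # Early Bird: loader 4242 injects into a suspended svchost.exe (pid 5150, main tid 5152).
    ApiEvent(4242, "CreateProcessW", 5150, 5152, CREATE_SUSPENDED),
    ApiEvent(4242, "VirtualAllocEx", 5150),
    ApiEvent(4242, "WriteProcessMemory", 5150),
    ApiEvent(4242, "QueueUserAPC", 5150, 5152),
    ApiEvent(4242, "ResumeThread", 5150, 5152),
    # A launcher creates a suspended child, adjusts nothing in it, then resumes it.
    ApiEvent(7000, "CreateProcessW", 7100, 7102, CREATE_SUSPENDED),
    ApiEvent(7000, "ResumeThread", 7100, 7102),
    # Classic injection into a child that was started normally (no suspended window).
    ApiEvent(8000, "CreateProcessW", 8100, 8102, 0),
    ApiEvent(8000, "WriteProcessMemory", 8100),
    ApiEvent(8000, "QueueUserAPC", 8100, 8102),
]

if __name__ == "__main__":
    for hit in detect_early_bird(SAMPLE_TRACE):
        print("Early Bird sequence:", hit)
```

The rule is deliberately narrow: it requires the APC to target the primary thread of a child that is still suspended, which is what distinguishes Early Bird from ordinary APC injection into a live process. The trade-off is that it depends on telemetry recorded outside the target process, because the injected code runs before anything inside that process could observe it.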
According to the researchers, at least the following three malware families were found using Early Bird code injection in the wild:
“TurnedUp” backdoor, developed by an Iranian hacking group (APT33)
A variant of “Carberp” banking malware
“DorkBot” malware
Initially discovered by FireEye in September 2017, TurnedUp is a backdoor capable of exfiltrating data from the target system, creating reverse shells, taking screenshots, and gathering system information.
Dating back to 2012, DorkBot is botnet malware distributed via links on social media, instant messaging apps, or infected removable media. It is used to steal users’ credentials for online services, including banking services, to participate in distributed denial-of-service (DDoS) attacks, to send spam, and to deliver other malware to victims’ computers.
Researchers have also provided a video demonstration, which shows the new Early Bird code injection technique in action.

About Censys
Censys is a search engine that enables researchers to ask questions about the hosts and networks that compose the Internet. Censys collects data on hosts and websites through daily ZMap and ZGrab scans of the IPv4 address space, in turn maintaining a database of how hosts and websites are configured. Researchers can interact with this data through a search interface, report builder, and SQL engine. Details on the Censys architecture and functionality are available in our research paper.

Don’t count on STARTTLS to automatically encrypt your sensitive e-mails
TLS stripping and DNS attacks allow eavesdropping on protected messages

Researchers have some good and bad news about the availability of secure e-mail. Use of STARTTLS and three other security extensions has surged in recent months, but their failure rate remains high, in large part because of active attacks that downgrade encrypted connections to unencrypted ones.

That conclusion, reached in a recently published research paper, means that a significant chunk of e-mail continues to be transmitted in plaintext, with no mechanism for verifying that a message hasn’t been tampered with while it travels from sender to receiver. The downgrades are largely made possible by the Simple Mail Transfer Protocol (SMTP) used by most e-mail services. Because SMTP wasn’t originally designed to provide message confidentiality or integrity, it relies on later-developed extensions, including STARTTLS, DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting and Conformance (DMARC), that often don’t work as intended.

The researchers wrote:

This security patchwork—paired with opportunistic encryption that favors failing open and transmitting messages in cleartext, so as to allow incremental adoption—enables network attackers to intercept and surveil mail. In one such attack, network appliances corrupt STARTTLS connection attempts and downgrade messages to non-encrypted channels. We identify 41,405 SMTP servers in 4,714 ASes and 193 countries that cannot protect mail from passive eavesdroppers due to STARTTLS corruption on the network. We analyze the mail sent to Gmail from these hosts and find that in seven countries, more than 20% of all messages are actively prevented from being encrypted. In the most severe case, 96% of messages sent from Tunisia to Gmail are downgraded to cleartext.

The findings are based on Gmail SMTP connection logs spanning January 2014 to April 2015 and a snapshot of SMTP server configurations, taken in April 2015, for the Alexa top million domains. The Gmail data showed that incoming messages protected by Transport Layer Security grew 82 percent in one year, reaching 60 percent of all inbound mail by the end of the study. Outgoing protected messages increased 54 percent, with 80 percent of messages protected. The improvement was largely the result of Yahoo, Outlook, and a small number of other large e-mail providers updating their servers to use STARTTLS.

Offsetting that progress was the finding that about 770,000 SMTP servers associated with the Alexa top million list still failed to properly secure their connections. Only 82 percent of them supported TLS, and of those, only 35 percent presented certificates that would allow one server to cryptographically authenticate itself to another.

STARTTLS corruption

The researchers also found evidence of widespread corruption that prevents STARTTLS from working as intended. Like many opportunistic security mechanisms, STARTTLS is designed to “fail open” rather than “fail closed”: when certain errors happen, the sending server simply transmits the e-mail unencrypted rather than refusing to send it at all. An on-path network actor can exploit this design by corrupting the packets that advertise or negotiate STARTTLS, triggering the fail-open path. The overall fraction of Gmail messages that were downgraded was relatively small, but in Tunisia, TLS was stripped from 96 percent of e-mail. Other countries with high rates included Iraq, Papua New Guinea, and Nepal.
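The fail-open behaviour described above is a client-side policy choice, so a sending server that is willing to lose delivery can instead fail closed. The following added example (written for this page; not code from the researchers or from any mail server) shows the two halves of that choice: parsing the EHLO capability list so that a missing or masked STARTTLS keyword is recognised, and a `smtplib` sender that refuses cleartext and validates the receiving server’s certificate. The EHLO replies are constructed; the 8-character `XXXXXXXX` masking is a pattern that some firewall appliances have been observed to produce when they blank the keyword in place, and is included only as a tampering heuristic. `send_fail_closed()` needs a live server and is defined but not invoked.

```python
"""Fail-closed STARTTLS handling for an SMTP client (added example)."""
import smtplib
import ssl


def parse_ehlo(reply: str) -> list:
    """Return upper-cased extension keywords from a multi-line 250 EHLO reply.

    The first 250 line carries the server's domain/greeting, not an extension,
    so it is skipped.
    """
    keywords = []
    for line in reply.splitlines():
        line = line.strip()
        if len(line) < 4 or not line.startswith("250"):
            continue
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if body:
            keywords.append(body.split()[0].upper())
    return keywords[1:]


def starttls_status(reply: str) -> str:
    """Classify an EHLO reply as 'offered', 'stripped' (masked in place) or 'absent'."""
    keywords = parse_ehlo(reply)
    if "STARTTLS" in keywords:
        return "offered"
    # A keyword overwritten with X's of the same length as STARTTLS is evidence of
    # in-path tampering rather than a server that never offered TLS.
    if any(len(k) == len("STARTTLS") and k.strip("X") == "" for k in keywords):
        return "stripped"
    return "absent"


def delivery_decision(reply: str, require_tls: bool) -> str:
    """Opportunistic (fail-open) vs. mandatory (fail-closed) policy, as a pure function."""
    if starttls_status(reply) == "offered":
        return "negotiate-tls"
    return "refuse" if require_tls else "send-cleartext"


def send_fail_closed(host: str, sender: str, recipient: str, message: bytes) -> None:
    """Deliver only over authenticated TLS; never fall back to cleartext.

    Not called in this example: it requires network access to `host`.
    """
    ctx = ssl.create_default_context()  # verifies the chain and the server hostname
    with smtplib.SMTP(host, 25, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} did not offer STARTTLS; refusing cleartext delivery")
        smtp.starttls(context=ctx)  # raises ssl.SSLError on an untrusted certificate
        smtp.ehlo()  # re-issue EHLO inside the tunnel; pre-TLS capabilities are untrusted
        smtp.sendmail(sender, recipient, message)


# Constructed EHLO replies for three receiving servers.
EHLO_OK = ("250-mx.example.net Hello client.example.org\r\n"
           "250-SIZE 52428800\r\n"
           "250-STARTTLS\r\n"
           "250 8BITMIME\r\n")
EHLO_STRIPPED = ("250-mx.example.net Hello client.example.org\r\n"
                 "250-SIZE 52428800\r\n"
                 "250-XXXXXXXX\r\n"
                 "250 8BITMIME\r\n")
EHLO_NOTLS = ("250-mx.example.net Hello client.example.org\r\n"
              "250 8BITMIME\r\n")

if __name__ == "__main__":
    for name, reply in (("ok", EHLO_OK), ("stripped", EHLO_STRIPPED), ("notls", EHLO_NOTLS)):
        print(name, starttls_status(reply),
              delivery_decision(reply, require_tls=False),
              delivery_decision(reply, require_tls=True))
```

Note the second `ehlo()` after `starttls()`: anything the server advertised before the handshake could have been altered on the wire, so a careful client discards it and re-queries inside the tunnel. The fail-closed policy trades availability for confidentiality, which is why the paper’s large providers chose fail-open; a per-destination allow-list of domains known to support TLS is the usual compromise.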

“It is important to note that the devices that are stripping TLS from SMTP connections are not inherently malicious, and many of these devices may be deployed to facilitate legitimate filtering,” the paper states. “Regardless of intent, this technique results in messages being sent in cleartext over the public Internet, enabling passive eavesdropping and other attacks.”

The researchers also found evidence that domain name system records are routinely spoofed in a way that redirects e-mail to servers controlled by attackers rather than to the intended destination. The evidence included more than 178,000 publicly available DNS servers that provided invalid IP addresses or mail records for either,,,, or

The findings suggest that even as e-mail providers continue to deploy STARTTLS, there’s no guarantee that e-mail will be encrypted as it travels from one server to another on its way to the receiver. That leaves the truly paranoid with no option other than end-to-end encryption, such as GPG or S/MIME, to ensure the confidentiality of the messages they send.