topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Sunday December 15, 2024, 6:16 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: CCleaner contained malware for one month  (Read 8520 times)

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,778
    • View Profile
    • Read more about this member.
    • Donate to Member
CCleaner contained malware for one month
« on: September 19, 2017, 12:55 AM »
Around 2.27 million users of Piriform's popular CCleaner security app have been advised to update the application—a result of sophisticated hacker-hidden malware. Discovered by researchers at Cisco's Talos division, hackers are thought to have run code from a remote IP address using a backdoor.

The short of it is that v5.33 contained malware so be sure to update to v5.34 which seems to fix the problem.

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,644
    • View Profile
    • Donate to Member
Re: CCleaner contained malware for one month
« Reply #1 on: September 19, 2017, 01:16 AM »
TechCrunch
Although it would appear that, in this instance, the illegal payload was only successfully delivered to a small minority of users — and specifically to those using 32-bit Windows PCs.

Contro

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 3,940
    • View Profile
    • Donate to Member
Re: CCleaner contained malware for one month
« Reply #2 on: September 19, 2017, 02:17 AM »
Yesterday Antimalware bytes detects in my system CCLEANER.EXE as a virus

I remove but I didn't lost the installation of ccleaner !!!!
 :-[

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,914
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
CCleanup: A Vast Number of Machines at Risk
« Reply #3 on: September 19, 2017, 10:24 AM »
Reported by OS News:

Talos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner.

Original article:
http://blog.talosint...ributes-malware.html

In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017 version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates.

Screenshot - 9_19_2017 , 10_24_54 AM_thumb001.png

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,645
    • View Profile
    • Donate to Member
Re: CCleaner contained malware for one month
« Reply #4 on: September 19, 2017, 01:42 PM »
TechCrunch
Although it would appear that, in this instance, the illegal payload was only successfully delivered to a small minority of users — and specifically to those using 32-bit Windows PCs.

That small minority is still more than 2 million people.

A million here, a million there, and pretty soon you're talking about a lot of computers.

exjoburger

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 43
    • View Profile
    • Donate to Member
Re: CCleaner contained malware for one month
« Reply #5 on: September 19, 2017, 03:20 PM »
The way the malware was delivered on top of a legitimate software update is quite scary.

What next, malware with Windows Updates? Oh wait, Windows 10 updates... :-\

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,644
    • View Profile
    • Donate to Member
Re: CCleaner contained malware for one month
« Reply #6 on: September 19, 2017, 08:08 PM »
It would be interesting to know that if they still distributed the Slim build of CCleaner, (the one without the PUP inclusion), whether this would have happened with it.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: CCleaner contained malware for one month
« Reply #7 on: September 20, 2017, 07:21 AM »
It would be interesting to know that if they still distributed the Slim build of CCleaner, (the one without the PUP inclusion), whether this would have happened with it.

From what I've read, probably yes. This was a sophisticated supply chain hack (of Piriform and Avast servers) that repackaged the update with a valid digital signature. So unless the slim was a no install 'portable' version...it could have also easily been exploited.

rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 2,193
    • View Profile
    • Donate to Member
Re: CCleaner contained malware for one month
« Reply #8 on: September 20, 2017, 10:51 PM »
Second payload!? ...how in the world can an 'updated' exe/new version be open to this  :(

https://www.ghacks.n...-payload-discovered/

Piriform was quick to state that users could resolve the issue by updating to the new malware-free version of CCleaner.

A new report suggests that this may not be enough.

Talos Group found evidence that the attack was more sophisticated, as it targeted a specific list of domains with a second payload.


4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,644
    • View Profile
    • Donate to Member
Re: CCleaner contained malware for one month
« Reply #9 on: September 21, 2017, 12:08 AM »
It would be interesting to know that if they still distributed the Slim build of CCleaner, (the one without the PUP inclusion), whether this would have happened with it.

From what I've read, probably yes. This was a sophisticated supply chain hack (of Piriform and Avast servers) that repackaged the update with a valid digital signature. So unless the slim was a no install 'portable' version...it could have also easily been exploited.

Interesting to note that the Slim build has reappeared on their downloads page ... it wasn't there two days ago when I downloaded the last version.

Also interestingly, ccleaner64.exe (v5.35) now wants access to the internet despite having the update check disabled, (and anything else that has to do with network access).

This didn't happen in previous versions and doesn't necessarily inspire confidence.
« Last Edit: September 21, 2017, 12:30 AM by 4wd »

Matthew_

  • Participant
  • Joined in 2017
  • *
  • Posts: 3
    • View Profile
    • Donate to Member
Re: CCleaner contained malware for one month
« Reply #10 on: September 21, 2017, 03:47 AM »
 >:(
I trusted it and sticked to it, bt I just want to say WTF to the developer NOW.
 :down:

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,778
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: CCleaner contained malware for one month
« Reply #11 on: September 22, 2017, 06:11 AM »
Looks like simply installing the new version isn't enough to wipe out the malware.

The recent CCleaner malware outbreak is much worse than it initially appeared, according to newly unearthed evidence. That evidence shows that the CCleaner malware infected at least 20 computers from a carefully selected list of high-profile technology companies with a mysterious payload.

[...]

From September 12 to September 16, the highly advanced second stage was reserved for computers inside 20 companies or Web properties, including Cisco, Microsoft, Gmail, VMware, Akamai, Sony, and Samsung. The 20 computers that installed the payload were from eight of those targeted organizations, Avast said, without identifying which ones. Again, because the data covers only a small fraction of the time the backdoor was active, both Avast and Talos believe the true number of targets and victims was much bigger.

[...]

Now that it's known the CCleaner backdoor actively installed a payload that went undetected for more than a month, Williams renewed his advice that people who installed CCleaner version 5.3 reformat their hard drives. He said simply removing the stage-one infection is insufficient given the proof now available that the second stage can survive and remain stealthy.

Read more details here:

https://arstechnica....n-it-first-appeared/
« Last Edit: September 22, 2017, 06:27 AM by Deozaan »

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,644
    • View Profile
    • Donate to Member
Re: CCleaner contained malware for one month
« Reply #12 on: September 22, 2017, 07:57 AM »
OK, this is getting annoying, CCleaner 5.35.0.6210 is persisting in its attempts to access the internet:

Whois
Whois lookup for: 151.101.80.64
#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=151.101.80.64?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       151.101.0.0 - 151.101.255.255
CIDR:           151.101.0.0/16
NetName:        SKYCA-3
NetHandle:      NET-151-101-0-0-1
Parent:         RIPE-ERX-151 (NET-151-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       
Organization:   Fastly (SKYCA-3)
RegDate:        2016-02-01
Updated:        2016-02-01
Ref:            https://whois.arin.net/rest/net/NET-151-101-0-0-1

OrgName:        Fastly
OrgId:          SKYCA-3
Address:        PO Box 78266
City:           San Francisco
StateProv:      CA
PostalCode:     94107
Country:        US
RegDate:        2011-09-16
Updated:        2017-03-30
Ref:            https://whois.arin.net/rest/org/SKYCA-3


Considering the previous versions never attempted to do it when the relevant option was turned off now makes this program suspect AFAIAC.

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,544
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: CCleaner contained malware for one month
« Reply #13 on: September 22, 2017, 08:41 AM »
OK, this is getting annoying, CCleaner 5.35.0.6210 is persisting in its attempts to access the internet:
...
...Considering the previous versions never attempted to do it when the relevant option was turned off now makes this program suspect AFAIAC.
___________________________
I used Windows Firewall Control to block it - "Head it off at the pass"...

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,644
    • View Profile
    • Donate to Member
Re: CCleaner contained malware for one month
« Reply #14 on: September 22, 2017, 11:32 PM »
OK, this is getting annoying, CCleaner 5.35.0.6210 is persisting in its attempts to access the internet:
...
...Considering the previous versions never attempted to do it when the relevant option was turned off now makes this program suspect AFAIAC.
___________________________
I used Windows Firewall Control to block it - "Head it off at the pass"...

I'd rather know the cause of the problem than hide the problem.

ie. Is this still a symptom of the infection or have the programmers screwed up?

It becomes more interesting when the 32bit version isn't asking for internet access.

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,544
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: CCleaner contained malware for one month
« Reply #15 on: September 24, 2017, 01:40 AM »
...I'd rather know the cause of the problem than hide the problem. ...
______________________________
Quite agree, but it's not a problem (for me), as I have the 64-bit CCleaner Pro licence (which version is reputedly free of the virus), and have it set to automatically check and update itself - whenever it starts up (a useful option, in my view). However, being a bit paranoid after the strange virus alert for the 32-bit version, I decided to provisionally set my firewall so that the 64-bit Pro version of CCleaner cannot receive or send stuff through the firewall, just in case.

In terms of the 32-bit version, I'm not sure that "the problem" (whatever it may be) has actually been fully defined. It thus awaits definition in no uncertain terms. I regard the belated and vague/ambiguous reporting of the matter so far, by the new owners of the software, as being deliberate and highly suspect. This arguably puts the whole product range under prudent suspicion.
Therefore, in the medium to longer term, absent any improved, independently verifiable and precise consumer information on the matter, following an audit of/by the product's new owners, it may be that it would be prudent to expunge CCleaner - i.e., because it apparently can't be independently verified as being a trusted A-1 product anymore.
Meanwhile, my "apparently-safe-but-we're-not'sure" product can't get through the firewall.

Some people (not me, you understand) might say that they smell a rat named with the TLA "NSA", but I couldn't possibly comment.

Shades

  • Member
  • Joined in 2006
  • **
  • Posts: 2,939
    • View Profile
    • Donate to Member
Re: CCleaner contained malware for one month
« Reply #16 on: September 24, 2017, 08:22 AM »
Bleachbit could be considered as an alternative for cleaning up the collected cruft from your system.