CCleaner Compromised

Post by Mr Onion » September 18th, 2017, 6:47 am

Issue Summary: Our new parent company, the security company Avast, determined on the 12th of September that the 32-bit version of our CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner. Piriform CCleaner v5.33.6162 was released on the 15th of August, and a regularly scheduled update to CCleaner, without compromised code, was released on the 12th of September. CCleaner Cloud v1.07.3191 was released on the 24th of August, and updated with a version without compromised code on September 15. The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server.


Full Article
Mr Onion
Regular Member
 
Posts: 77
Joined: June 25th, 2013, 7:00 am

Re: CCleaner Compromised

Post by NonSuch » September 18th, 2017, 5:45 pm

Thank you for posting about this recent development, Mr Onion.

CCleaner has since been moved from the compromised server to one belonging to Avast.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

Re: CCleaner Compromised

Post by Mr Onion » September 19th, 2017, 4:49 am

Apparently things are very unclear (or should that be muddied) about the whats, wheres, whys and whos. I suspect we are not being told all (or any) of the facts.

https://www.tweakhound.com/2017/09/18/c ... ed-part-2/

Re: CCleaner Compromised

Post by Mr Onion » September 20th, 2017, 2:40 pm

New version available

v5.35.6210 (20 Sep 2017)
– All builds signed with new Digital Signatures

Previous Versions before Avast takeover

http://download.piriform.com/ccsetup532.exe
http://download.piriform.com/ccsetup532.zip

FROM https://www.tweakhound.com/2017/09/20/ccleaner-5-35/

##########################

If your CCleaner version is before version 5.33.6162, then you are not affected, and you should manually download the latest version now. If that version is 5.34 or later, your current version isn’t affected, but if you updated CCleaner in between August 15th and September 12th, and are on a 32-bit system, you may still have been affected. (If you’re comfortable going into the registry, you can open Registry Editor and navigate to HKLM\SOFTWARE\Piriform and see if there is a key labeled Agomo:MUID. If that key exists, it means you had the infected software on your system at one point in time.)

While nothing immediately harmful was discovered, Cisco Talos recommends restoring your system to a state before August 15, 2017 from a backup if you were affected. You should probably run an antivirus and MalwareBytes scan on your system and your backups to ensure no malware is left installed.


FROM https://www.howtogeek.com/326742/cclean ... d-to-know/
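The three checks this post brings together (which build is on disk, whether the Agomo registry key is present, and who signed the binaries now that 5.35 ships with new certificates) can be run from one elevated PowerShell session. The script below is an added example, not code from the thread, from Piriform, Avast or Talos; it assumes the default install path under Program Files and the HKLM\SOFTWARE\Piriform registry location named in the quoted article. Two details worth knowing before running it: the article's "Agomo:MUID" is a key named Agomo with a value MUID stored under it, and on 64-bit Windows a 32-bit process such as CCleaner.exe has its HKLM\SOFTWARE writes redirected by WOW64, so the key is looked for under WOW6432Node as well.

```powershell
# Added triage script (not from the original post, Piriform, Avast or Talos).
# Assumptions: default install path, default Piriform registry location.
# Run from an elevated PowerShell so HKLM and Program Files are readable.

$InstallDir = Join-Path $env:ProgramFiles 'CCleaner'   # assumed default path
$Affected   = [version]'5.33.6162'                      # build named in the advisory

function Get-CCleanerBuild {
    # Reads the version resource of each CCleaner binary that is present.
    foreach ($name in 'CCleaner.exe', 'CCleaner64.exe') {
        $exe = Join-Path $InstallDir $name
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $vi = (Get-Item -LiteralPath $exe).VersionInfo
        # FileMajorPart/FileMinorPart come from the VS_FIXEDFILEINFO block.
        # 5.33 was the only release on that line, so matching major.minor is
        # enough and avoids guessing how 6162 is split across the last fields.
        [pscustomobject]@{
            File     = $exe
            Version  = $vi.FileVersion
            Affected = ($vi.FileMajorPart -eq $Affected.Major -and
                        $vi.FileMinorPart -eq $Affected.Minor)
        }
    }
}

function Test-AgomoKey {
    # The backdoored build kept its identifiers (MUID among them) under
    # HKLM\SOFTWARE\Piriform\Agomo. A 32-bit process on 64-bit Windows is
    # redirected to WOW6432Node, so both views of HKLM\SOFTWARE are checked.
    foreach ($key in 'HKLM:\SOFTWARE\Piriform\Agomo',
                     'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo') {
        $present = Test-Path -LiteralPath $key
        $values  = if ($present) { (Get-Item -LiteralPath $key).GetValueNames() } else { @() }
        [pscustomobject]@{ Key = $key; Present = $present; Values = ($values -join ', ') }
    }
}

function Get-CCleanerSigner {
    # Authenticode status plus the signer, so the certificates introduced with
    # 5.35 can be told apart from the one that signed the 5.33 build.
    foreach ($exe in (Get-ChildItem -LiteralPath $InstallDir -Filter '*.exe' -ErrorAction SilentlyContinue)) {
        $sig  = Get-AuthenticodeSignature -FilePath $exe.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File      = $exe.Name
            Status    = $sig.Status
            Signer    = if ($cert) { $cert.Subject }    else { '' }
            NotBefore = if ($cert) { $cert.NotBefore }  else { $null }
            Thumb     = if ($cert) { $cert.Thumbprint } else { '' }
        }
    }
}

$build  = @(Get-CCleanerBuild)
$agomo  = @(Test-AgomoKey)
$signer = @(Get-CCleanerSigner)

$build  | Format-Table -AutoSize
$agomo  | Format-Table -AutoSize
$signer | Format-Table -AutoSize

# Either indicator is enough to treat the host as having run the backdoored build.
$hit = [bool]($build | Where-Object Affected) -or [bool]($agomo | Where-Object Present)
if ($hit) {
    Write-Warning 'Affected build or Agomo key found: treat the host as compromised and re-image it; do not rely on a System Restore point.'
} else {
    Write-Output 'No 5.33 binaries and no Agomo key found on this host.'
}
```

A Valid signature status on its own does not clear a machine: the 5.33 build was itself signed with a valid Piriform certificate, which is why it reached users through the normal download and update channel. The signer column is there so that, after updating, you can confirm the binaries now carry the newer certificates rather than as evidence of a clean host. A 5.33 binary or an Agomo key is a hit, and the remediation is the one the rest of this thread settles on.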

Re: CCleaner Compromised

Post by Mr Onion » September 21st, 2017, 7:19 am

Latest Update

Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that the files were very likely genuine based upon the web server configuration files and the fact that our research activity was reflected in the contents of the MySQL database included in the archived files.

In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.


Source

So it seems that they were after the big boys, but if I had a 32-bit machine and had the compromised CCleaner I would restore to a previous image (NOT just a restore point) or reinstall Windows. Better safe than sorry, you don't know what else they may be up to.

Re: CCleaner Compromised

Post by Mr Onion » September 21st, 2017, 8:00 am

Cisco and security firm Kaspersky have both pointed out that the malware element in the tainted version of CCleaner shares some code with a sophisticated hacking group known as Group 72, or Axiom, which security firm Novetta named a Chinese government operation in 2015.

Cisco concedes that code reuse alone doesn't represent a definitive link between the CCleaner attack and Axiom, not to mention China. But it also notes that one configuration file on the attackers' server was set for China's time zone—while still acknowledging that's not enough for attribution.


Source

Re: CCleaner Compromised

Post by NonSuch » September 21st, 2017, 3:00 pm

Mr Onion wrote: So it seems that they were after the big boys, but if I had a 32-bit machine and had the compromised CCleaner I would restore to a previous image (NOT just a restore point) or reinstall Windows. Better safe than sorry, you don't know what else they may be up to.

Correct! Any computer that had a Windows 32-bit version of CCleaner v5.33.6162 installed needs to be wiped or re-imaged. Personally, I would opt for wiping the drive and reinstalling Windows.

More info: http://thehackernews.com/2017/09/cclean ... o08hxi.yb0

It should also be noted that 32 bit machines have not been manufactured in ages. My old Windows XP machine was a 64 bit machine, but it was running the 32 bit version of Windows XP Pro simply because I had custom 32 bit business software applications that were not compatible with a 64 bit operating system. 64 bit machines running 64 bit operating systems are capable of running 32 bit software by running it under WOW64. So, it isn't safe to assume that because you have a 64 bit machine/operating system that every piece of software it's running is 64 bit. ;)

Re: CCleaner Compromised

Post by Gary R » September 21st, 2017, 5:58 pm

From what I can see, there is only one installer, which is used for both 64 bit and 32 bit systems, and I understand, the same program is installed, and it's just that the malware payload does not "initiate" on 64 bit systems.

That does not mean it is not installed, so whether you've got a 32 bit system or a 64 bit system, if you've installed version 5.33, then you need to take remedial action.
Gary R
Administrator
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
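Gary R's point can be checked rather than assumed. The PowerShell below is an added example, not code from the thread or from Piriform; it assumes the default install path and that the Start Menu or public desktop shortcut is what users actually launch. It reads the Machine field from the PE header of every CCleaner*.exe in the install directory, so the architecture comes from the file itself rather than its name, and resolves the shortcuts to show which binary gets started. On a 64-bit host that received the same package, the expected picture is a 32-bit CCleaner.exe next to a 64-bit CCleaner64.exe with the shortcut pointing at the latter, which is precisely the case where the trojanised binary is on disk but not the one normally executed.

```powershell
# Added example (not from the original post or from Piriform): list the
# CCleaner binaries on a host with their real PE architecture, and show which
# one the shortcuts launch. Assumptions: default install path, shortcuts in
# the all-users Start Menu or on the public desktop.

$InstallDir = Join-Path $env:ProgramFiles 'CCleaner'   # assumed default path

function Get-PeMachine {
    # Reads IMAGE_FILE_HEADER.Machine directly from the file: 'MZ' header,
    # e_lfanew at offset 0x3C, 'PE\0\0' signature, then the 16-bit Machine field.
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader -ArgumentList $fs
        if ($br.ReadUInt16() -ne 0x5A4D) { return 'not an MZ file' }       # 'MZ' little-endian
        $null = $fs.Seek(0x3C, [System.IO.SeekOrigin]::Begin)
        $peOffset = $br.ReadUInt32()
        $null = $fs.Seek($peOffset, [System.IO.SeekOrigin]::Begin)
        if ($br.ReadUInt32() -ne 0x00004550) { return 'bad PE signature' }  # 'PE\0\0'
        switch ($br.ReadUInt16()) {
            0x014C  { 'x86 (32-bit)' }
            0x8664  { 'x64 (64-bit)' }
            default { 'other (0x{0:X4})' -f $_ }
        }
    } finally {
        $fs.Dispose()
    }
}

function Get-CCleanerBinaries {
    Get-ChildItem -LiteralPath $InstallDir -Filter 'CCleaner*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Name
                Machine = Get-PeMachine -Path $_.FullName
                Version = $_.VersionInfo.FileVersion
            }
        }
}

function Get-LaunchTarget {
    # Resolve shortcuts to see which of the two binaries a user actually runs.
    $shell = New-Object -ComObject WScript.Shell
    $roots = @(
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'),
        (Join-Path $env:PUBLIC 'Desktop')
    )
    Get-ChildItem -Path $roots -Recurse -Filter 'CCleaner*.lnk' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Shortcut = $_.FullName
                Target   = $shell.CreateShortcut($_.FullName).TargetPath
            }
        }
}

$is64Host = [Environment]::Is64BitOperatingSystem
Write-Output ('64-bit Windows: {0}' -f $is64Host)

$bins = @(Get-CCleanerBinaries)
$bins            | Format-Table -AutoSize
Get-LaunchTarget | Format-Table -AutoSize

# A 32-bit CCleaner binary on a 64-bit host is still the binary the advisory
# is about, even if the shortcut starts CCleaner64.exe instead.
if ($is64Host -and ($bins | Where-Object Machine -like 'x86*')) {
    Write-Warning 'A 32-bit CCleaner binary is present on this 64-bit host; apply the same remediation as for a 32-bit install.'
}
```

Reading the Machine field rather than trusting the "64" in the file name matters because nothing stops a 32-bit image from being shipped under any name; the check is cheap and answers the question the thread is debating for the specific files on the host in front of you.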

Re: CCleaner Compromised

Post by NonSuch » September 21st, 2017, 8:06 pm

Gary R wrote:From what I can see, there is only one installer, which is used for both 64 bit and 32 bit systems, and I understand, the same program is installed, and it's just that the malware payload does not "initiate" on 64 bit systems.

That does not mean it is not installed, so whether you've got a 32 bit system or a 64 bit system, if you've installed version 5.33, then you need to take remedial action.

I agree. I have 64 bit operating systems on my computers. If any of them had version 5.33 installed, it would be nuke and pave time.

Re: CCleaner Compromised

Post by Gary R » September 22nd, 2017, 12:58 am

Yes, nuke'n'pave would be my action of choice as well.

Re: CCleaner Compromised

Post by Mr Onion » September 22nd, 2017, 5:03 am

Interestingly, I have just remembered that a couple of weeks ago I was having problems with Windows Update on my W10 Pro 64-bit PC. It was just refusing to install 2 updates. I restored to a previous image from early July using Acronis and the updates went perfectly.

So, was it the piggybacked payload? I have no way of knowing, but at least it's not here now.

