Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

Discussion in 'other security issues & news' started by stapp, Sep 18, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    https://www.welivesecurity.com/2017/09/21/cconsiderations-on-ccleaner-incident/
     
  2. guest

    guest Guest

Yep, this can be seen with other applications too. Both versions (32-bit and 64-bit) are installed but the shortcut in the start menu points to the 64-bit version (if the application is installed on a 64-bit OS).
    As long as the user uses the shortcut, it will execute the 64-bit version.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I strongly suspect that the CCleaner setup program only installed a backdoor on x64 systems. It then used the backdoor to remotely connect to map the target and download additional malware as needed. The attacker then removed the original backdoor leaving no trace of the original attack. A scenario used in the WannaCry attacks.

Appears the attacker felt confident that the backdoor would not be detected in the 32 bit CCleaner installer, which was the case since it wasn't discovered till mid-Aug. Additionally, most malware code has been and still is 32 bit code. Coding an x64 backdoor is trivial since all it is doing is establishing a remote connection.

Since the attacker had access to Piriform servers, he also could modify the CCleaner download stored there to remove the x64 backdoor code from the setup program after the initial attack began.
     
  4. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    You don't find it amusing that users would just trust that their 64bit version is safe from a company that just broke all trust?
     
  5. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    ...and...

    Hahahahahaha.

    "But but, I trusted that the 64bit version was safe!!"

    Like I said before: Swallow your mistake, format, and think twice before installing pointless software.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
In regards to the second payload delivery:
    https://www.bleepingcomputer.com/ne...ed-out-in-order-to-target-big-tech-companies/

    Again and in plain English if you were infected, you need to do either a system image restore or reinstall your OS.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
That is of course speculation. Since attackers can do whatever they want (if they compromised their server) we can't be sure of anything. We can only see the results of published analysis and they don't support this scenario.
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
A lot of users don't know if they were infected. System restore is good if you know when your system was clean. So far we can't know if versions before 5.33 were all clean or if any other software on their server was affected. There just isn't enough data about the intrusion itself to draw any conclusions. So only the OS reinstall scenario remains. And repeat it each time one of the vendors gets compromised, since there is no 100% guarantee that your system is not infected (even if there is no indication of infection).
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I know I was not infected and won't be reinstalling Windows. Some are still saying only 32 bit systems were infected and others are saying both. I have always believed it was OS version aware. I still have version 5.14 from Feb 2016 but am not going to install that.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Here is the latest updated blog posting from Cisco: https://blogs.cisco.com/talos. Scroll down to the bottom of the posting and click on "Read More" for the full latest technical analysis.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
The next major Win10 update is scheduled for release on the 17th of October, less than a month away. It seems like a good time to clean install Win10.
     
  12. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Indeed. That is what I plan on doing as well.
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Ars Technica on the Second Payload:

    "Backdoored CCleaner has a nasty surprise for at least 20 targeted tech firms

    Microsoft, Cisco, and VMWare among those infected with additional mystery payload...

    The second stage appears to use a completely different control network. The complex code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. Craig Williams, a senior technology leader and global outreach manager at Talos, said the code contains a 'fileless' third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. Researchers are in the process of reverse engineering the payload to understand precisely what it does on infected networks.

    Now that it's known the CCleaner backdoor actively installed a payload that went undetected for more than a month, Williams renewed his advice that people who installed CCleaner version 5.3 reformat their hard drives. He said simply removing the stage-one infection is insufficient given the proof now available that the second stage can survive and remain stealthy...."

    https://arstechnica.com/information...utbreak-is-much-worse-than-it-first-appeared/

OK. Soooooo, if you're not Cisco, Microsoft, Gmail, et al., and you installed 533 on a 64X machine, are u gonna restore an image ??
     
    Last edited: Sep 21, 2017
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The main point from Cisco's technical analysis is that they only know for sure that the 20 organizations were targeted. There is a high likelihood that many others were indeed affected:
     
  15. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
    Thanks for the time frame.
     
  16. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412
You're welcome. All I can say is have plenty of reliable image backups.
     
  17. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,412

    So one has to download the following programs and run them...

    RKill
    Malwarebytes Anti-Malware
    Zemana AntiMalware
    AdwCleaner
    HitmanPro

... then scan for outdated vulnerable programs with Secunia PSI. By the time I did all that I could have reinstalled the OS. :D

    If this CCleaner breach happened to me I would do a restore from an image backup, which takes less than 5 minutes, and be done with it.
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    No. Partly because my Macrium GFS scheme isn't working properly and removed my pre-Aug 15 full image.

    But also I have found no evidence of stage 1 or stage 2 infection. Whatever info may have been extracted from my machines is already out there, maybe beyond the 'sinkholed' servers, in the 'never forget' internet.

    And it seems these guys weren't really targeting the little guy, but selected mainly tech firms, but also some banks and .gov domains.

    With my level of customisation, I couldn't be bothered to do a clean install. I'll accept the risk.

    But with increasing prevalence of these supply chain attacks, my future strategy is leaning towards a bare bones image of the updated OS, and then as little software installed as possible a la @guest.

    Bit boring really, because I like to try out stuff. :isay: And hang out here.
     
  19. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    With the amount of pointless software you use, as can be seen in your signature, it's a safe bet that your machine is not trustworthy whatsoever, CCleaner or not. There are far too many points of entry on your machine.

    But make sure you do your daily prayers of faith, that should keep the baddies away. That's what I'm picking up from your response: "I'm hoping for the best".

    I'd highly recommend it, and that is indeed a good opportunity.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    :rolleyes:
     
  21. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,006
    Avast Threat Labs analysis of CCleaner incident
    22 September 2017
    https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident
     
  22. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,348
    Location:
    Europe, UE citizen
Today I read this: https://forums.comodo.com/news-announcements-feedback-cis/ccleaner-contained-t120580.0.html ( I don't know if already posted here from this or another link ):

    "Elements:
    taskscheduler:C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
    file:C:\Program Files\CCleaner\CCleaner.exe
    file:C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
    uninstall:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CCleaner
    regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DCE4767-2B66-466F-B3D1-6F1EBE9F939E}
    regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC
    regkey:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CCleaner "


    I checked in my system and I found only:
    C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
    regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC

What does it mean?
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I'd love to know what your qualifications are to tell another user they are running pointless software?
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks Peter. Mine are 36 years in enterprise application development, the last six at IBM, but it's OT really :).
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The scheduled task SkipUAC key has always been present and one reason among others I long ago stopped using crap cleaner.

    The other scheduled task reg. key is suspect. Perhaps people using the latest ver. can confirm if the key exists for that.

    You can check scheduled task status using Autoruns and can also remove them from there.
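For anyone who wants to do the same check without Autoruns, here is an added example (not from the thread, Comodo or Piriform) that inventories the artifacts listed in the Comodo quote above from a PowerShell prompt. It is read-only. The file paths and registry keys are the ones quoted in that post; the TaskCache\Tasks GUID in the quote is assumed to be specific to that machine, so the script resolves the GUID for your own install from the Tree key's Id value instead of hard-coding it. `Get-ScheduledTask` requires Windows 8 / Server 2012 or later.

```powershell
# Added example: report the CCleaner scheduled task and registry/file artifacts
# quoted in this thread. Read-only; nothing is changed or removed.

# Paths taken from the Comodo list posted above (HKLM\... rewritten as HKLM:\ for PowerShell).
$artifacts = @(
    @{ Kind = 'File';   Path = 'C:\Program Files\CCleaner\CCleaner.exe' },
    @{ Kind = 'File';   Path = 'C:\WINDOWS\System32\Tasks\CCleanerSkipUAC' },
    @{ Kind = 'RegKey'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner' },
    @{ Kind = 'RegKey'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC' }
)

function Get-CCleanerArtifactReport {
    # One row per artifact: present or not on this host.
    $report = @(foreach ($a in $artifacts) {
        [pscustomobject]@{
            Kind    = $a.Kind
            Path    = $a.Path
            Present = Test-Path -LiteralPath $a.Path
        }
    })

    # The TaskCache\Tasks\{GUID} key is assumed to be per machine (the GUID in the
    # quoted post is that poster's). Resolve ours from the Tree key's "Id" value.
    $treeKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC'
    if (Test-Path -LiteralPath $treeKey) {
        $id = (Get-ItemProperty -LiteralPath $treeKey -ErrorAction SilentlyContinue).Id
        if ($id) {
            $tasksKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\$id"
            $report += [pscustomobject]@{
                Kind    = 'RegKey'
                Path    = $tasksKey
                Present = Test-Path -LiteralPath $tasksKey
            }
        }
    }

    # What the task actually runs, and whether it is enabled. Worth eyeballing:
    # the executable should be the CCleaner binary listed above, not something else.
    $task = Get-ScheduledTask -TaskName 'CCleanerSkipUAC' -ErrorAction SilentlyContinue
    if ($task) {
        foreach ($action in $task.Actions) {
            $report += [pscustomobject]@{
                Kind    = 'TaskAction'
                Path    = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
                Present = ($task.State -ne 'Disabled')
            }
        }
    }

    $report
}

Get-CCleanerArtifactReport | Format-Table -AutoSize
```

As itman says, the SkipUAC task is something CCleaner has always created, so its mere presence is not an indicator on its own; the useful part of the report is whether the task's action points at the expected CCleaner.exe path and whether the registry entries match what your installed version should have left behind. Removing the task, if you decide to, is the same job Autoruns does, or `Unregister-ScheduledTask -TaskName CCleanerSkipUAC` from an elevated prompt.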
     