CCleaner v5

Discussion in 'other software & services' started by anon, Nov 25, 2014.

  1. warwagon1979

    warwagon1979 Registered Member

    Joined:
    Nov 17, 2009
    Posts:
    21
    What I don't understand is that the second payload checks for 32bit or 64bit and gets either a 32bit or 64bit dll. But on a 64bit system, the 64bit ccleaner isn't infected, just the ccleaner.exe (32bit version).

    I'm also wondering if the virus is active only when ccleaner is running in the system tray and if the first and second payload is even able to drop if ccleaner on a 32bit machine isn't running in the system tray and that feature is turned off. As this is the first feature of ccleaner I turn off upon installation.

    I'm also wondering if it even goes through with the 2nd payload if the IP address it collects from the user in stage 1 doesn't match a large tech company.
     
  2. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    Also in this case, the payload would bypass the FW only during CCleaner installing downloading with it, then if you block every connection it couldn't do anything. And I wonder if a HIPS - in Paranoid Mode naturally - should block the payload copying info from the system, because - whatever the payload is or pretends to be - it would be a new activity, and then monitored by the HIPS.
     
  3. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    It seems that also 64-bit are infected, read in this thread.
     
  4. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,501
    Location:
    .
    Oh, yeah. :thumb:
     
  5. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,966
    Quickly away!
     
    Last edited by a moderator: Sep 25, 2017
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Yes exactly. If outbound access was blocked, it was game over. Even if the disk-based payload was downloaded, it would be blocked from running with anti-exe. If the payload was in-memory, you only needed to restrict CCleaner. This means block it from getting read/write access to important folders, block key/screen logging, and block it from injecting code, for example.
     
  7. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,061
    Location:
    UK
    CCleaner 5.36

    Note the changes above in this build.

    Builds page here (no slim build yet)
    https://www.piriform.com/ccleaner/builds
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    No portable version either. :mad: :geek:
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I downloaded v5.36.6278 portable from the link in @stapp's post?
     
  10. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
  11. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    I clicked on that link but it redirects me to a blank page. Going to look into it later on.
     
  12. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    Thank you Stapp
     
  13. guest

    guest Guest

    It is working now
     
  14. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,061
    Location:
    UK
    Hashes available for all 5.36 versions

    https://forum.piriform.com/index.php?showtopic=49067#entry287835

    The Emergency Updater info applies to both the Free and Paid versions
     
  15. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    Added new executable: "CCUpdate.exe"
    Added new Windows Scheduled Task: "CCleaner Update


    Are these entries supposed to be in startup? I don't have them anywhere?? or in my task manager? Windows XP Pro
     
  16. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    702
    Location:
    EU
    have them! On W7_x64

    ccup.PNG task.PNG
     
    Last edited: Oct 24, 2017
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    Thank you.
     
  18. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    1,029
    CCleaner seems to be becoming more and more connected with each new version.

    Now there is an emergency updater? Yet another vector that needs to be watched. What's wrong with the regular updater? Heh the updater needs an update.

    And why so many changes anyways? Can't they get it right the first time?
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    I feel the same, do you really think we need an "Emergency Updater" after this debacle? I actually see this as a new security risk, because now it might forcefully download rogue versions LOL. I will stick with older versions, unless you can disable this crap.
     
  20. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    1,029
    Sic ccleaner on itself.

    I feel the ccleaner franchise is beginning to lose focus. Why do they have to update it so frequently anyways? They've been working on it for over a decade and still can't get it right?
     
  21. VecchioScarpone

    VecchioScarpone Registered Member

    Joined:
    Aug 29, 2015
    Posts:
    343
    Location:
    Down Under the Southern Cross
    If by deleting the CCU emergency file you disable the darn thing, well I just did it.
    W10x64

    1.PNG
     
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    FWIW ~ I also delete CCleaner and language files (not folder). W10x64
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Partly it's because apps (browsers and similar) are updated and they need to change CCleaner to adapt to those changes.
     
  24. VecchioScarpone

    VecchioScarpone Registered Member

    Joined:
    Aug 29, 2015
    Posts:
    343
    Location:
    Down Under the Southern Cross
    Don't mind me asking, if I understand you correctly, CCleaner without the CCU emergency updater it is a risk.
    Thanks.
     
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    The portable version does not have this, for those that are concerned about this.

    They at least seem to have fixed an apparent crash, which I hadn't quite figured out, when closing Firefox (in Sandboxie)? Maybe the 'session' data cleaning.
     