Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

Discussion in 'other security issues & news' started by stapp, Sep 18, 2017.

  1. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    Best solution, as is usually the case, is to restore a backup image created before August 15.
     
    Last edited: Sep 18, 2017
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    This is probably the funniest thing I've read this year.

    If you're on Windows 10, you should NOT be using any form of "cleaner" or "speed up" or any of that nonsense AT ALL.

    If you want to run a cleaner, click start, type "cleanup" and launch the built in disk cleanup utility.

    I continually find it amusing that paranoid people are so eager to add more software (more avenues of infection) instead of focusing on having as little as possible. So naive.

    If you want to stay safe online, trust less software, not more. Also anything you can do in your sandboxed browser is better than installing software for.
     
    Last edited: Sep 18, 2017
  3. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    Disk cleanup is very slow in some computers. It's possible to configure a basic cleanup directly from: Windows + I > Storage > Storage sensor...
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    So it seems, I agree. After scanning my HDD by Eset's and Immunet's scanners, no malicious file was found. Just that reg key which I deleted manually.

    I officially consider my laptop clean (99% sure) unless something comes up in the next few days. :)
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Again, I state the following. This only applies if you were infected. You should know that by now since most of the AVs, Malwarebytes, etc. have a sig. for the CCleaner malware.

    If you were infected, the likelihood is high that the malware installed a backdoor. A backdoor is next to impossible to detect other than by constant and detailed network monitoring. Additionally, the backdoor can remain dormant for days, weeks, months, and in some instances years. Positive backdoor detection can only be had by an actual sample of the installed code so a signature can be developed. Hence Cisco's recommendation to restore from a pre-Aug. 15 restore point or reinstall the OS. I would opt for a Win 8/10 repair installation over a system restore point. Obviously, the best solution would be a restore from an image backup. It always has been and always will be established security procedure to reinstall or restore from image backup if a backdoor installation is suspected.

    -EDIT- And it has been confirmed at least one backdoor was set by the malware to enable its "mapping" activities that proceeded once the malware was initially installed:
    https://www.scmagazine.com/ccleaner-used-to-spread-backdoor-to-2-million-plus-users/article/689544/
     
    Last edited: Sep 18, 2017
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    Good advice, yet I have no backup image. Let's see what researchers say later on in time.
     
  7. Tom111

    Tom111 Registered Member

    Joined:
    Jun 26, 2014
    Posts:
    57
    But then again, how do you know if you are really infected? Just by looking if you have that key created in the registry?

    And who knows, maybe the 64 bit version is also affected. Nobody even knows for sure right now.
     
    Last edited: Sep 18, 2017
  8. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Macrium Reflect FTW!
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    No sign of that Registry Key here and MB 3 scans clean. I see people are having trouble installing the latest CCleaner if they have MB running in real-time.

    MBAM3 prevented upgrade to CCleaner
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
  11. plat1098

    plat1098 Guest

    Don't laff, Malwarebytes apparently was one of the very few that originally detected this:

    https://malwaretips.com/threads/mal...-ccleaner-installers.75499/page-2#post-672066

    That's the problem with a software you always have trusted implicitly, you might disregard any warnings.

    I uninstalled CC 64 bit anyway even though it was unaffected. It could be good as gold 'til whenever but general trust in Piriform is gone. Got Wise Disk Cleaner instead to use occasionally in lieu of Windows.
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,804
    Location:
    .
    The hacking could have happened to anyone, even the best ones. I still trust Piriform, although some new measures should be put in place to guarantee a new security level to customers/users.
     
    Last edited: Sep 18, 2017
  13. plat1098

    plat1098 Guest

    It took more than this to move on from Piriform. Speccy suddenly couldn't detect 2 of 4 components on two machines and I still had 3 months left on subscription. Really regretful about this, CC was a keeper 'til now.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    According to Eset, the sig they developed for the malware is this, "Win32/CCleaner.A, Win32/CCleaner.B", which is not what is shown on the MB link to VT you posted. What is shown on VT is the detection for the Google Toolbar in the CCleaner installer; i.e. PUA.

    I do know the person who posted on the Eset forum that he was infected, noted it was advanced memory scanning that detected the malware at boot time. Might be the malware in the CCleaner installer is packed, encrypted, and obfuscated which means it can't be detected until the malware is loaded into memory. In other words, after CCleaner is installed. Most likely, the malware was downloaded and installed after the backdoor was set. All the CCleaner installer did was set the backdoor.

    -EDIT- Also based on what is currently posted on VT, what the products are currently detecting is the backdoor set by the CCleaner installer. Fine but useless to anyone with resultant malicious system changes that could have been done previously through the backdoor.
     
    Last edited: Sep 18, 2017
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I got lucky, I am still using version 5.32.6129 in W10 64-bit and version 5.27 in my W7 32-bit. I wouldn't know what to do if I had installed the infected version, I feel for you guys who installed it.

    Bo
     
  16. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,290
    Location:
    Pennsylvania.
    Checked the registry on my 64 bit version and I don't have the key in my registry. Now to find a program to replace it with......
     
  17. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,546
    Location:
    Triassic
    CCleaner is a specifically smart target and for that reason I do not think the intent was mischief. Due to this I relented later today and decided to restore to a July 2017 backup image on my infected system. Some time spent now will hopefully save me a great deal of potential torment later.
     
  18. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,171
    Location:
    Canada
    FYI From Vlk of Avast.

    Because both 32b and 64b binaries are present on the HDD... but the payload doesn't activate on 64-bit.
    You can check the existence of the registry key HKLM\SOFTWARE\Piriform\Agomo -- if it exists, the backdoor activated, otherwise it didn't.

    Thanks
    Vlk
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Two questions. I had 533 on board, and the first thing I did was uninstall 533 with Revo, which cleaned out all the registry keys. Installed 419, checked, and the reg key is not there.

    1. Does that mean the back door is gone?

    2. If it is still there, would it be in a file or not?

    Pete
     
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    1. If the CCleaner executable from the program files folder is gone (CCleaner.exe), then the backdoor is gone (it was embedded in their main executable).

    So far there is no evidence about some additional backdoor, so everything else is at the moment pure speculation.

    EDIT: You can also check for the registry key and see if the backdoor was even triggered on your system.
     
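    The two checks discussed in this thread (the HKLM\SOFTWARE\Piriform\Agomo key from Vlk's note and Minimalist's point about whether the trojanized CCleaner.exe is still on disk) combined into one read-only PowerShell script. This is an added example, not code posted by anyone in the thread or by Avast/Piriform; the install folder under Program Files and the CCleaner64.exe file name are assumptions.

```powershell
# Added example, not from the thread. Read-only triage of the two CCleaner
# 5.33.6162 indicators discussed above. Run from an elevated prompt.
$agomoKey   = 'HKLM:\SOFTWARE\Piriform\Agomo'      # key named by Vlk (Avast)
$exePaths   = @(
    'C:\Program Files\CCleaner\CCleaner.exe',      # assumed default install path
    'C:\Program Files\CCleaner\CCleaner64.exe'     # assumed 64-bit binary name
)

$findings = [ordered]@{}

# 1. Was the backdoor ever activated? Per the thread, the key only appears
#    if the payload actually ran (it does not on 64-bit Windows).
$findings['AgomoKeyPresent'] = Test-Path -LiteralPath $agomoKey
if ($findings['AgomoKeyPresent']) {
    # Capture the values for the incident record; nothing is deleted here.
    $findings['AgomoValues'] = Get-ItemProperty -LiteralPath $agomoKey |
        Select-Object -Property * -ExcludeProperty PS*
}

# 2. Is an affected binary still on disk? Even where the payload never
#    activated, the trojanized 32-bit build should not be left installed.
foreach ($p in $exePaths) {
    if (Test-Path -LiteralPath $p) {
        $v = (Get-Item -LiteralPath $p).VersionInfo.FileVersion
        # Heuristic match on the version string (separators vary by build):
        # major 5, minor 33 and build 6162 is the affected release.
        $affected = ($v -match '^\s*5[.,]\s*33\b') -and ($v -match '6162')
        $findings[$p] = [pscustomobject]@{
            FileVersion = $v
            Affected    = $affected
        }
    }
}

# Summary: key present => backdoor ran, restore from a pre-Aug-15 image;
# affected binary present but no key => remove/replace the build.
$findings
```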
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks minimalist
     
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    You're welcome.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Oh boy. Windows-The wonderful portal for backdoors courtesy your local crap cleaner.
     
  24. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Yeah because only Windows is vulnerable to back doors.

    The lolz just keep on coming from this thread, 10/10.

    ROFL. "I know I've been using this totally useless software, but I'll just keep using it despite being a direct threat to me".
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    I'm not dropping CCleaner... yet.

    It's not the first software to be infected and I'm sure it won't be the last.
     