CCleaner v5

Discussion in 'other software & services' started by anon, Nov 25, 2014.

  1. ABaird3

    ABaird3 Registered Member

    Joined:
    Jan 27, 2016
    Posts:
    98
    I meant slim version, I had a brain freeze.
     
  2. silverfang

    silverfang Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    7
    I don't know what's up with the portable version because it keeps redirecting me to the main page and then, after Xth number of tries, it randomly decides to download the file. It's the same story everytime a new version is released; tad annoying.
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Haven't seen any PUP's for years. May be my settings...
     
  4. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    17,735
    Location:
    UK
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,419
    Location:
    Under a bushel ...
  6. plat1098

    plat1098 Guest

    Whew, dodged a bullet there w/64 bit and update to latest. :isay: This is some more bad karma for Piriform/avast!
     
  7. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    6,807
  8. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    just because Avast bought them, does not mean they were immediately taken over and every avast business practice was adopted. We should wait and see, this was a rather sophisticated injection into the supply chain, as the infected code had been signed and released through their regular channels. We'll have to wait and see if they ever inform us how it actually happened. Law enforcement is involved according to the release. Wait and see folks, all else is just speculation, even if it is reasonable to assume certain things, we often find that our first suspicions are not entirely correct.. :D
     
  9. plat1098

    plat1098 Guest

    Re: post 583

    In conjunction with the recent avast! bundle and CC full installer, this is not good from the end user's perspective. Also, from what I've read elsewhere, avast! did not detect the Floxif malware.

    Hope it gets resolved, though and it seems it has been neutralized already. CC is a nice software but trust is shaken.
     
  10. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    6,807
  11. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,631
    Location:
    DC Metro Area
    A comment on the Talos Report page states the following. Is this true ??

    "CCleaner installs both 32/64-bit versions, but only shortcuts to 64-bit version are added on 64-bit systems."

    http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

    Update:

    Both the 32X and 64X executables do appear to be present in the CC Cleaner Program File, sooooo did the 32X have to be executed for the malware to be installed??
     
    Last edited: Sep 18, 2017
  12. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,845
    hi
    have you read this?
    http://www.piriform.com/news/blog/2...eaner-cloud-v1073191-for-32-bit-windows-users

     
  13. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    17,735
    Location:
    UK
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Dang made a post in the other thread and think it disappeared. Anyway I run Win 64 bit with latest insider build and during Aug 15 never saw any popups from either Appguard or Voodooshield. But When I updated to that version I am sure I had both disabled and so wondering if that is why no popups?
    Also sounds like any update after that date deleted the infection.
    It seems like there is two threads going on about this same thing.
     
  15. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,631
    Location:
    DC Metro Area
    Don't think so. Not if the backdoor had been installed. The update only deletes the malware that installs the backdoor, not the previously installed backdoor, if any.
     
  16. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,631
    Location:
    DC Metro Area
    The file was digitally signed and slipped through A/Vs and nearly all antimalware programs when it was active according to reports. Cisco's advanced anti-malware technology did throw an alert.
     
  17. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  18. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,092
    Location:
    Europe, UE citizen
    So, also an HIPS could not detect the backdoor work, if at the time of Ccleaner installation the HIPS was on Training Mode or similar to allow the installation ? But anyway the firewall should detect every eventual backdoor action, if it is setted at the highest level of security.
     
  19. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    123,562
    Location:
    Texas
    New thread started for alternative programs here. Let's keep this thread for CCleaner discussions only.
     
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,447
    Location:
    Slovenia
    Since there was no additional process launched HIPS probably wouldn't block it anyway. Modified exe didn't do anything that most HIPSs would warn about. And even if it did, most users would think it's legitimate action from CCleaner.
    Firewall would detect it if you previously blocked CCleaner from internet activity or if you allowed CCleaner to communicate to their servers only (on per IP basis).
    Looking from outside all backdoor (included in main binary) did was collect some data from your system (similar as regular CCleaner does) and sent it to some other server instead of Piriform's.
     
  21. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,092
    Location:
    Europe, UE citizen
    I mean that the same HIPS wouldn't block the backdoor because it was legitimated during the training mode used for CCleaner installation.
    All my applications are blocked except my security programs; I only allowed once CCleaner to connect during his installation, then I blocked it.
     
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,447
    Location:
    Slovenia
    Yes that's true, Learning mode would whitelist it. But in this case there was nothing to whitelist since installation process only extracted new binary. Backdoor was run when CCleaner was run (10 minutes after install) and at that time HIPS wouldn't be in learning mode any more.
     
  23. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,092
    Location:
    Europe, UE citizen
    Ya, HIPS is always - except during installation process - in Paranoid Mode :D: you mean that if the backdoor ran it necessary launched some process, activity, service..... ( while during CCleaner installation the backdoor slept ), and so HIPS had to see it ?
     
    Last edited: Sep 19, 2017
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,447
    Location:
    Slovenia
    In this case it was not a problem in installer itself, it was in compromised CCleaner.exe (main program binary). So installer did it's job as usual - it upgraded and replaced CCleaner components. Itself didn't do anything out of ordinary.
    After installation when CCleaner was run (and 10 minutes has passed) - that's when backdoor triggered (it was embedded in program itself). So HIPS wouldn't whitelist anything dangerous during install process. And backdoor was such in nature, that I doubt it would trigger HIPS once CCleaner is run.
     
  25. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    599
    Location:
    UK
    I am using v5.32.6129 (64 bit) and have never installed v5.33.
    I went to download v5.34 but there isn't a slim build available yet, so will wait for that.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.