CCleaner v5

Discussion in 'other software & services' started by anon, Nov 25, 2014.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,818
    Location:
    Under a bushel ...
    +1, not from pre-Aug 15 anyway (Macrium GFS schedule issue). Also thanks @cruelsister.
     
    Last edited: Sep 23, 2017
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,153
    CCleanerSkipUAC is a valid function of CCleaner - ofc its wants to gain admin rights to do its job. and in fact CCleaner x64 was also affected, not only x86.
    regular people act as normal until impact. then they get paniced. after a while it will get "regular" again.

    /offtopic
    last days i had a computer here which did not have any backup - crashed after windows update with no reason and system drive were messed up. we had to recover and install from scratch. glad that user is only lite email/browsing/office and personal data was laid on drive D - there was no much loss. but now we have a clean backup, i did ;) major issue here - drivers. win7 all fine, but windows 10 has trouble with a turned video cam - either a win10 app compatible driver and upside down or proper image and not win10 compatible.
     
  3. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,427
    Location:
    Paris
    BK- Nothing would detect this one, except bymonitoring outbound connections via a Monitor and understanding what occurs. Stuff like this one are nastier than one can imagine, and remediation like doing a re-imaging of the system is like closing the barn door when the horses are already running wild.
     
  4. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,992
    Location:
    Europe, UE citizen
    Thank you. You mean that to restore a previous system image doesn't delete the backdoor ? Or it depends by which sector are overwritten from the image ?
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,818
    Location:
    Under a bushel ...
  6. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    6,114
    https://forum.piriform.com/index.php?showtopic=48869&page=4#entry286566
     
  7. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,427
    Location:
    Paris
    BK- Paul is correct. Note that the true beauty (or Horror, depending on your perspective) is the built in delay (sleep) function. When the malicious Ccleaner is originally installed everything is Unicorns and Rainbows initially. Even an Outbound firewall will only alert to a legitimate (ping) connection to Piriform. And if that connection is accepted (why would you not?) you are screwed as everything subsequent to that will be allowed.

    The issue is that in about 10 minutes the reg entries will be dropped which will result in the connection to the malware C&C. As a person would have already OK's outbound connections for CCleaner when everything was legitimate, the additional malicious connection will proceed without issue. Further, the delayed reg entry creation wouldn't be monitored either, as one would have already acknowledged CCleaner as being safe.

    But please understand that this malware is high quality and targeted. It's not meant to be an info stealer for the likes of you and me, but instead a backdoor to upload malware to somewhere specific. For instance, if I wanted to penetrate American Express, I would have knowledge of what security solution AE had, and already beta tested malware against that protection and found it to be undetectable. Thus a simple matter of uploading that malware and owning a multi-billion dollar organization.

    But to the matter of restoring an image for the home user- this suggestion is being made by those with no Fxxxxxg idea of what is going on, for whatever the malware was built to do it would have already done.
     
  8. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,992
    Location:
    Europe, UE citizen
    CS. Thank you, you explanation is very clear. I'm not very afraid, it's basically an occasion to understand - or to revise - my security knowledge. So, during CCleaner installing my fw indeed give to me an alert for a ping connection to Piriform: as usual i do, I allowed once, and after the installation I blocked CCleaner on the fw, as always I do with my application except my security softwares ( but never cloud, neither for them ). So, hypothetically, if I was - not so easy, I'm a common home user :D - a target of the malware authors, their backdoor couldn't to connect outbound, or it could using svchost.exe for example ?
     
  9. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,546
    Of course I have no ******* idea of what is going on, and I don´t care either. When things are so confusing and the "experts" don´t agree (delete this or that Registry key, etc.), my default action is to restore an image and move on. It takes 3.5 minutes in my case (slow system, USB external disk, no SSD). Windows 10 updated itself in about 20 minutes. I did this on day one, when the problem was reported. And, BTW, I installed the new CCleaner version, see no reason to stop using it right now.

    As for the damage already done if some info was stolen, it´s a somewhat irrelevant argument, since nothing can be done about it. Besides that, who says the malware can only operate once, the "experts"?
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,427
    Location:
    Paris
    Blackie- Excellent question! if during the installation process you block CCleaner from the ping, not only will you not get the connection request to Blackhat Central but you won't even get the registry drop (another reason why I keep Pleading for folks to use an Outbound alerting Firewall and to use it properly!).

    Robin- remember that this could be used to upload a zero-day script to a system (it's not by any means an info stealer by itself!). That only has to be done once.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,480
    Location:
    The Netherlands
    On my system, apps like CCleaner don't have outbound access. And anti-executable/white-listing would block any malware from running that's downloaded to disk. If the payload is in-memory only, HIPS should be able to block abnormal behavior like code injection and read/write access to certain files/folders.
     
  12. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,427
    Location:
    Paris
    Rasheed- If you prevented CCleaner from running at all obviously you will be protected (but here you never would have installed it anyway). But if you allowed it you are screwed. There is no code injection or any other abnormal activity other than a legitimate process connecting out.
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,671
    Location:
    Mexico
    I suppose you are talking about ccleaner.exe process calling out, right?
    If so, I had since before that exe blocked by my firewall.

    Still it dropped in the registry the following subkeys without values:
    Code:
    x86
    HKEY_LOCAL_MACHINE\Software\Piriform\Agomo
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf
    
    x64
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf
    
    I believe Floxif prepared the registry to drop more stuff as soon it could get its outbound connection.
     
    Last edited: Sep 23, 2017
  14. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,427
    Location:
    Paris
    X- Blocking the things (Ping, connection to Piriform, etc) during installation will stop all malicious stuff. Just blocking CCLeaner AFTER installation will still block the connection to the malware C&C but will not block the creation of the reg entries as you point out.
     
  15. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,254
    @cruelsister Saw your YouTube earlier today about CCleaner. Excellent stuff. I do wish you would talk though. :)
     
  16. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,153
    is a valid path, not created by ccleaner - or ccleaner has been infected since 2012.
    \agomo not created by portable
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,671
    Location:
    Mexico
    Of course it is. I always use portable version since... wait, 5 or 6 months back?
    Remember, Floxif code is embedded in ccleaner.exe.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,903
    Location:
    U.S.A.
    Believe this is correct. The CCleaner installer would be needed to give the permissions needed to create the rest of the backdoor components. However, does not the portable ver. create reg. keys such as the UAC bypass key CCleaner uses?
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    3,671
    Location:
    Mexico
    How can you explain my case? I'm using portable one.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,903
    Location:
    U.S.A.
    I edited my posting since I do believe the portable ver. does create reg. keys.
     
  21. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    13,343
    Location:
    UK
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    12,896
    Location:
    Here
    Since it's not a case of infected installer but infected main binary it's only logical that all releases were affected (since they use same binary for all releases).
     
    Last edited: Sep 24, 2017
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,903
    Location:
    U.S.A.
    One thing @cruelsister video clearly shows is the "delay timing" feature of the malware. This was obviously to bypass heuristic, behavior, and sandbox analysis. The only way this could have been detected is if you had a firewall rule that only allowed connections to known Piriform server IP addresses.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,480
    Location:
    The Netherlands
    I'm not following you, who's talking about not running an infected CCleaner? In this particular case, the attack could have been easily stopped by simply blocking CCleaner from connecting out. I never auto-update apps, so there is no need for most apps to connect out. It can collect all the info it wants, or try to download another payload (disk-based or in-memory) but it won't work if network access is blocked.

    Now let's say the payload is somehow downloaded (firewall bypass), then it still can be blocked from running with anti-executable. If the payload would have been in-memory ransomware, then the only thing that could block it is anti-ransomware wit behavioral monitoring, as offered by HMPA, AppCheck and RansomOff. But the key is not blindly trusting apps and their child processes.
     
  25. Cache

    Cache Registered Member

    Joined:
    May 20, 2016
    Posts:
    429
    Just been looking at FileHippo and guess what's top of the pops!

    Ccleaner.PNG
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.