Discussion in 'other software & services' started by anon, Nov 25, 2014.
+1, not from pre-Aug 15 anyway (Macrium GFS schedule issue). Also thanks @cruelsister.
CCleanerSkipUAC is a valid function of CCleaner - of course it wants to gain admin rights to do its job. And in fact CCleaner x64 was also affected, not only x86.
Regular people act as normal until impact. Then they get panicked. After a while it will get "regular" again.
In the last few days I had a computer here which did not have any backup - it crashed after a Windows update for no reason and the system drive was messed up. We had to recover and install from scratch. Glad that user only does light email/browsing/office and personal data was kept on drive D - there was not much loss. But now we have a clean backup. I had a major issue here - drivers. Win7 all fine, but Windows 10 has trouble with a turned video cam - either a Win10-compatible driver and an upside-down image, or a proper image and a driver that is not Win10 compatible.
BK- Nothing would detect this one, except by monitoring outbound connections via a Monitor and understanding what occurs. Stuff like this is nastier than one can imagine, and remediation like doing a re-imaging of the system is like closing the barn door when the horses are already running wild.
Thank you. You mean that restoring a previous system image doesn't delete the backdoor? Or does it depend on which sectors are overwritten from the image?
I think it may delete the backdoor but your info has already been stolen.
She has a further comment here: https://malwaretips.com/threads/wha...nd-other-software-programs.75645/#post-673862
BK- Paul is correct. Note that the true beauty (or Horror, depending on your perspective) is the built-in delay (sleep) function. When the malicious CCleaner is originally installed everything is Unicorns and Rainbows initially. Even an Outbound firewall will only alert to a legitimate (ping) connection to Piriform. And if that connection is accepted (why would you not?) you are screwed as everything subsequent to that will be allowed.
The issue is that in about 10 minutes the reg entries will be dropped which will result in the connection to the malware C&C. As a person would have already OK'd outbound connections for CCleaner when everything was legitimate, the additional malicious connection will proceed without issue. Further, the delayed reg entry creation wouldn't be monitored either, as one would have already acknowledged CCleaner as being safe.
But please understand that this malware is high quality and targeted. It's not meant to be an info stealer for the likes of you and me, but instead a backdoor to upload malware to somewhere specific. For instance, if I wanted to penetrate American Express, I would have knowledge of what security solution AE had, and already beta tested malware against that protection and found it to be undetectable. Thus a simple matter of uploading that malware and owning a multi-billion dollar organization.
But to the matter of restoring an image for the home user- this suggestion is being made by those with no Fxxxxxg idea of what is going on, for whatever the malware was built to do it would have already done.
CS. Thank you, your explanation is very clear. I'm not very afraid, it's basically an occasion to understand - or to revise - my security knowledge. So, during CCleaner installation my firewall indeed gave me an alert for a ping connection to Piriform: as I usually do, I allowed it once, and after the installation I blocked CCleaner on the firewall, as I always do with my applications except my security software (but never cloud, not even for them). So, hypothetically, if I was - not so easy, I'm a common home user - a target of the malware authors, their backdoor couldn't connect outbound, or could it, using svchost.exe for example?
Of course I have no ******* idea of what is going on, and I don't care either. When things are so confusing and the "experts" don't agree (delete this or that Registry key, etc.), my default action is to restore an image and move on. It takes 3.5 minutes in my case (slow system, USB external disk, no SSD). Windows 10 updated itself in about 20 minutes. I did this on day one, when the problem was reported. And, BTW, I installed the new CCleaner version, see no reason to stop using it right now.
As for the damage already done if some info was stolen, it's a somewhat irrelevant argument, since nothing can be done about it. Besides that, who says the malware can only operate once, the "experts"?
Blackie- Excellent question! If during the installation process you block CCleaner from the ping, not only will you not get the connection request to Blackhat Central but you won't even get the registry drop (another reason why I keep Pleading for folks to use an Outbound alerting Firewall and to use it properly!).
Robin- remember that this could be used to upload a zero-day script to a system (it's not by any means an info stealer by itself!). That only has to be done once.
On my system, apps like CCleaner don't have outbound access. And anti-executable/white-listing would block any malware from running that's downloaded to disk. If the payload is in-memory only, HIPS should be able to block abnormal behavior like code injection and read/write access to certain files/folders.
Rasheed- If you prevented CCleaner from running at all obviously you will be protected (but here you never would have installed it anyway). But if you allowed it you are screwed. There is no code injection or any other abnormal activity other than a legitimate process connecting out.
I suppose you are talking about ccleaner.exe process calling out, right?
If so, I had since before that exe blocked by my firewall.
Still it dropped in the registry the following subkeys without values:
I believe Floxif prepared the registry to drop more stuff as soon it could get its outbound connection.
X- Blocking the things (Ping, connection to Piriform, etc) during installation will stop all malicious stuff. Just blocking CCleaner AFTER installation will still block the connection to the malware C&C but will not block the creation of the reg entries as you point out.
@cruelsister Saw your YouTube earlier today about CCleaner. Excellent stuff. I do wish you would talk though.
is a valid path, not created by ccleaner - or ccleaner has been infected since 2012.
\agomo not created by portable
Of course it is. I always use portable version since... wait, 5 or 6 months back?
Remember, Floxif code is embedded in ccleaner.exe.
Believe this is correct. The CCleaner installer would be needed to give the permissions needed to create the rest of the backdoor components. However, does not the portable ver. create reg. keys such as the UAC bypass key CCleaner uses?
How can you explain my case? I'm using portable one.
I edited my posting since I do believe the portable ver. does create reg. keys.
According to Piriform
Since it's not a case of infected installer but infected main binary it's only logical that all releases were affected (since they use same binary for all releases).
One thing @cruelsister video clearly shows is the "delay timing" feature of the malware. This was obviously to bypass heuristic, behavior, and sandbox analysis. The only way this could have been detected is if you had a firewall rule that only allowed connections to known Piriform server IP addresses.
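Added example (not code from this thread, from Piriform or from any firewall product): a small audit that implements the rule described in this post and in cruelsister's earlier explanation of the delayed C&C connection. It reads firewall-style outbound connection lines, keeps a per-process allowlist of known vendor addresses, and reports any other destination an allowlisted process reaches, together with how long after that process's first connection it happened. The log format, the allowlist addresses and the sample lines are all constructed for the example.

```python
"""Flag outbound connections from an allowlisted process to hosts not on
its allowlist, noting how long after the first (legitimate) connection
they occur. Log format, addresses and sample lines are constructed."""
from datetime import datetime, timedelta

# Constructed allowlist: addresses an admin has verified as the vendor's.
VENDOR_ALLOWLIST = {"ccleaner64.exe": {"203.0.113.10"}}

# Constructed log lines: "<ISO time> <process> <dst_ip>:<dst_port> <verdict>"
SAMPLE_LOG = """\
2017-09-18T10:00:05 ccleaner64.exe 203.0.113.10:443 allowed
2017-09-18T10:00:06 chrome.exe 198.51.100.7:443 allowed
2017-09-18T10:10:41 ccleaner64.exe 192.0.2.55:443 allowed
2017-09-18T10:11:02 ccleaner64.exe 192.0.2.55:443 allowed
"""


def parse_line(line):
    """Split one constructed log line into a dict."""
    ts, proc, dst, verdict = line.split()
    ip, port = dst.rsplit(":", 1)
    return {"time": datetime.fromisoformat(ts), "proc": proc,
            "ip": ip, "port": int(port), "verdict": verdict}


def find_offlist_connections(log_text):
    """Return (process, ip, seconds_after_first_connection) for each
    allowlisted process that reaches a host outside its allowlist.
    Each (process, ip) pair is reported once, on its first occurrence."""
    first_seen = {}     # process -> time of its first logged connection
    reported = set()
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e["proc"] not in VENDOR_ALLOWLIST:
            continue    # only audit processes we wrote explicit rules for
        first_seen.setdefault(e["proc"], e["time"])
        key = (e["proc"], e["ip"])
        if e["ip"] in VENDOR_ALLOWLIST[e["proc"]] or key in reported:
            continue
        since_first = e["time"] - first_seen[e["proc"]]
        reported.add(key)
        findings.append((e["proc"], e["ip"],
                         int(since_first.total_seconds())))
    return findings


if __name__ == "__main__":
    for proc, ip, secs in find_offlist_connections(SAMPLE_LOG):
        print(f"{proc} -> {ip} ({timedelta(seconds=secs)} after first connection)")
```

The delay field is what makes the finding useful for triage: a new destination appearing ten minutes after the one-time vendor check, as described above, is exactly what a one-shot "allow this app" decision or a short sandbox run would miss.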
I'm not following you, who's talking about not running an infected CCleaner? In this particular case, the attack could have been easily stopped by simply blocking CCleaner from connecting out. I never auto-update apps, so there is no need for most apps to connect out. It can collect all the info it wants, or try to download another payload (disk-based or in-memory) but it won't work if network access is blocked.
Now let's say the payload is somehow downloaded (firewall bypass), then it still can be blocked from running with anti-executable. If the payload would have been in-memory ransomware, then the only thing that could block it is anti-ransomware with behavioral monitoring, as offered by HMPA, AppCheck and RansomOff. But the key is not blindly trusting apps and their child processes.
Just been looking at FileHippo and guess what's top of the pops!