Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

Discussion in 'other security issues & news' started by stapp, Sep 18, 2017.

  1. stapp

    stapp Global Moderator

    http://www.piriform.com/news/releas...eaner-cloud-v1073191-for-32-bit-windows-users

     
  2. stapp

    stapp Global Moderator

  3. DOSawaits

    DOSawaits Registered Member

    .... and once a company lands in the hands of a security company.... all bells and alarms start to go off ....
    Time to protect yourself !!!!! You are in DANGER !!!!! Protect yourself ASAP !!!
     
  4. Stupendous Man

    Stupendous Man Registered Member

  5. Minimalist

    Minimalist Registered Member

    Luckily it seems that additional payload was not downloaded. I can't imagine what would happen if 100s of millions of computers got infected by some kind of crypto malware.
     
  6. paulderdash

    paulderdash Registered Member

    The Cisco Talos report does not seem to mention that only 32-bit Windows was affected ...

    Is there some way of determining if one has been affected?
     
  7. pegas

    pegas Registered Member

    I have a 64bit Win 10 machine but I rather have run ESET scanning with a clean result.
     
  8. Minimalist

    Minimalist Registered Member

    You can check for this registry key presence: HKLM\SOFTWARE\Piriform\Agomo
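
The registry check suggested in the post above, as an added PowerShell example that is not part of the original post or of any vendor tooling. It opens the 32-bit and 64-bit registry views explicitly, because a 32-bit process on 64-bit Windows has its HKLM\SOFTWARE access redirected to WOW6432Node. The function name `Test-AgomoKey` and its `ComputerName` parameter are hypothetical, and remote hosts are assumed to run the Remote Registry service.

```powershell
# Added example: look for the HKLM\SOFTWARE\Piriform\Agomo key named in this thread.
# Both registry views are opened explicitly so the result does not depend on
# whether this shell is a 32-bit or a 64-bit process.
function Test-AgomoKey {
    param(
        # Hypothetical parameter: hosts to query (defaults to the local machine).
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    $subKey = 'SOFTWARE\Piriform\Agomo'
    $hive   = [Microsoft.Win32.RegistryHive]::LocalMachine
    $views  = @([Microsoft.Win32.RegistryView]::Registry32,
                [Microsoft.Win32.RegistryView]::Registry64)

    foreach ($computer in $ComputerName) {
        foreach ($view in $views) {
            $base = $null
            $key  = $null
            try {
                if ($computer -eq $env:COMPUTERNAME) {
                    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
                } else {
                    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $computer, $view)
                }
                $key = $base.OpenSubKey($subKey)   # $null when the key is absent
                [pscustomobject]@{
                    Computer   = $computer
                    View       = $view
                    KeyPresent = ($null -ne $key)
                    ValueNames = if ($key) { $key.GetValueNames() -join ', ' } else { '' }
                    Error      = ''
                }
            } catch {
                # Unreachable host or access denied: report it, do not read it as "clean".
                [pscustomobject]@{ Computer = $computer; View = $view; KeyPresent = $null
                                   ValueNames = ''; Error = $_.Exception.Message }
            } finally {
                if ($key)  { $key.Dispose() }
                if ($base) { $base.Dispose() }
            }
        }
    }
}

Test-AgomoKey | Format-Table -AutoSize
```

On a 32-bit operating system both views resolve to the same key, so two identical rows are expected there.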
     
  9. pegas

    pegas Registered Member

    Thanks! Luckily nothing found.
     
  10. paulderdash

    paulderdash Registered Member

    +1
     
  11. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    The press release is a bit too much of nothing to see here, we've got it under control. Fact is the altered installer was only discovered by outsiders and there is no guarantee more installers were altered in another way not similar to this. Secondly, they still haven't determined how this happened and since the altered installer was digitally signed by a valid Piriform certificate, the attackers had to have deep access to the developers' systems. And possibly they still have access.
     
  12. paulderdash

    paulderdash Registered Member

    Good points.
     
  13. mekelek

    mekelek Registered Member

    child company of a security company getting compromised like this, heads are gonna roll..
    the fears of many people about signed malware just came true, thinking of disabling "trust signed programs" in KIS.
     
  14. xxJackxx

    xxJackxx Registered Member

    Uninstalled from all machines... permanently.
     
  15. mood

    mood Updates Team

    I have extracted the portable version (ccsetup533.zip) (and installer) which I have downloaded on the 15th August and it includes the affected file. Exactly the hash which was mentioned in the blog (#4) ("Indicators of Compromise (IOCS)")
    There are 8 detections on VT now :cautious:

    Disturbing is, that the file is digitally signed ...
     
  16. ghodgson

    ghodgson Registered Member

    I didn't like the new flat look of the '5' series of CCleaner so I'm still on ver 4.19 - sometimes it pays to stay put with what you like.
     
  17. blacknight

    blacknight Registered Member

    The installer is one for 32-bit and 64-bit, so how to be sure that 64-bit is safe? And over the registry key check, while other measures to use to check the system? Is a good AV scan enough? Better to use also an antirootkit as PcHunter or PowerTool I think.
     
  18. stapp

    stapp Global Moderator

  19. PEllis

    PEllis Guest

    I stopped using CCleaner a while ago. Looks like I made the right move.
     
  20. itman

    itman Registered Member

    https://www.bleepingcomputer.com/ho...dent-what-you-need-to-know-and-how-to-remove/
     
  21. itman

    itman Registered Member

    Same here.
     
  22. Mr.X

    Mr.X Registered Member

    I got this key in my Windows 8.1 x86 :mad:
    No clean system backup in this case. :cautious:

    Not planning to reinstall anything. My installation has many tweaks, spent great amount of time on it.
     
  23. mantra

    mantra Registered Member

    hi
    i have to check my system
    i will never use ccleaner again!
    are we sure only if we have this key HKLM\SOFTWARE\Piriform\Agomo, the computer is infected?
    thanks
     
  24. Sampei Nihira

    Sampei Nihira Registered Member

    Craig Williams writes:

     
  25. blacknight

    blacknight Registered Member

    My actual version is 5.34.6207 64-bit, but previously I had the 5.33 v. (64-bit). I have not that key and the scan with PcHunter and PowerTool was negative. But I'd like to be more sure. Anyway, I reinstalled recently, and the only disk system before August 15 2017 is primordial :D.
     