Discussion in 'other security issues & news' started by stapp, Sep 18, 2017.
Technical info of suspicious server activity here
.... and once a company lands in the hands of a security company.... all bells and alarms start to go off ....
Time to protect yourself !!!!! You are in DANGER !!!!! Protect yourself ASAP !!!
Cisco's Talos Intelligence Group Blog:
CCleanup: A Vast Number of Machines at Risk
"Affected systems need to be restored to a state before August 15, 2017 or reinstalled."
Luckily it seems that the additional payload was not downloaded. I can't imagine what would happen if hundreds of millions of computers got infected by some kind of crypto malware.
The Cisco Talos report does not seem to mention that only 32-bit Windows was affected ...
Is there some way of determining if one has been affected?
I have a 64-bit Win 10 machine, but I'd rather have run an ESET scan anyway; it came back with a clean result.
You can check for this registry key presence: HKLM\SOFTWARE\Piriform\Agomo
Thanks! Luckily nothing found.
The press release is a bit too much "nothing to see here, we've got it under control". The fact is that the altered installer was only discovered by outsiders, and there is no guarantee that more installers were not altered in some other way not similar to this. Secondly, they still haven't determined how this happened, and since the altered installer was digitally signed with a valid Piriform certificate, the attackers had to have deep access to the developers' systems. And possibly they still have access.
A child company of a security company getting compromised like this; heads are gonna roll..
The fears of many people about signed malware just came true; thinking of disabling "trust signed programs" in KIS.
Uninstalled from all machines... permanently.
I have extracted the portable version (ccsetup533.zip) (and the installer) which I downloaded on 15 August, and it includes the affected file. Exactly the hash mentioned in the blog (#4) ("Indicators of Compromise (IOCs)").
There are 8 detections on VT now
What's disturbing is that the file is digitally signed ...
I didn't like the new flat look of the '5' series of CCleaner so I'm still on ver 4.19 - sometimes it pays to stay put with what you like.
The installer is a single one for 32-bit and 64-bit, so how can one be sure that 64-bit is safe? And beyond the registry key check, what other measures can be used to check the system? Is a good AV scan enough? Better to also use an anti-rootkit such as PcHunter or PowerTool, I think.
Just a little bit more info here....
I stopped using CCleaner a while ago. Looks like I made the right move.
I have this key on my Windows 8.1 x86.
No clean system backup in this case.
Not planning to reinstall anything. My installation has many tweaks, spent great amount of time on it.
I have to check my system.
I will never use CCleaner again!
Are we sure that the computer is infected only if we have this key HKLM\SOFTWARE\Piriform\Agomo?
Craig Williams writes:
My current version is 5.34.6207 64-bit, but previously I had 5.33 (64-bit). I don't have that key, and the scans with PcHunter and PowerTool were negative. But I'd like to be more sure. Anyway, I reinstalled recently, and the only system disk image from before August 15, 2017 is primordial.
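Pulling together the registry-key check posted earlier and the questions about what else to look at on a 64-bit install: the script below is an added example, not code from this thread, from Piriform or from Talos. It is read-only and meant to be run from an elevated PowerShell prompt. It tests for the HKLM\SOFTWARE\Piriform\Agomo key, then lists any installed CCleaner binaries with their file version, Authenticode status and SHA-256 so the output can be compared by hand against the IOC hashes in the Talos blog. The install paths and executable names (CCleaner.exe / CCleaner64.exe under Program Files) are assumptions; the only indicators the thread itself names are the Agomo key and the 5.33 release.

```powershell
# Added example: read-only check for the CCleaner 5.33 indicators discussed
# in the thread. Not the thread's, Piriform's or Talos' own code.
# Assumptions: default install directory under Program Files and the
# executable names CCleaner.exe / CCleaner64.exe.

$findings = @()

# 1. The registry key named in the thread. PowerShell exposes HKLM as a drive.
$agomoKey = 'HKLM:\SOFTWARE\Piriform\Agomo'
if (Test-Path -Path $agomoKey) {
    $findings += "Registry key present: $agomoKey"
    # Dump whatever values live under the key so the report is complete.
    Get-ItemProperty -Path $agomoKey |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List | Out-String | Write-Host
} else {
    Write-Host "Registry key absent: $agomoKey"
}

# 2. Installed binaries: version, signature status and SHA-256.
#    On 32-bit Windows ProgramFiles(x86) is undefined; that path simply
#    fails Test-Path and is skipped.
$candidates = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "$env:ProgramFiles\CCleaner\CCleaner64.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
) | Sort-Object -Unique

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $vi   = (Get-Item -LiteralPath $path).VersionInfo
    $ver  = $vi.FileVersion
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status

    Write-Host ("{0}`n  version   {1}`n  signature {2}`n  sha256    {3}" -f $path, $ver, $sig, $hash)

    # The thread identifies 5.33 as the affected release. Compare the numeric
    # parts rather than the string, since vendors format FileVersion differently.
    # A 'Valid' signature does NOT clear the file: the tampered build was
    # signed with a genuine Piriform certificate.
    if ($vi.FileMajorPart -eq 5 -and $vi.FileMinorPart -eq 33) {
        $findings += "Affected release installed: $path ($ver) - compare sha256 against the Talos IOC list"
    }
}

# 3. Summary. An empty list means none of the checked indicators were found,
#    not that the machine is proven clean; the IOC list is the authority.
if ($findings.Count -eq 0) {
    Write-Host "No CCleaner 5.33 indicators found (Agomo key absent, no 5.33 binary)."
} else {
    Write-Host "Indicators found:"
    $findings | ForEach-Object { Write-Host "  $_" }
}
```

Note that the SHA-256 is printed rather than matched against a hardcoded value on purpose: the hashes belong in the Talos IOC list, which may be updated, and comparing by hand avoids baking a possibly stale value into the check. Hashing both CCleaner.exe and CCleaner64.exe also answers the 32-bit vs 64-bit question in the simplest way, by showing what is actually on disk.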