Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

Discussion in 'other security issues & news' started by stapp, Sep 18, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Depends on who issued the cert. If it's from Let's Encrypt, forget it. Next in line are Comodo certs. And even Symantec certs are suspect.
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    And there seems to be no way to set Dropbox to update manually.

    As well as some of the Google stuff?
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Then we are facing a huge problem about distrust. So what's left?
    Do you have references for your claims?
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Elaborate your question please.
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Like Google Drive, Google Backup and Sync, etc. - don't they update themselves automatically, in the background?
     
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Yes, they do it in the background, so a MITM attack or hacked servers/binaries is scary in those scenarios. You are assuming it's safe, but I don't think so. I'd rather go and download the installer or portable binaries.
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    No, I don't think it's safe ... I prefer to update everything manually, so I was wondering if there was a way of doing that with those Google services, but especially Dropbox.

    Do you somehow stop the auto-updating for those? How?
     
  8. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    For Google programs, block googleupdate.exe using either an anti-exe, AppGuard or a firewall; hey, you can even use all three. lol

    To update manually I guess you've seen my posts here on Google Chrome updates, have you?
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks. Obvious, now that I know :).
    I looked in this thread, but can you point me to these? I am a Firefox user, but I do have Chrome on my systems.
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This article pre-dates the inception of the free cert. issuers like Let's Encrypt that have made this much worse:

    Why You Shouldn’t Completely Trust Files Signed with Digital Certificates

    https://securelist.com/why-you-shou...files-signed-with-digital-certificates/68593/

    Banking Trojans like Zeus are notorious for using stolen certs. to sign their code.

    Here is a recent article on MITM: https://www.ssh.com/attack/man-in-the-middle
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    @itman

    Thanks for sharing this interesting information.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    In light of this CCleaner attack, this is how a signed infected update could be delivered, as noted in the previously posted Kaspersky link:
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Then what way would there be?
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    In regards to the CCleaner incident, it would be tough to do. If you sandboxed it, you wouldn't see the remote connection since it was delayed activity. Best method would be detailed outbound firewall monitoring of all connections. And that is not foolproof since a compromised update server could just download the malware from there.
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I am not particularly concerned that I may have been breached in the CCleaner incident. I don't believe I was, and in that case Average Joe was not the target.

    But increasingly (reading above), I fear that we are all doomed! :D:eek::(:cautious:

    Even checking hashes, how can one be certain what one is checking against is right? I do a lot of downloads, mainly portable, and can't be bothered to check every one.

    Anyways, I plod on.
     
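The post above asks how a heavy downloader can check hashes without checking every file by hand. As an added example (not code from the original thread or from any of the vendors mentioned), the PowerShell below verifies a whole download folder against a SHA256SUMS-style manifest in one pass. The manifest format, the file names and the sample contents are constructed for the demo; the function names are assumptions. It does not answer the other half of the question (whether the digest you compare against is itself trustworthy): a manifest fetched from the same server that served a swapped binary proves nothing, so the manifest should come from a separate channel such as a vendor PGP-signed release note or a second mirror.

```powershell
# Added example: verify downloaded files against a SHA-256 manifest (SHA256SUMS style).
# Manifest lines look like:  <64 hex chars>  <filename>   (an optional '*' before the name is tolerated)
# The manifest must be obtained independently of the download server for the check to mean anything.

function Test-DownloadManifest {
    param(
        [Parameter(Mandatory)] [string] $ManifestPath,   # path to the SHA256SUMS-style file
        [Parameter(Mandatory)] [string] $DownloadDir     # folder holding the downloaded files
    )
    $results = @()
    foreach ($line in Get-Content -LiteralPath $ManifestPath) {
        # skip blank lines and comments; $Matches is populated when -notmatch finds a match
        if ($line -notmatch '^\s*([0-9A-Fa-f]{64})\s+\*?(.+?)\s*$') { continue }
        $expected = $Matches[1].ToLowerInvariant()
        $name     = $Matches[2]
        $file     = Join-Path $DownloadDir $name
        if (-not (Test-Path -LiteralPath $file)) {
            $results += [pscustomobject]@{ File = $name; Status = 'MISSING'; Expected = $expected; Actual = $null }
            continue
        }
        $actual = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash.ToLowerInvariant()
        $status = if ($actual -eq $expected) { 'OK' } else { 'MISMATCH' }
        $results += [pscustomobject]@{ File = $name; Status = $status; Expected = $expected; Actual = $actual }
    }
    return $results
}

# Constructed demo data: one genuine file, one "swapped on the server" file, one entry never downloaded.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ('hashdemo_' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
Set-Content -LiteralPath (Join-Path $tmp 'good.exe')     -Value 'harmless sample content'      -NoNewline
Set-Content -LiteralPath (Join-Path $tmp 'tampered.exe') -Value 'content swapped on the server' -NoNewline
$goodHash = (Get-FileHash -LiteralPath (Join-Path $tmp 'good.exe') -Algorithm SHA256).Hash
@(
    "$goodHash  good.exe",
    ('0' * 64) + '  tampered.exe',          # digest that will not match the file on disk
    ('1' * 64) + '  never-downloaded.exe'   # listed in the manifest but absent locally
) | Set-Content -LiteralPath (Join-Path $tmp 'SHA256SUMS')

$report = Test-DownloadManifest -ManifestPath (Join-Path $tmp 'SHA256SUMS') -DownloadDir $tmp
$report | Format-Table -AutoSize
if ($report | Where-Object Status -ne 'OK') { Write-Warning 'Do not run anything whose status is not OK.' }
Remove-Item -LiteralPath $tmp -Recurse -Force
```

Point the function at a real download folder and manifest and act only on rows whose Status is OK. Anything MISMATCH is either corrupt or swapped; MISSING means the manifest promises a file you never received.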
  19. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Paul- This is close to the Nightmare Scenario and is a true horror. Understand (and I can't say this enough) that the Blackhats had control of both the Private Key to sign as well as the FTP credentials to upload the malicious file. Consider if this had been a browser- A person downloads a seemingly valid application (malware signed by the Blackhats) from a legitimate corporate website (to where it was uploaded by the Blackhats). No amount of monitoring would save you.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Will at least try to stay humble (your sig ;)).
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Then why not stop installing third party apps altogether? Why use Chrome/Firefox if Edge is good enough? I've checked out the Windows disk cleaner and it's pretty basic. I think you get my point. And I'm not even a fan of CCleaner, but it's a handy tool that you use once a week/month, just like so many other apps.

    My point is that it's better to use a third party "app-update" checker, this way you can block outbound access of apps that don't need the web in order to function, this measure alone will block similar attacks.

    Totally forgot to mention that it's also important to restrict apps from getting read/write access to important data. You can use a file/folder protection tool like Secure Folders for this. This would have also blocked this attack, especially because the goal of the malware was probably to steal important data from all of these companies.

    http://www.softpedia.com/get/Security/Security-Related/Secure-Folders.shtml
     
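Posts 8 and 21 both describe the same measure: deny outbound network access to programs that do not need it (googleupdate.exe in post 8, "apps that don't need the web in order to function" in post 21) so that a backdoored build cannot call home. As an added example that is not from the original thread, the PowerShell below creates per-program outbound block rules in Windows Defender Firewall with the built-in NetSecurity cmdlets and then lists them for verification. The executable paths are assumptions (installer defaults vary by version and architecture); it must run in an elevated prompt on Windows 8 / Server 2012 or later.

```powershell
# Added example: block outbound traffic for programs that should never talk to the network.
# Run as Administrator. Paths below are assumed defaults; adjust them to the actual install.
$programsToBlock = @(
    'C:\Program Files\CCleaner\CCleaner64.exe',              # assumed path
    'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe'  # assumed path (post 8 names googleupdate.exe)
)

function Block-OutboundForProgram {
    param([Parameter(Mandatory)] [string] $Path)
    $name = 'Block outbound - ' + (Split-Path -Leaf $Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Skipping $Path (not found)"
        return
    }
    # Idempotent: do not create a duplicate rule on a second run
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already exists: $name"
        return
    }
    # A Block rule wins over Allow rules for the same program, and applies in every profile.
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
        -Program $Path -Profile Any -Enabled True | Out-Null
    Write-Host "Created: $name"
}

foreach ($p in $programsToBlock) { Block-OutboundForProgram -Path $p }

# Verify: show each block rule together with the program it is bound to.
Get-NetFirewallRule -DisplayName 'Block outbound - *' | ForEach-Object {
    $app = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program; Enabled = $_.Enabled; Action = $_.Action }
} | Format-Table -AutoSize
```

Two caveats that follow from the thread itself: the rule is keyed on the executable path, so a program that launches a helper (an updater service, a browser) to fetch content is not covered by a rule on the parent alone; and, as itman notes in post 17, a compromised update server delivering the payload through a legitimately allowed updater is not stopped by this at all. Remove a rule with Remove-NetFirewallRule -DisplayName 'Block outbound - <name>' when the program genuinely needs the network again.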
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    https://threatpost.com/inside-the-ccleaner-backdoor-attack
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks for the link. Says it all.
     
  24. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Well, today I restored - for other reasons - a system image from last July; the CCleaner version is 5.30. I have always blocked the internet connection of all my applications, except some security software, so we'll see (maybe in the near future someone will find that older CCleaner versions are also affected).
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Worth noting is this comment to the Threatpost article:
    Obviously, removing the infected ver. of CCleaner in this instance appears not to have eliminated the backdoor. Or, contrary to reports, subsequent backdoors were installed on non-high-value targets, contrary to what has been publicly posted.

    The problem is the detailed investigation for the most part is being done by Avast which has a vested interest to minimize the attack's impact thereby reducing its legal liability.
     
    Last edited: Oct 7, 2017