Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

Discussion in 'other security issues & news' started by stapp, Sep 18, 2017.

  1. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    18,801
    Location:
    UK
    I am not a Twitter user either :)
    The info pops up when you click on the link.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,430
    Location:
    U.S.A.
    It is understandable that people are in a "state of denial" over this. Again, read the Cisco blog posting on what the malware does. Next, realize this malware has been sitting on your device for a month and your "worst fears" have been manifested. Then do what Cisco recommends which I posted previously.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,648
    Location:
    Slovenia, EU
    So far there is not much info. The Cisco report shows that the malware included in that version collects some data and sends it to some servers that were apparently taken down. There was no additional malware downloaded and run and no autorun entries added to the system. So the malware runs only while CCleaner (the older version) is running. As soon as CCleaner is updated, the infection is more or less gone. At least that's how I read their analysis.
    I will wait for some more information.
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,755
    Location:
    DC Metro Area
    While practically speaking that is correct because action has been taken to defeat the malware's communicating with its server, technically speaking it is not correct. It appears that the now ineffective backdoor would still remain:

    https://www.wilderssecurity.com/thr...-bit-windows-users.396778/page-2#post-2706896

    https://www.wilderssecurity.com/thr...-bit-windows-users.396778/page-2#post-2706889

    Virus Bulletin:

    "Malicious CCleaner update points to a major weakness in our infrastructure...

    ...it remains important for infected users to follow the advice from Cisco: reinstall machines or roll back to a previous version."

    https://www.virusbulletin.com/blog/...ate-points-major-weakness-our-infrastructure/
     
    Last edited: Sep 18, 2017
  5. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,881
    Hi,
    ESET detects only the old version of CCleaner, nothing else.
    I guess Malwarebytes is a good start; at least it scans the registry and all the files.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,648
    Location:
    Slovenia, EU
    You mean a DLL file that no process will load after updating CCleaner or something else?
     
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,755
    Location:
    DC Metro Area
  8. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,163
    Does 5.34 indeed remove the key that indicated the 5.33 infection?

    If true, how can you still discover whether your system was infected, if you already upgraded to 5.34 before this news was released?
     
  9. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,102
    OK, misunderstanding by me, sorry stapp.
     
  10. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    18,801
    Location:
    UK
    No problem FanJ :)
     
  11. Tom111

    Tom111 Registered Member

    Joined:
    Jun 26, 2014
    Posts:
    57
    I would really like to know this as well.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,648
    Location:
    Slovenia, EU
    I've tested it in VM and installing 5.34 over 5.33 doesn't remove that key. So it will probably be present on systems that got infected.
     
  13. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,413
    Location:
    Triassic
    Yes it does. One 32-bit system at my home had CCleaner 5.33.6162 installed and MBAM 3.1.2 found the trojan this morning. On installing 5.34 the registry key had been corrected. Ran another MBAM scan after that and it ran clean. I am still debating as to whether I should also go to a restore to be safe - according to Avast there is no other payload to be worried about.
     
  14. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,011
    Location:
    Canada
    I am running 5.34 and do not have that key; I can't say if it was present in the previous version.
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,648
    Location:
    Slovenia, EU
    I installed 5.33, waited 10 minutes and got a key. Then I updated to 5.34 (installed it over the top of the previous version) and the key is still there:

    [attached screenshot: upload_2017-9-18_21-14-25.png]
     
  16. Tom111

    Tom111 Registered Member

    Joined:
    Jun 26, 2014
    Posts:
    57
    So, Minimalist says no, but emmjay says yes. :confused:
     
  17. plat1098

    plat1098 Guest

  18. Tom111

    Tom111 Registered Member

    Joined:
    Jun 26, 2014
    Posts:
    57
    By running the 32-bit version, right?
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,648
    Location:
    Slovenia, EU
    Yes, it's a 32-bit OS, so only the 32-bit version was installed.
     
  20. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,413
    Location:
    Triassic
    According to Bleeping Computer, the malware also quit execution if the user was not using an administrator account. That may be the reason why users are experiencing different results.
     
  21. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,342
    Location:
    USN Retired 1969 ~ 1992
    Yep, same here. Uninstalling ALL Software from Piriform permanently.
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,809
    Yes, the key is still there.
    Additionally, the execution is delayed for at least 600 seconds, to evade analysis.
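A defender-side triage check along the lines of what this thread is doing by hand in VMs, written here as an added example (not code posted in the thread, and not anything published by Piriform, Avast or Cisco): it inventories installed CCleaner builds from the standard Windows uninstall registry keys, flags the two builds named in the thread title, and tests whether an indicator registry key is present regardless of the version now installed, since the thread reports the key survives an in-place upgrade to 5.34. The indicator key path is a labelled placeholder because the thread never spells out the key; the `CCleaner*` DisplayName match is an assumption about how the product registers itself in Add/Remove Programs.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# PLACEHOLDER: the thread does not name the indicator key; substitute the path
# given in the vendor/Cisco advisory before using this.
$IndicatorKey = 'HKLM:\SOFTWARE\PLACEHOLDER_VENDOR\PLACEHOLDER_INDICATOR_KEY'

# Builds named in the thread title (32-bit Windows only).
$AffectedBuilds = @{
    'CCleaner'       = [version]'5.33.6162'
    'CCleaner Cloud' = [version]'1.07.3191'
}

# Standard uninstall hives; WOW6432Node is absent on a 32-bit OS, hence SilentlyContinue.
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledCCleaner {
    # Assumption: the product's DisplayName begins with "CCleaner".
    Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.DisplayName
                Version = $_.DisplayVersion
            }
        }
}

function Test-AffectedBuild {
    param([string]$Name, [string]$Version)
    $parsed = $null
    # Unparseable version strings are reported as not matching rather than throwing.
    if (-not [version]::TryParse($Version, [ref]$parsed)) { return $false }
    foreach ($entry in $AffectedBuilds.GetEnumerator()) {
        if ($Name -like "$($entry.Key)*" -and $parsed -eq $entry.Value) { return $true }
    }
    return $false
}

$findings = foreach ($app in Get-InstalledCCleaner) {
    [pscustomobject]@{
        Product  = $app.Name
        Version  = $app.Version
        Affected = Test-AffectedBuild -Name $app.Name -Version $app.Version
    }
}

# Checked independently of the installed version: the thread reports the key
# persists after updating 5.33 -> 5.34 in place.
$indicatorPresent = Test-Path -Path $IndicatorKey

# Only 32-bit builds were affected; record the OS architecture for context.
$is64 = [Environment]::Is64BitOperatingSystem

$findings | Format-Table -AutoSize
"Indicator key present: $indicatorPresent"
"64-bit OS: $is64"

if ($indicatorPresent -or ($findings | Where-Object { $_.Affected })) {
    Write-Warning 'Affected build or indicator key found: follow the vendor/Cisco guidance (reinstall or roll back to a clean version) rather than relying on an in-place update.'
}
```

Because the indicator check is decoupled from the version check, a machine that was updated to 5.34 before the announcement still gets flagged if the key is present, which is the situation XIII and Tom111 ask about above.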
     
  23. Theblackstar

    Theblackstar Registered Member

    Joined:
    Mar 27, 2016
    Posts:
    36
    Location:
    Italia
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico
    Did two offline scans (attaching the HDD to another PC), one using ESET's online scanner and one using Immunet:
    No file or threat found.

    The reg key I deleted by loading the hive.
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,092
    Location:
    Mexico