Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

Discussion in 'other security issues & news' started by stapp, Sep 18, 2017.

  1. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,546
    Best solution, as is usually the case, is to restore a backup image created before August 15.
     
    Last edited: Sep 18, 2017
  2. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    This is probably the funniest thing I've read this year.

    If you're on Windows 10, you should NOT be using any form of "cleaner" or "speed up" or any of that nonsense AT ALL.

    If you want to run a cleaner, click start, type "cleanup" and launch the built in disk cleanup utility.

    I continually find it amusing that paranoid people are so eager to add more software (more avenues of infection) instead of focusing on having as little as possible. So naive.

    If you want to stay safe online, trust less software, not more. Also anything you can do in your sandboxed browser is better than installing software for.
     
    Last edited: Sep 18, 2017
  3. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,546
    Disk cleanup is very slow in some computers. It´s possible to configure a basic cleanup directly from: Windows + I > Storage > Storage sensor...
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    So it seems, I agree. After scanning my HDD by Eset's and Immunet's scanners, no malicious file was found. Just that reg key which I deleted manually.

    I officially consider my laptop clean (99% sure) unless something comes up in the next few days. :)
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Again, I state the following. This only applies if you were infected. You should know that by now since most of the AV's, Malwarebytes, etc. have a sig. for the CCleaner malware.

    If you were infected, the likelihood is high that the malware installed a backdoor. Detecting a backdoor is next to impossible to detect other than by constant and detailed network monitoring. Additionally the backdoor can remain dormant for days, weeks, months, and in some instances years. Positive backdoor detection can only be had by an actual sample of the installed code so a signature can be developed. Hence Cisco's recommendation to restore from pre-Aug. 15 restore point or reinstall the OS. I would opt for a Win 8/10 repair installation over a system restore point. Obviously, the best solution would be a restore from an image backup. It always has been and always will be established security procedure to reinstall or restore from image backup if a backdoor installation is suspected.

    -EDIT- And it has been confirmed at least one backdoor was set by the malware to enable its "mapping" activities that proceeded once the malware was initially installed:
    https://www.scmagazine.com/ccleaner-used-to-spread-backdoor-to-2-million-plus-users/article/689544/
     
    Last edited: Sep 18, 2017
  6. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    Good advice, yet I have no backup image. Let's see what researchers say later on in time.
     
  7. Tom111

    Tom111 Registered Member

    Joined:
    Jun 26, 2014
    Posts:
    57
    But then again, how do you know if you are really infected? Just by looking if you have that key created in the registry?

    And who knows, maybe the 64 bit version is also affected. Nobody even knows for sure right now.
     
    Last edited: Sep 18, 2017
  8. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,932
    Macrium Reflect FTW!
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,284
    Location:
    Among the gum trees
    No sign of that Registry Key here and MB 3 scans clean. I see people are having trouble installing the latest CCleaner if they have MB running in real-time.

    MBAM3 prevented upgrade to CCleaner
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
  11. plat1098

    plat1098 Guest

    Don't laff, Malwarebytes apparently was one of the very few that originally detected this:

    https://malwaretips.com/threads/mal...-ccleaner-installers.75499/page-2#post-672066

    That's the problem with a software you always have trusted implicitly, you might disregard any warnings.

    I uninstalled CC 64 bit anyway even though it was unaffected. It could be good as gold 'til whenever but general trust in Piriform is gone. Got Wise Disk Cleaner instead to use occasionally in lieu of Windows.
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    The hacking could happened to anyone, even the best ones. I still trusting in Piriform although some new measures should be put in place to guarantee a new security level to customers/users.
     
    Last edited: Sep 18, 2017
  13. plat1098

    plat1098 Guest

    It took more than this to move on from Piriform. Speccy suddenly couldn't detect 2 of 4 components on two machines and I still had 3 months left on subscription. Really regretful about this, CC was a keeper 'til now.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    According to Eset, the sig they developed for the malware is this, "Win32/CCleaner.A, Win32/CCleaner.B", which is not what is shown on the MB link to VT you posted. What is shown on VT is the detection for the Google Toolbar in the CCleaner installer; i.e PUA.

    I do know the person who posted on the Eset forum that he was infected, noted it was advanced memory scanning that detected the malware at boot time. Might be the malware in the CCleaner installer is packed, encrypted, and obfuscated which means it can't be detected until the malware is loaded into memory. In other words, after CCleaner is installed. Most likely, the malware was downloaded and installed after the backdoor was set. All the CCleaner installer did was set the backdoor.

    -EDIT- Also based on what is currently posted on VT, what the products are currently detecting is the backdoor set by the CCleaner installer. Fine but useless to anyone with resultant malicious system changes that could have been done previously through the backdoor.
     
    Last edited: Sep 18, 2017
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,995
    Location:
    Nicaragua
    I got lucky, I am still using version 5.32.6129 in W10 64 bits and version 5.27 in my W7 32 bits. I wouldn't know what to do if I had installed the infected version, I feel for you guys who installed it.

    Bo
     
  16. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,255
    Location:
    Pennsylvania.
    Checked the registry on my 64 bit version and I don't have the key in my registry. Now to find a program to replace it with......
     
  17. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,413
    Location:
    Triassic
    Ccleaner is a specifically smart target and for that reason I do not think the intent was mischief. Due to this I relented later today and decided to restore to a July 2017 backup image on my infected system. Some time spent now will hopefully save me a great deal of potential torment later.
     
  18. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    945
    Location:
    Canada
    FYI From Vlk of Avast.

    Because both 32b and 64b binaries are present on the HDD... but the payload doesn't activate on 64-bit.
    You can check the existence of the registry key HKLM\SOFTWARE\Piriform\Agomo -- if it exists, the backdoor activated, otherwise it didn't.

    Thanks
    Vlk
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Two questions. I had 533 on board, and first thing I did was uninstall 533 with Revo which cleaned out all the registry keys. Install 419 and check and the key reg key is not there.

    1. Does that mean the back door is gone.

    2. If it is still their would it be in a file or not.

    Pete
     
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,443
    Location:
    Slovenia
    1. if CCleaner executable from program files folder is gone (CCleaner.exe) then backdoor is gone (it was embedded in their main executable).

    So far there is no evidence about some additional backdoor, so everything else is at the moment pure speculation.

    EDIT: you can also check for registry key and see if backdoor was even triggered on your system.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks minimalist
     
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,443
    Location:
    Slovenia
    You're welcome.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,777
    Location:
    U.S.A. (South)
    Oh boy. Windows-The wonderful portal for backdoors courtesy your local crap cleaner.
     
  24. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Yeah because only Windows is vulnerable to back doors.

    The lolz just keep on coming from this thread, 10/10.

    ROFL. "I know I've been using this totally useless software, but I'll just keep using it despite being a direct threat to me".
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,284
    Location:
    Among the gum trees
    I'm not dropping CCleaner... yet.

    It's not the first software to be infected and I'm sure it won't be the last.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.