Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

Discussion in 'other security issues & news' started by stapp, Sep 18, 2017.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,418
    Location:
    Under a bushel ...
    OK. Reported on MB3 forum.

    But it seems resolved now. If I quarantine those keys, it asks me to log in to CCleaner Cloud again after reboot. And then same HKLM\SOFTWARE\WOW6432NODE\PIRIFORM\AGOMO appears again.

    But if I then do MB3 scan again, it is not picked up. So it looks like previous one was bad, but new key is OK.

    Edit: MB Support confirms: Ok, we should be good. I verified myself with latest version of the Ccleaner Cloud and the value TCID is indeed not created under that key.
     
    Last edited: Sep 19, 2017
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    123,357
    Location:
    Texas
    Several posts removed to keep the thread focused on the subject.
     
  3. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    You also removed the original post containing actual advice in your haste to purge.
     
  4. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    188
    Says the patient after an appendectomy, "Hey, Doc, any chance I could get that left kidney back?" lmao :D
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,399
    Location:
    U.S.A.
    Cisco has updated their original blog posting as follows:
    I am also posting an excerpt from the original posting:
    As far as Avast's below statement in regards to the second stage payload activating as noted below, I consider it irrelevant based as on above traffic analysis done by Cisco. It is quite obvious to me that significant traffic from infected devices was occurring to/from the malware C&C servers by the initial backdoor that was installed :
     
    Last edited: Sep 19, 2017
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,399
    Location:
    U.S.A.
    Avast Clarifies Details Surrounding CCleaner Malware Incident
    https://www.bleepingcomputer.com/ne...etails-surrounding-ccleaner-malware-incident/
     
  7. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    484
    Location:
    USA
    A new build today. Changelog: "All builds signed with new Digital Signatures."
     
  8. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,240
    Software Has a Serious Supply-Chain Security Problem

    Three times in the last three months, hackers have exploited the digital supply chain to
    plant tainted code that hides in software companies' own systems of installation and
    updates, hijacking those trusted channels to stealthily spread their malicious code.

    https://www.wired.com/story/ccleaner-malware-supply-chain-software-security/
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    @KeyPer4Life

    Thanks for the infos. Exactly, I agree with that article. I wonder who's next in the line, Google? Microsoft? :cautious:
     
  10. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,932
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,399
    Location:
    U.S.A.
  12. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,240
    Security Now Podcast has Steve Gibson discussing the CCleaner breach and what it means.
    Haven't watched it yet to see what he has to say.

    https://twit.tv/shows/security-now (episode 629)
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,031
    Location:
    Mexico
    My machine was infected and since they made the infection public I only found one trace: Agomo reg key

    Thanks to @itman for that guide @bleepingcomputer, I followed the two first steps only:

    1. Run rKill (Cherry red lines are tweaks I did since I installed Windows in my lappy, so they do not count):
    Code:
    Rkill 2.9.1 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2017 BleepingComputer.com
    More Information about Rkill can be found at this link:
     http://www.bleepingcomputer.com/forums/topic308364.html
    
    Program started at: 09/20/2017 08:12:39 PM in x86 mode.
    Windows Version: Windows 8.1 Enterprise
    
    Checking for Windows services to stop:
    
     * No malware services found to stop.
    
    Checking for processes to terminate:
    
     * No malware processes found to kill.
    
    Checking Registry for malware related settings:
    
     * No issues found in the Registry.
    
    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
    
    Performing miscellaneous checks:
    
     * Windows Defender Disabled
    
       [HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
       "DisableAntiSpyware" = dword:00000001
    
     * Windows Firewall Disabled
    
       [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
       "EnableFirewall" = dword:00000000
    
    Searching for Missing Digital Signatures:
    
     * No issues found.
    
    Checking HOSTS File:
    
     * No issues found.
    
    Program finished at: 09/20/2017 08:13:15 PM
    Execution time: 0 hours(s), 0 minute(s), and 35 seconds(s)
    

    2. Now Zemana scan...
    zemana.png


    I stopped right there cause I believe I won't find anything malicious following further steps.

    I think Piriform's statement, to delete Agomo key and upgrading to v5.35, is sufficient. Neither they or Avast have published the need of further cleaning or anything to get rid of the infection.
     
  14. plat1098

    plat1098 Guest

    I looked at it. If you want to just see the CCleaner part, it starts at 1:17:11. It didn't provide any new info for me but did give a summary lasting about 8 minutes or so. Thanks!
     
  15. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    6,805
    CCleaner Hack Carried Out In Order to Target Big Tech Companies
    https://www.bleepingcomputer.com/ne...ed-out-in-order-to-target-big-tech-companies/
    --------------------
    CCleaner Malware second payload discovered
    https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/
    -----------------------
    Avast: Progress on CCleaner Investigation
    https://blog.avast.com/progress-on-ccleaner-investigation
     
    Last edited: Sep 21, 2017
  16. bberkey1

    bberkey1 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    243
    Location:
    United States
    I found the HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf in the registry, but it was empty. Any word on the key itself or is the payload specifically in the 001, 002... entries?

    I haven't run CCleaner in sometime, I think the last version I had before I uninstalled was at least 3 months old, so I hope I'm in the clear....
     
  17. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,072
    The payload is in the infected CCleaner exe file, so you have nothing to worry about.
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,282
    Location:
    Among the gum trees
    Same here on my Win10 x64 machine so I'm guessing it is benign.
     
  19. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,072
    Yes it should be there. I just checked and it's there on a laptop I just did a clean install of Windows 10 on.
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,282
    Location:
    Among the gum trees
    Thanks, Roger. That's good to know.
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,418
    Location:
    Under a bushel ...
    Thanks for these links :thumb:

    I don't believe I was infected but these supply chain breaches sure are scary.

    Individuals are of little interest in these attacks but many trusted companies could have been infiltrated.

     
  22. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    123,357
    Location:
    Texas
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,399
    Location:
    U.S.A.
    For starters, I personally believe 64 bit systems were infected by this 32 bit malware. I also know of one confirmed instance where this occured. It is also assumed not all 64 systems using the infected ver. of CCleaner were infected. The primary variable would be how the infected ver. was originally installed and most likely what OS ver. it was installed on.

    Symantec published a whitepaper on this very subject; why 32 bit malware would be installed on an x64 bit system: https://www.symantec.com/content/da...32-bit-virus-threats-64-bit-windows-02-en.pdf . Below is an excerpt from the article:
     
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,443
    Location:
    Slovenia
    I don't think that in this case it is a question of whether 32 bit malware can infect 64 bit OS or not. With CCleaner installation on 64 bit OS 2 binaries are installed: 32 bit (CCleaner.exe) and 64 bit (CCleaner64.exe).

    upload_2017-9-21_16-46-16.png

    Apparently only 32 bit application (CCleaner.exe) had backdoor included. On 64 bit OS, user gets shortcut to CCleaner64.exe and not (problematic) CCleaner.exe. So unless they modify shortcut by themselves users of 64 bit OS wouldn't end up running backdoored version of application.
     
    Last edited: Sep 21, 2017
  25. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,754
    Location:
    USA
    This just keeps getting better. I hope this wasn't an inside job but if it was I hope something is done about it. If it was "just" incompetence and someone actually hacked them and pulled off all of this I obviously hope something is done about that as well but the more that comes out about this the less like it seems to me. If they were using any versioning control on their source code it should not be difficult to determine what code was changed and when and by who. In any case I expect this story to just die without any answers and with that any trust I ever had in this company.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.