Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

Discussion in 'other security issues & news' started by stapp, Sep 18, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,381
    Location:
    Slovenia
    https://www.welivesecurity.com/2017/09/21/cconsiderations-on-ccleaner-incident/
     
  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    39,273
    Yep, this can be seen with other applications too. Both versions (32-bit and 64-bit) are installed but the shortcut in the startmenu points to the 64-bit version (if the application is installed on a 64-bit OS).
    As long as the user use the shortcut, it will execute the 64-bit version.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    I strongly suspect that the CCleaner setup program only installed a backdoor on x64 systems. It then used the backdoor to remotely connect to map the target and download additional malware as needed. The attacker then removed the original backdoor leaving no trace of the original attack. A scenario used in the WannaCry attacks.

    Appears the attacker felt confident that the backdoor would not be detected in the 32 bit CCleaner installer which was the case since it wasn't discovered till mid-Aug.. Additionally most malware code has been and still is 32 bit code. Coding a x64 backdoor is trivial since all it is doing is establishing a remote connection.

    Since the attacker had access to Piriform servers, he also could modify the CCleaner download stored there to remove the x64 backdoor code from setup program after the initial attack began.
     
  4. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    You don't find it amusing that users would just trust that their 64bit version is safe from a company that just broke all trust?
     
  5. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    ...and...

    Hahahahahaha.

    "But but, I trusted that the 64bit version was safe!!"

    Like I said before: Swallow your mistake, format, and think twice before installing pointless software.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    I regards to the second payload delivery:
    https://www.bleepingcomputer.com/ne...ed-out-in-order-to-target-big-tech-companies/

    Again and in plain English if you were infected, you need to do either a system image restore or reinstall your OS.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,381
    Location:
    Slovenia
    That is of course speculation. Since attacker can do whatever they want (if they compromised their server) we can't be sure of anything. We can only see results of published analysis and they don't support this scenario.
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,381
    Location:
    Slovenia
    A lot of users don't know if they were infected. System restore is good if you know when your system was clean. So far we can't know if versions before 5.33 were all clean or if any other software on their server was affected. There just isn't enough data about intrusion itself to draw any conclusions. So it only remains OS reinstall scenario. And repeat it each time one of vendors gets compromised since there is no 100% guarantee that your system is not infected (even if there is no indication of infection).
     
  9. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I know I was not infected and won't be reinstalling Windows. Some are still saying only 32 bit systems were infected and others are saying both. I have always believed it was OS version aware. I still have version 5.14 from Feb 2016 but am not going to install that.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    Here is the latest updated blog posting from Cisco: https://blogs.cisco.com/talos. Scroll down to the bottom of the posting and click on "Read More" for the full latest technical analysis.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,899
    Location:
    Among the gum trees
    The next major Win10 update is scheduled for released for 17th of October, less than a month away. It seems like a good time to clean install Win10.
     
  12. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,797
    Indeed. That is what I plan on doing as well.
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    5,598
    Location:
    DC Metro Area
    Ars Technica on the Second Payload:

    "Backdoored CCleaner has a nasty surprise for at least 20 targeted tech firms

    Microsoft, Cisco, and VMWare among those infected with additional mystery payload...

    The second stage appears to use a completely different control network. The complex code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. Craig Williams, a senior technology leader and global outreach manager at Talos, said the code contains a 'fileless' third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. Researchers are in the process of reverse engineering the payload to understand precisely what it does on infected networks.

    Now that it's known the CCleaner backdoor actively installed a payload that went undetected for more than a month, Williams renewed his advice that people who installed CCleaner version 5.3 reformat their hard drives. He said simply removing the stage-one infection is insufficient given the proof now available that the second stage can survive and remain stealthy...."

    https://arstechnica.com/information...utbreak-is-much-worse-than-it-first-appeared/

    OK. Soooooo, If you not Cisco, Microsoft, Gmail, et. al., and you installed 533 on a 64X machine are u gonna restore an image ??
     
    Last edited: Sep 21, 2017
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    The main point from Cisco's technical analysis is that they only know for sure that the 20 organizations were targeted. There is a high likelihood that many others were indeed affected:
     
  15. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,239
    Thanks for the time frame.
     
  16. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,239
    Your welcome. I'll I can say is have plenty of reliable image backups.
     
  17. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,239

    So one has to download the following programs and run them...

    RKill
    Malwarebytes Anti-Malware
    Zemana AntiMalware
    AdwCleaner
    HitmanPro

    ... then scan for outdated vulnerable programs with Secunia PSI. By the time I did all that I could of
    reinstalled the OS. :D

    If this CCleaner breach happened to me I would do a restore from an image backup which takes
    less than 5 minutes and be done with it.
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,373
    Location:
    Under a bushel ...
    No. Partly because my Macrium GFS scheme isn't working properly and removed my pre-Aug 15 full image.

    But also I have found no evidence of stage 1 or stage 2 infection. Whatever info may have been extracted from my machines is already out there, maybe beyond the 'sinkholed' servers, in the 'never forget' internet.

    And it seems these guys weren't really targeting the little guy, but selected mainly tech firms, but also some banks and .gov domains.

    With my level of customisation, I couldn't be bothered to do a clean install. I'll accept the risk.

    But with increasing prevalence of these supply chain attacks, my future strategy is leaning towards a bare bones image of the updated OS, and then as little software installed as possible a la @guest.

    Bit boring really, because I like to try out stuff. :isay: And hang out here.
     
  19. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    With the amount of pointless software you use, as can be seen in your signature, it's a safe bet that your machine is not trustworthy whatsoever, CCleaner or not. There are far too many points of entry on your machine.

    But make sure you do your daily prayers of faith, that should keep the baddies away. That's what I'm picking up from your response: "I'm hoping for the best".

    I'd highly recommend it, and that is indeed a good opportunity.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,373
    Location:
    Under a bushel ...
    :rolleyes:
     
  21. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    6,746
    Avast Threat Labs analysis of CCleaner incident
    22 September 2017
    https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident
     
  22. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,081
    Location:
    Europe, UE citizen
    Today I read this: https://forums.comodo.com/news-announcements-feedback-cis/ccleaner-contained-t120580.0.html ( I don't know if already posted here form this or another link ):

    "Elements:
    taskscheduler:C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
    file:C:\Program Files\CCleaner\CCleaner.exe
    file:C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
    uninstall:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CCleaner
    regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DCE4767-2B66-466F-B3D1-6F1EBE9F939E}
    regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC
    regkey:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CCleaner "


    I checked in my system and I found only:
    C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
    regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC

    What it means ?
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I'd love to know what your qualifications are to tell another user they are running pointless software?
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,373
    Location:
    Under a bushel ...
    Thanks Peter. Mine are 36 years in enterprise application development, the last six at IBM, but it's OT really :).
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    The scheduled task SkipUAC key has always been present and one reason among others I long ago stopped using crap cleaner.

    The other scheduled task reg. key is suspect. Perhaps people using the latest ver. can confirm if the key exists for that.

    You can check scheduled task status using Autoruns and can also remove them from there.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.