
CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been compromised


sky7


Detailed analysis on this malware here: https://malwr.com/analysis/NzA4NDVlYmYyZDE4NGEzZWFlNDVmYTMzMTE4MGIzYzQ/#

Notable is that it modified all the major browsers. So regardless of whatever mitigation one chooses, you need to change all your passwords and similar security mechanisms if infected.

Bleepingcomputer.com has a cleaning guide for it here: https://www.bleepingcomputer.com/virus-removal/remove-floxif-ccleaner-trojan

I still stick with the image restore or reinstall recommendation.

Edited by itman

Now the question is, should I format my PC if I have a 64 bit system, or does it really only affect 32 bit systems?

And second, according to the disinfection guide they mention, ESET does not eliminate the threat completely by itself, right?


3 hours ago, sky7 said:

CCleaner Malware second payload discovered

https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/

This is not good. It is more sophisticated we think.


That article mentions a 64 bit as well as a 32 bit trojan. So did the 64 bit versions get attacked?


5 hours ago, peteyt said:

That article mentions a 64 bit as well as a 32 bit trojan. So did the 64 bit versions get attacked?

Well, at the beginning of this thread, @TomFace noted he was infected by the primary payload and he was running Win 7 x64.

The CCleaner installer includes both 32 and 64 bit versions. My suspicion is that the infected ver. of CCleaner installed the 32 bit ver. on x64 systems. In reality, most users are clueless whether 32 or 64 bit software is installed. 32 bit software runs fine on 64 bit systems. For example, Adobe Reader is 32 bit only software.

Also, positive confirmation of a second payload targeting corporations means anyone using CCleaner really needs to start thinking about rebuilding their networks from scratch.

Like I keep stating, if you discover a backdoor has been installed, the only known fully safe mitigation is either a system image restore or reinstalling the OS.

Edited by itman

For starters, I personally believe 64 bit systems were infected by this 32 bit malware. It is also assumed not all x64 systems using the infected ver. of CCleaner were infected. The primary variable would be how the infected ver. was originally installed and most likely what OS ver. it was installed on.

Since Eset has now published an article on the CCleaner incident and asks in that article why the malware was only placed in the 32 bit ver., I will try to shed some light on that.

Symantec published a whitepaper on this very subject, why 32 bit malware would be installed on an x64 bit system: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/32-bit-virus-threats-64-bit-windows-02-en.pdf . Below is an excerpt from the article:

Quote

Due to the extension of the file format, 32-bit Windows viruses have the potential to cause more indirect damage than usual on the 64-bit Windows platform.

This indirect damage will occur regardless of whether the virus is running locally or infecting remotely via an open share. The reason for this is the slightly different PE specification for 64-bit applications (hereafter referred to as PE+).

This difference is mostly structural in nature and, aside from the Base of data field (which has been removed from PE+), does not change the functionality of any field or structure.

These differences are specific to the PE optional header, the import lookup/address table, the export address table and the TLS directory.

-EDIT- Another possible and more likely scenario is that the CCleaner setup program only installed the backdoor on x64 bit systems, whereas on 32 bit systems the hackers installed the malware embedded in the 32 bit installer software.

This would allow for remote hacking of x64 systems to install additional malware components as needed, along with extracting data from the target as needed to support those downloads.

Edited by itman

FYI...it's better to be safe than sorry (especially these days)...I did a system restore back to 7/5/17 from my external drive...then uninstalled the existing CCleaner that was in that backup. Maybe it's overkill, but I did the Bleeping Computer removal steps (nothing was found). Changed all my passwords. Will now put my attention to the backup external drive which I am sure has the September backup with CCleaner in it. Soooo....I think I am good. For the moment am not reinstalling CCleaner (although I'm sure it's OK ...now).

Edited by TomFace

5 hours ago, itman said:

Well, at the beginning of this thread, @TomFace noted he was infected by the primary payload and he was running Win 7 x64.

The CCleaner installer includes both 32 and 64 bit versions. My suspicion is that the infected ver. of CCleaner installed the 32 bit ver. on x64 systems. In reality, most users are clueless whether 32 or 64 bit software is installed. 32 bit software runs fine on 64 bit systems. For example, Adobe Reader is 32 bit only software.

Also, positive confirmation of a second payload targeting corporations means anyone using CCleaner really needs to start thinking about rebuilding their networks from scratch.

Like I keep stating, if you discover a backdoor has been installed, the only known fully safe mitigation is either a system image restore or reinstalling the OS.

Not sure when my last backup was. Sadly it's been a while. Should ESET find it now if I am infected? I've not seen any warnings.


43 minutes ago, peteyt said:

Not sure when my last backup was. Sadly it's been a while. Should ESET find it now if I am infected? I've not seen any warnings.

I had more recent restore points....but I cleaned house recently....lesson learned. :(

Edited by TomFace

Something interesting I saw today..

I gathered two malicious CCleaner samples and tested both ESET and Cylance. I tested their old snapshot with no internet (Sept. 15, before the news revealed the truth) and the latest snapshot (both connected to the internet).

So without any surprise, ESET and Cylance both failed to detect the malicious CCleaner in the old snapshot..

The latest ESET detected both samples without surprise. But interestingly, the latest Cylance only detected one of the two samples.

What is more surprising is that, after I slightly modified the MD5 of the sample Cylance originally detected (by simply appending some zeroes at the end of the PE), Cylance no longer detects it. So this means their "unsafe" verdict is purely based on hash blacklisting, at least in this CCleaner incident.

This is a really awkward result for the next-gen solution perhaps, and perhaps this is the Achilles' heel of statistics-based engines. When something malicious is embedded inside benign software, it is likely to blind these engines. In addition, modifying the detection model to fit a minority sample is also hard.

Using automated behavioral detection of CCleaner is also hard because the benign version also exhibits many suspicious activities. I am starting to see the difficulty of detecting this particular piece of malware here.

Edited by 0xDEADBEEF
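The observation above (appending zeroes changes the file hash, so a pure hash blacklist stops matching) and the Symantec excerpt on PE versus PE+ headers can both be shown with a small parser. The following is an added example, not code from the thread or from any vendor: it builds a constructed, non-executable PE32 and PE32+ skeleton, then compares a whole-file SHA-256 with a hash computed only over the bytes the loader actually maps (the section table's raw data), which is unaffected by trailing overlay padding. All sample data is constructed inline.

```python
import hashlib
import struct

def build_sample_pe(pe32plus: bool) -> bytes:
    """Constructed, non-executable PE skeleton with one .text section (test data only)."""
    opt_size = 240 if pe32plus else 224          # optional header size: PE32+ vs PE32
    magic = 0x20B if pe32plus else 0x10B         # Magic field distinguishes PE32+ from PE32
    body = b"\xC3" * 64                          # placeholder section bytes (x86 'ret' opcodes)
    raw_ptr = 64 + 4 + 20 + opt_size + 40        # DOS hdr + "PE\0\0" + COFF hdr + opt hdr + 1 section hdr
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew: NT headers start at offset 64
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", magic) + b"\0" * (opt_size - 2)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(body), 0x1000, len(body), raw_ptr,
                       0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sect + body

def pe_section_hash(data: bytes):
    """Return (format, SHA-256 over mapped section bytes only, overlay byte count)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]     # first field of optional header
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown")
    sec_table = e_lfanew + 24 + opt_size
    h = hashlib.sha256()
    end = 0
    for i in range(nsec):
        _n, _vs, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_table + 40 * i)
        h.update(data[raw_ptr:raw_ptr + raw_size])   # only bytes the loader maps into memory
        end = max(end, raw_ptr + raw_size)
    return fmt, h.hexdigest(), len(data) - end       # bytes past the last section = overlay

def compare(original: bytes, padded: bytes):
    """(whole-file hashes equal?, section hashes equal?) for a sample and its padded copy."""
    whole_same = hashlib.sha256(original).digest() == hashlib.sha256(padded).digest()
    sect_same = pe_section_hash(original)[1] == pe_section_hash(padded)[1]
    return whole_same, sect_same

if __name__ == "__main__":
    for plus in (False, True):
        sample = build_sample_pe(plus)
        padded = sample + b"\0" * 512            # the trailing-zero padding described in the post
        fmt, digest, overlay = pe_section_hash(padded)
        print(fmt, "section hash:", digest[:16], "overlay bytes:", overlay, compare(sample, padded))
```

A section-only hash is still a brittle indicator against any change inside the mapped image; its point here is only to show why a whole-file hash alone is the weakest possible verdict.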

9 hours ago, 0xDEADBEEF said:

What is more surprising is that, after I slightly modified the MD5 of the sample Cylance originally detected (by simply appending some zeroes at the end of the PE), Cylance no longer detects it. So this means their "unsafe" verdict is purely based on hash blacklisting, at least in this CCleaner incident.

The same observation was made by others in the security forums where past testing of Cylance was performed. That is, they are not only using blacklisting but also signatures in their detection processing. Most by now have correctly deduced that Cylance is "smoke and mirrors" protection.

The bottom line is that detecting a backdoor in a trusted app via behavior analysis is virtually impossible. Establishing a remote connection is normal behavior for most applications, to support auto updating for example.

Edited by itman

One thing that has confused me is that Avast/Piriform has not released any tools. Surely a standalone tool to detect all traces and remove them would make a lot of customers feel safer.


19 minutes ago, peteyt said:

One thing that has confused me is that Avast/Piriform has not released any tools. Surely a standalone tool to detect all traces and remove them would make a lot of customers feel safer.

See comment #118 at https://forum.piriform.com/index.php?showtopic=48869&page=6

May be all about $$$....nothing would surprise me these days.

Edited by TomFace

1 hour ago, peteyt said:

One thing that has confused me is that Avast/Piriform has not released any tools. Surely a standalone tool to detect all traces and remove them would make a lot of customers feel safer.

Their stance is that installing the infected version will remove the primary backdoor since it was embedded within the software. Their original stance was that they could find no evidence that anything was downloaded through the backdoor. That is, until later a second backdoor was discovered. They explained this one away by stating that the second backdoor only targeted corp. users.

All the above of course is "baloney" since the Malwr analysis I posted previously in this thread showed all the major browsers had their settings modified. That alone indicates a very high likelihood that additional malware downloads and system modification activities were indeed performed through the initial backdoor.

They are not going to publicly admit anything other than what has been said to date, due to legal liability and the like. This is the primary reason that they haven't publicly stated that the only way to fully know your system is clean is to do an image restore from prior to Aug. 15 or reinstall your OS. Pretty damn irresponsible in my opinion.


I will format my PC, following this recommendation, but I must keep many work files. Do you think there is a risk of transferring the infection to the external hard drive where I will store the information?


5 hours ago, mantra said:

Hi

but ESET could release a deep analysis about 64 bit and 32 bit operating systems

is it so hard for them?

What do you mean? ESET should detect it. Avast should be doing more, seeing as they own CCleaner.

Edited by peteyt

8 hours ago, mantra said:

Hi

but ESET could release a deep analysis about 64 bit and 32 bit operating systems

is it so hard for them?


No need for ESET to do so since Cisco already has, and is actively analyzing the incident and posting its findings as they are discovered.

Here is a link to the detailed analysis of the original backdoor found: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html#more

Here is a link to the detailed analysis of the second backdoor found: http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html#more


On 22/09/2017 at 11:13 PM, TomFace said:

See comment #118 at https://forum.piriform.com/index.php?showtopic=48869&page=6

May be all about $$$....nothing would surprise me these days.

I've heard some other people believing it was an Avast insider too, and I suppose it is a coincidence as Avast just recently purchased Piriform. However, I always thought Avast was a respected AV company, used by many professionals just like ESET. I know Avast bought AVG, which didn't have as good a reputation in the end.

So who knows. If this was Avast, which I hope not, I do hope they get caught. But I suppose it will be mainly Avast running the investigation.


In my opinion, a nation state or proxy of one was involved in this attack. It is logical to assume not all existing Piriform employees were happy over the upcoming Avast merger. I suspect the attacker actively sought out Piriform employees, especially those in IT development with the knowledge and credentials needed to give him access to the CCleaner code. The attacker could have entered remotely and made the modifications, or had someone internally replace the legit code with the hacked version. In merger situations tensions are running high due to uncertainty, which leads to things like "I am not going to be as vigilant as I should be since I am probably going to be adversely impacted no matter what I do." There are a number of QC checks that must be done when it comes to distributing commercial software. Just one procedure lapse could have resulted in the hacked version being implanted and distributed.

Edited by itman

When I look around the thread concerning this (on the CCleaner forum) it's my opinion that some folks are getting tired of the questions and inquiries that CCleaner users are posing. I felt a bit insulted :angry: at some of the responding posts (like it won't affect you so get over it...).

Again it's just my opinion. :mellow:

I'm not sure if I will re-install CCleaner...ever.:unsure:

Edited by TomFace

17 minutes ago, TomFace said:

When I look around the thread concerning this (on the CCleaner forum) it's my opinion that some folks are getting tired of the questions and inquiries that CCleaner users are posing. I felt a bit insulted :angry: at some of the responding posts (like it won't affect you so get over it...).

Again it's just my opinion. :mellow:

I'm not sure if I will re-install CCleaner...ever.:unsure:

No doubt the code will get reworked again and released under a different product, not under any Avast/AVG naming.

The sad fact of the matter is that I doubt this is the only product that's been affected by a similar type of exploit. Money talks and people anywhere can be bought. Everyone has a price :unsure:


10 hours ago, TomFace said:

When I look around the thread concerning this (on the CCleaner forum) it's my opinion that some folks are getting tired of the questions and inquiries that CCleaner users are posing. I felt a bit insulted :angry: at some of the responding posts (like it won't affect you so get over it...).

Again it's just my opinion. :mellow:

I'm not sure if I will re-install CCleaner...ever.:unsure:

I have installed the new version for now. If it turns out Avast did it themselves I probably will get rid of it. I do have Glary cleaner installed as well.


There is an interesting posting on Gibson Research here: https://www.grc.com/x/news.exe?group=grc.security.software&xrelated=131017&cmd_last=+Prev+

The poster states that by installing the 64 bit 5.33 ver. in a VM, the malware was detected. He doesn't clarify whether the 32 or 64 bit ver. of 5.33 was installed, which would have been helpful. I suspect what the 5.33 installer did on x64 OS vers. was install the infected 32 bit ver.

So statements about only the 32 bit ver. of CCleaner being infected are indeed misleading.

Edited by itman
