sky7

CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been compromised

Recommended Posts

CCleanup: A Vast Number of Machines at Risk
https://blogs.cisco.com/security/talos/ccleanup-a-vast-number-of-machines-at-risk

File:
https://www.virustotal.com/en/file/6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9/analysis/

Malwarebytes, ClamAV and Kaspersky(cloud detection) could detect a malware.
CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been compromised.
If you use CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 you must update a program and scan the system with Malwarebytes (free).

 

TomFace likes this

Share this post


Link to post
Share on other sites

ESET has detected it since update 16099: Win32/CCleaner.A, Win32/CCleaner.B. At that time KAV didn't detect it at VirusTotal yet.

Karmadyota and Arik like this

Share this post


Link to post
Share on other sites

I also just had a detection this morning. Now doing an in-depth scan. Ccleaner was offering an update (for the past few days) with different verbiage saying something to the effect "important update". As I use slim, that version has not yet been released so I have not updated.

59bfe70425304_CC9_18_172.jpg.00245f0e4dd14a605344b89baffe69b1.jpg

 

Could someone please put it in simple terms for me...what is the mischievous  behavior of this malware?

(for example...Is it a data/password thief?)

59bfdb25c9bf0_Ccleaner9_18_17.jpg.dd75e72062b02b92461b5e27f659b455.jpg

Edited by TomFace

Share this post


Link to post
Share on other sites
28 minutes ago, TomFace said:

Could someone please put it in simple terms for me...what is the mischievous  behavior of this malware?

(for example...Is it a data/password thief?)

Based on the following, it could have  "mapped" your device/network.

Quote

 

What happened?

An unknown threat group compromised the CCleaner infrastructure.

The attacker added malware to the 32-bit versions of CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191.

The files were available for download between August 15 and September 12.

Who is affected?

Everybody who downloaded and installed the affected versions in that timespan.

Avast estimates the number of affected machines at 2.27 million.

What does the malware do?

The malware — named Floxif — collects data from infected computers, such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part.

The malware could also download and execute other malware, but Avast said it did not find evidence that attackers ever used this function.

 

https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/

Edited by itman
Arik and TomFace like this

Share this post


Link to post
Share on other sites

@TomFace are you running 32 bit Windows? This hack is only supposed to affect 32 bit ver. of CCleaner.

Share this post


Link to post
Share on other sites

Thanks itman....as ESS found it pretty much right away (after me powering up). I'm going to hope things will be OK (knock on wood).

Don't need this on top of the Equifax breach (yes I was included in that).

Arik likes this

Share this post


Link to post
Share on other sites
5 minutes ago, itman said:

@TomFace are you running 32 bit Windows? This hack is only supposed to affect 32 bit ver. of CCleaner.

64 bit OS Win 7 Home Premium.

Edited by TomFace

Share this post


Link to post
Share on other sites

FYI - The Cisco article recommends this action which I agree with:

Quote

Affected systems need to be restored to a state before August 15, 2017 or reinstalled.

 

Share this post


Link to post
Share on other sites
10 hours ago, itman said:

FYI - The Cisco article recommends this action which I agree with:

 

Thanks itman.;)

 

Edited by TomFace

Share this post


Link to post
Share on other sites
2 hours ago, Marcos said:

ESET has detected it since update 16099: Win32/CCleaner.A, Win32/CCleaner.B. At that time KAV didn't detect it at VirusTotal yet.

hi

in short only from today ? but can detect the malware installed by ccleaner downloading from internet?

thanks

virus total -> virus total dection  , there is no eset

Glb0e82.png

16099 Sep-18-2017, 13:00 CEST (UTC/GMT +02:00)
Edited by mantra

Share this post


Link to post
Share on other sites

Has anyone written a script to automate the removal of this tool?

Share this post


Link to post
Share on other sites
4 hours ago, Trooper311 said:

Has anyone written a script to automate the removal of this tool?

For starters the "offending party" in this case, Avast, is the one responsible to developing a mitigation to this issue. Since the malware remained resident and undetected for a month, the likelihood that a backdoor was installed is high. The "bugger" is trying to find the backdoor if it remains in a dormant state. It could remain that way for days, weeks, months, or in some documented cases - years.

Trooper311 likes this

Share this post


Link to post
Share on other sites
15 hours ago, Marcos said:

ESET has detected it since update 16099: Win32/CCleaner.A, Win32/CCleaner.B. At that time KAV didn't detect it at VirusTotal yet.

Marcos

can i ask a question ?

is true that this malware infected only the 32bit version of ccleaner and not the 64bit or both?

thanks

Share this post


Link to post
Share on other sites
5 hours ago, mantra said:

is true that this malware infected only the 32bit version of ccleaner and not the 64bit or both?

As stated in the blog by Avast:

As only two smaller distribution products (the 32 bit and cloud versions, Windows only) were compromised, the actual number of users affected by this incident was 2.27M.

Share this post


Link to post
Share on other sites
2 hours ago, Marcos said:

As stated in the blog by Avast:

As only two smaller distribution products (the 32 bit and cloud versions, Windows only) were compromised, the actual number of users affected by this incident was 2.27M.

Would be helpful if Eset published an article on recommended mitigation to anyone affected this.

Cisco already publically stated restore prior to Aug. 15 or reinstall. I agree. Avast in my opinion is spreading FUD by their statement that the second stage of the backdoor never activated therefore no actual malware payload was downloaded.

My statement is a backdoor is a backdoor. Once activated not only can the original hacker use it but so can anyone else. Case in point was the EternalBlue set backdoor and later delivered malware that used that backdoor and closed it so no one else could use it.

There are currently a lot of users, based on posted comments in the security forums, who believe they are now safe since security solutions are detecting and removing the original backdoor. The reality of the situation is no one knows for sure what system modification occurred through use of the backdoor in the month or more it was resident on one's device.

Edited by itman

Share this post


Link to post
Share on other sites
3 hours ago, Marcos said:

As stated in the blog by Avast:

As only two smaller distribution products (the 32 bit and cloud versions, Windows only) were compromised, the actual number of users affected by this incident was 2.27M.

hi

i have read it but i would like to know what Eset knows about it , at least some advises ,or confirm that only 32bit os system affected

i trust about eset , i will never take in consideration to buy avast or use ccleaner or other products like recuva

can we have a confirmation from Eset ?

thanks

Share this post


Link to post
Share on other sites

Since the software was created by Piriform , its really down to them to release any type of advice as to what to do "After" installing the offending product.

They have already released this .........

https://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

Share this post


Link to post
Share on other sites

Interestingly I had an issue upgrading to 5.4 it kept saying something like "Error opening file for writing C:\ProgramFilesCcleaner\Ccleaner64.exe." I also had to restart the computer because it wouldn't let me delete the download as I didn't have any permissions and it wouldn't let me create any even though it was on my Administrator account. After rebooting the latest version seemed installed now and I could delete the download.

One thing this incident does show is how important having an antivirus is. Many people claim they can be safe and not need an antivirus simply by visiting safe websites, using software from trusted sources etc. but this shows that even trusted sources can become infected.

Share this post


Link to post
Share on other sites

Well I'm quite disappointed with ESET and all the antivirus in general, because nobody detected this problem, until the same people of Periform made it public.

I wonder what confidence we can have in our security software when it does not check that the behavior of the programs is expected and only relies blindly on the certificates.

The problem was active since August 15, and it was not until September 18 that ESET detected it and it was not even for an investigation of its own.

And now it turns out that its only recommendation is to format the device, so ESET is not able to protect us from the back door that may or may not have left this Trojan.

Share this post


Link to post
Share on other sites
6 minutes ago, Hijin25 said:

Well I'm quite disappointed with ESET and all the antivirus in general, because nobody detected this problem, until the same people of Periform made it public.

I wonder what confidence we can have in our security software when it does not check that the behavior of the programs is expected and only relies blindly on the certificates.

The problem was active since August 15, and it was not until September 18 that ESET detected it and it was not even for an investigation of its own.

And now it turns out that its only recommendation is to format the device, so ESET is not able to protect us from the back door that may or may not have left this Trojan.

hi

me too

Share this post


Link to post
Share on other sites
36 minutes ago, Hijin25 said:

Well I'm quite disappointed with ESET and all the antivirus in general, because nobody detected this problem, until the same people of Periform made it public.

I wonder what confidence we can have in our security software when it does not check that the behavior of the programs is expected and only relies blindly on the certificates.

The problem was active since August 15, and it was not until September 18 that ESET detected it and it was not even for an investigation of its own.

And now it turns out that its only recommendation is to format the device, so ESET is not able to protect us from the back door that may or may not have left this Trojan.

I read a second piece of malware was launched but not activated. Maybe the behaviour seemed originally normal

Share this post


Link to post
Share on other sites

According to information from Piriform, since August 20 the people of Morphisec's security, detected the behavior anomalo, only did not make it public, therefore the problem was perceptible from the early days.

I could understand that zero day did not recognize the threat, but please, was active almost a month and no one else noticed, or who knows how many months they would have taken to do so.

And as for my second approach, do you have to format the computer because ESET will not be able to protect us from possible sequels?

Share this post


Link to post
Share on other sites

The code was modified "internally" before even being released to the public, so that puts it in another category altogether.
Had the original installer been modified after release then the outcome would have been different.

How people expect ESET, Microsoft, Kaspersky ......... etc to be accountable for internal security issues at other companies is beyond me.

No company has the capability to reverse engineer or scrutinise the source code of every piece of software that is written and offered online.

There's a very big difference in what's technically possible and what peoples expectations are of security products.
 

Arik likes this

Share this post


Link to post
Share on other sites
45 minutes ago, Hijin25 said:

I could understand that zero day did not recognize the threat, but please, was active almost a month and no one else noticed, or who knows how many months they would have taken to do so.

The backdoor was a validity signed executable in a trusted software update download.  No one detected the malware prior to its discovery in mid-Aug and subsequent public disclosure earlier this week.

This is "point proof" that the Next Gen/AI algorithms are also totally ineffective against this.

One way this could have been user detected was through aggressive outbound network monitoring. By "aggressive" I mean that CCleaner would be only allowed to connect its known update servers and nothing else. This is also "iffy" since the CCleaner updater most likely created a new process most like likely in its own directory and used that process to perform the remote communication. Even if you were monitoring all outbound communication, you most likely would have allowed it since the process was running from the CCleaner directory. 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


  • Recently Browsing   0 members

    No registered users viewing this page.