Jerky McDilerino

Avast reckons CCleaner malware infected 2.27M users


Quote

Users of a free software tool designed to optimize system performance on Windows PCs and Android mobile devices got a nasty shock this morning when Piriform, the company which makes the CCleaner tool, revealed in a blog post that certain versions of the software had been compromised by hackers — and that malicious, data-harvesting software had piggybacked on its installer program.

The affected versions of the software are CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191.

The company is urging users to upgrade to version 5.34 or higher (which it says is available for download here).

So clearly some users may still have a compromised PC on their hands (Piriform says it’s moving all users of the CCleaner to the latest version of the software, while noting that users of CCleaner Cloud will have been updated automatically.)

The malware was apparently capable of harvesting various types of data from infected machines — specifically, Piriform says: the computer name, IP address, list of installed software, list of active software and list of network adapters (data it describes as “non-sensitive”) — transmitting it to a third party computer server located in the US.

“We have no indications that any other data has been sent to the server,” it writes.

“Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done. It would have been an impediment to the law enforcement agency’s investigation to have gone public with this before the server was disabled and we completed our initial assessment,” it added.

A spokeswoman for security giant Avast, which acquired the UK-based company back in July, told us: “We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.”

“We estimate that 2.27 million users had the affected software installed on 32-bit Windows machines,” she further added.

At the time of the acquisition, CCleaner was billed as having 130M users, including 15M on Android. So concerns had been raised about the very large potential number of affected devices.

 

Although it would appear that, in this instance, the illegal payload was only successfully delivered to a small minority of users — and specifically to those using 32-bit Windows PCs.

No people running the tool on Android devices were affected, according to Avast’s spokeswoman.

Piriform’s VP of products has gone into some technical detail regarding the hack here, writing that: “An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.”

He also notes the company first noticed suspicious activity on September 12, 2017, before further investigation revealed “the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public”.

That means some Windows users of CCleaner could have had their machines compromised for more than a month — given the affected versions of the tool were released on August 15 and August 24 respectively.

Piriform added that it estimates these versions “may have been used by up to 3% of our users” — which would push the pool of affected users as high as 3.9M.

Avast’s CTO Ondrej Vlcek declined to speculate on the hackers’ intentions for the data being harvested by the malware — saying he could not comment on account of a law enforcement investigation currently underway.

Asked what additional measures it’s taking to guard against a similar future attack, Vlcek told us: “We are making sure the problem doesn’t happen again by moving the entire Piriform product build environment to a more robust, secure infrastructure provided by Avast.”


So now that Avast has already acquired CCleaner, I think this is a perfect time for everyone to ditch CCleaner because of Avast, and what the heck man? Now the hackers have my IP and other system information that they can use for illegal things. What the heck man, I think my previous CCleaner was 5.33.


There's a quick rundown of most of what's known about the infected version of CCleaner at the following link:
https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/

Keep in mind that this only affected computers that were running 32-bit editions of Windows. The 64-bit version of CCleaner was not affected, and the malicious code would not run on 64-bit versions of Windows.


Latest info from Avast

Quote

First of all, the bottom line is: to the best of our knowledge, no harm was done to any CCleaner users as the threat was removed before it had a chance to fully activate.

Quote

Now, some facts:
- Avast acquired a company (Piriform) which was in the process of being hacked. We have good evidence that the attack started at least several weeks before the acquisition.

https://forum.avast.com/index.php?topic=208612.msg1421249#msg1421249

On 9/19/2017 at 12:04 AM, GT500 said:

There's a quick rundown of most of what's known about the infected version of CCleaner at the following link:
https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/

Keep in mind that this only affected computers that were running 32-bit editions of Windows. The 64-bit version of CCleaner was not affected, and the malicious code would not run on 64-bit versions of Windows.

 

On 9/19/2017 at 12:36 AM, stapp said:

If it affects 32-bit systems, then there is a possibility that it will affect 64-bit systems as well. I still wouldn't trust Avast saying update your CCleaner to the latest V5.4 or V5.5 now to remove the malware. How can one software update remove the actual malware itself? It will remove the hijack program, but the malware still remains on the system. In addition, this was discovered a month after the V5.3 release, and the security got compromised by professional hackers, not one of those script kiddies. We still don't know how many systems' IPs and information those professional hackers stored and what they are going to do with it. Probably use it for illegal stuff, sell it on the underground, or more crazy stuff.

Not very surprised at all that this is the second time Avast has been involved in an incident like this. The first one was when their forum got hacked, and now this.

 

Guest Tempus

If one is unsure whether malware is still running on the system, then just grab your backup and recovery software and restore the system using a secure drive image (from before the compromised version). In other words, a well-thought-through backup software/policy will save the day/your system anytime. Sorry guys, I just saw my chance to draw attention to an important part of security which is often forgotten by many users. Your security software can't always save the day... except Emsisoft of course :D;)

Regards

Tempus

13 hours ago, Tempus said:

If one is unsure whether malware is still running on the system, then just grab your backup and recovery software and restore the system using a secure drive image (from before the compromised version). In other words, a well-thought-through backup software/policy will save the day/your system anytime. Sorry guys, I just saw my chance to draw attention to an important part of security which is often forgotten by many users. Your security software can't always save the day... except Emsisoft of course :D;)

Regards

Tempus

I already did a backup before August 15, which Avast suggested. As of right now, I updated to the latest V5.5 with the new certificate, and I hope this one will not get compromised again. The bad thing is antivirus did not detect CCleaner V5.3 as a threat before this incident spread to the public. Now, when you upload the V5.3 installer to VirusTotal, more than 40 engines detect it as a threat.

21 hours ago, Jerky McDilerino said:

If it affects 32-bit systems, then there is a possibility that it will affect 64-bit systems as well.

According to the analysis done by Cisco's Talos team, the malicious code was not only not present in the 64-bit version of CCleaner, but wouldn't execute on 64-bit editions of Windows even if you ran the 32-bit version of CCleaner on a 64-bit OS.

 

21 hours ago, Jerky McDilerino said:

How can one software update remove the actual malware itself?

Because the malicious code was in the CCleaner executable, so either removing it or replacing it with a clean copy is all that is needed to get rid of the infection.

That being said, Cisco's Talos team has identified that a second-stage payload was indeed installed on at least 20 computers. It appeared to specifically target corporate systems; however, the data from the C&C server from before September 12th was missing (presumably deleted to keep it out of the hands of researchers), so they don't know what happened before September 12th. The scope could have been far larger, and there could have been far more targets than what has thus far been discovered.

 

Obviously, if you had the affected version of CCleaner installed, then take the common precautions of changing passwords just in case.

4 hours ago, GT500 said:

According to the analysis done by Cisco's Talos team, the malicious code was not only not present in the 64-bit version of CCleaner, but wouldn't execute on 64-bit editions of Windows even if you ran the 32-bit version of CCleaner on a 64-bit OS.

 

Because the malicious code was in the CCleaner executable, so either removing it or replacing it with a clean copy is all that is needed to get rid of the infection.

That being said, Cisco's Talos team has identified that a second-stage payload was indeed installed on at least 20 computers. It appeared to specifically target corporate systems; however, the data from the C&C server from before September 12th was missing (presumably deleted to keep it out of the hands of researchers), so they don't know what happened before September 12th. The scope could have been far larger, and there could have been far more targets than what has thus far been discovered.

 

Obviously, if you had the affected version of CCleaner installed, then take the common precautions of changing passwords just in case.

I did a full scan with Emsisoft, Malwarebytes, and Bitdefender Free AV after updating to 5.4 from the 5.33 infected version, and so far they don't detect anything. In addition, I do have a backup of v5.2 from Aug 7, so I used that to restore my system to that stage, and did a scan again with more than 7 different on-demand scanners, and so far they don't detect anything serious besides Dr.Web detecting IObit Uninstaller as a PUP on my system, which I installed on my own, so I can rule that out.

 

 


You should be OK then. Once the infected copy of CCleaner is gone, the infection is gone. So far there's no evidence that a second-stage payload was ever delivered to non-corporate victims.

3 hours ago, GT500 said:

You should be OK then. Once the infected copy of CCleaner is gone, the infection is gone. So far there's no evidence that a second-stage payload was ever delivered to non-corporate victims.

I know man, but I'm worried about what these hackers who harvested my IP and other information are going to do with it. I have very good common sense about security, man, and I managed to get infected :(. CCleaner is supposed to clean our computer junk and optimize it, not add malware and backdoors onto our system. I believe CCleaner V5.4 will be the last version that I will install and run until my trust for CCleaner is restored. I was shocked, scared, and angry when I read the news about CCleaner getting compromised and hackers hiding malware in it. Yet, they still haven't provided these infected users with a removal tool to remove the malware. Not all of us are tech savvy enough to manually delete malware via CMD, Registry Editor, etc.....


> I know man, but I'm worried about what these hackers who harvested my IP and other information are going to do with it

IP - do you mean IP address, or intellectual property? Your IP address is known to every website you browse...

There's no evidence that anything has been harvested off your machine.

 

> Yet, they still haven't provided these infected users with a removal tool to remove the malware.

Whether that's the case or not, if you've not been infected it's irrelevant.

23 hours ago, Jerky McDilerino said:

I know man, but I'm worried about what these hackers who harvested my IP and other information are going to do with it.

Your IP address is in the logs of every website you visit. HTTP servers automatically log that, and quite a bit more, for debugging and statistics purposes. Your IP address isn't generally visible to random visitors to a website, but most forum software (including ours) will show it to administrators and moderators.

 

23 hours ago, Jerky McDilerino said:

I was shocked, scared, and angry when I read the news about CCleaner getting compromised and hackers hiding malware in it.

That's understandable. I imagine it will take a long time for Avast to restore peoples' trust in CCleaner (if it happens at all).

 

23 hours ago, Jerky McDilerino said:

Yet, they still haven't provided these infected users with a removal tool to remove the malware.

That's because it isn't necessary. At least not for the compromised version of CCleaner (there were no other infected files associated with it, only the copy of ccleaner.exe that had the malicious code in it). I haven't seen an analysis of the second-stage payload yet, but it sounds like only large tech companies had to worry about that to begin with, so home users aren't going to need a removal tool. They can just uninstall CCleaner, or install the new version, and the infected copy of ccleaner.exe is gone.

8 hours ago, GT500 said:

At least not for the compromised version of CCleaner (there were no other infected files associated with it, only the copy of ccleaner.exe that had the malicious code in it)

Yes, there were probably no associated infected files. But Floxif probably produces changes in the Internet settings. The screenshot shows the result of testing by a known scanner after infection by this trojan.

 

(attached image: Screenshot_59.png)

14 hours ago, Barsuk said:

Yes, there were probably no associated infected files. But Floxif probably produces changes in the Internet settings. The screenshot shows the result of testing by a known scanner after infection by this trojan.

I haven't read anything specifically about changes to Internet Explorer proxy settings. Regardless, if the settings are for a proxy server at localhost (127.0.0.1), then removing the infected copy of CCleaner would render it harmless. Resetting Internet Explorer settings back to default settings, or manually changing the proxy settings would resolve this without the need for additional malware scanners.


Here's a link to news about the latest information from Avast on who was affected by the second-stage payload:
https://www.bleepingcomputer.com/news/security/avast-publishes-full-list-of-companies-affected-by-ccleaner-second-stage-malware/

For anyone who is curious, Avast has released a full list of files and registry entries related to the compromised version of CCleaner and the second-stage payload that was delivered to certain companies. You can find them at the following link under the section titled "IOCs" (an acronym for "Indicators of Compromise"):
https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident

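The posts above describe three things a home user can verify without a special removal tool: whether the installed CCleaner is one of the affected builds (5.33.6162 or Cloud 1.07.3191), whether the binary's signature is intact after the certificate change, and whether the WinINET/Internet Explorer proxy points at 127.0.0.1, plus whether any of the registry paths from Avast's IOC list are present. The script below is an added example written for this thread; it is not code from the forum, from Piriform or from Avast. The install paths and the IOC placeholder entry are assumptions; copy the real registry paths from the "IOCs" section of Avast's post. It only reads and reports; it changes nothing.

```powershell
# Added triage example (not from the thread, Piriform or Avast). Read-only.
# Run in PowerShell 5.1 or later on the Windows host being checked.

$AffectedBuilds = @([version]'5.33.6162', [version]'1.07.3191')   # versions named in the thread

# Candidate locations of the CCleaner binary. These default paths are an assumption.
$CandidatePaths = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
)

function Test-AffectedBuild {
    # True when major.minor match an affected build and the build number appears in
    # either the Build or the Revision field of the file's version resource.
    param([System.Diagnostics.FileVersionInfo]$Info)
    foreach ($a in $AffectedBuilds) {
        $sameMajorMinor = ($Info.FileMajorPart -eq $a.Major -and $Info.FileMinorPart -eq $a.Minor)
        $buildMatches   = ($Info.FileBuildPart -eq $a.Build -or $Info.FilePrivatePart -eq $a.Build)
        if ($sameMajorMinor -and $buildMatches) { return $true }
    }
    return $false
}

function Get-CCleanerStatus {
    # One record per CCleaner binary found: version, affected-build flag, Authenticode result.
    foreach ($path in $CandidatePaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $info = (Get-Item -LiteralPath $path).VersionInfo
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Path          = $path
            FileVersion   = $info.FileVersion
            AffectedBuild = Test-AffectedBuild -Info $info
            # 'Valid' only proves the file was not altered after it was signed;
            # it says nothing about whether the build environment was clean.
            SigStatus     = $sig.Status
            Signer        = $sig.SignerCertificate.Subject
            Thumbprint    = $sig.SignerCertificate.Thumbprint
        }
    }
}

function Get-LocalhostProxyStatus {
    # WinINET (Internet Explorer) proxy settings for the current user.
    # ProxyServer may be '127.0.0.1:8080' or a per-scheme list 'http=127.0.0.1:8080;https=...'.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $server = [string]$p.ProxyServer
    $local  = $server -match '(^|=|;)\s*(127\.0\.0\.1|localhost)(:\d+)?(;|$)'
    [pscustomobject]@{
        ProxyEnable    = [int]$p.ProxyEnable
        ProxyServer    = $server
        LocalhostProxy = ($p.ProxyEnable -eq 1 -and $local)
    }
}

function Test-RegistryIocs {
    # Supply the registry paths from Avast's IOC list; the default below is a placeholder.
    param([string[]]$IocPaths = @('HKLM:\SOFTWARE\PLACEHOLDER-COPY-FROM-AVAST-IOC-LIST'))
    foreach ($r in $IocPaths) {
        [pscustomobject]@{ RegistryPath = $r; Present = (Test-Path -LiteralPath $r) }
    }
}

Write-Host '== CCleaner binaries =='; Get-CCleanerStatus        | Format-List
Write-Host '== WinINET proxy =='    ; Get-LocalhostProxyStatus  | Format-List
Write-Host '== Registry IOCs =='    ; Test-RegistryIocs         | Format-Table -AutoSize
```

If AffectedBuild comes back true, the remedy the thread describes is simply to uninstall CCleaner or install the current version so the compromised ccleaner.exe is replaced; a LocalhostProxy result of true is resolved by resetting Internet Explorer settings or clearing the proxy entry by hand, as the post above says. The IOC check reports presence only; the registry entries are described in the thread as harmless once the binary is gone, so removing them is optional.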
On 9/25/2017 at 5:51 PM, GT500 said:

Here's a link to news about the latest information from Avast on who was affected by the second-stage payload:
https://www.bleepingcomputer.com/news/security/avast-publishes-full-list-of-companies-affected-by-ccleaner-second-stage-malware/

For anyone who is curious, Avast has released a full list of files and registry entries related to the compromised version of CCleaner and the second-stage payload that was delivered to certain companies. You can find them at the following link under the section titled "IOCs" (an acronym for "Indicators of Compromise"):
https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident

So we should remove those registry entries? Ain't nobody got time for that. They should release a removal tool for those that are affected and infected, because this is their fault, not us consumers' fault. Since Avast already bought Piriform, I think this will kill Piriform for sure, because the majority of people don't like Avast at all, including me. Meanwhile, I already installed V5.35 with the new certificate Piriform upgraded to, so I hope this will increase security a little bit, but I'm too afraid to run it. I probably will look for another safe alternative junk cleaner like Wise Care until my trust for CCleaner returns, which is going to be a while.

Now to the main question after the CCleaner compromise incident. Should we trust official publisher sites at all? Antivirus didn't treat CCleaner as a threat until Piriform and Avast announced that CCleaner V5.33 free and premium got compromised and hackers hid malware in it.

 

21 hours ago, Jerky McDilerino said:

So we should remove those registry entries?

They're harmless. You can remove them if you want, otherwise you will see no impact from them being there.

 

21 hours ago, Jerky McDilerino said:

Should we trust official publisher sites at all?

Download portals redistributed the same infected copy of CCleaner that was on the CCleaner website, so whether you got it from the software publisher or not would have been irrelevant in this case.

I think this incident might cause security researchers and analysts to scrutinize legitimate tools a little more closely. Perhaps some software development companies may even set up automated analysis environments that can tell them if their software is doing anything unexpected.


The slapping going on between Avast, Talos and other people is really what upsets me. None wants to step back and talk about facts. People are saying "Avast lied about the part where they said no CCleaner has got the second payload" when Avast in their latest blog stated only 40 systems (most in big tech firms) did get the second payload, and that too based on geological locations.

Also, when I heard an Emsisoft employee say in public "Avast is going to get a lot of shit for this and they totally deserve it" or something along those lines, I was terrified and disgusted. Dirty marketing cash-in.

So you share intel and samples among other vendors, and when someone suffers a setback one of your employees comes out bad mouthing, trying a dirty cashing in on the event without checking the facts that the Avast and Piriform infrastructure was different and Piriform was under attack even before Avast bought it. Avast never changed Piriform's dynamics (probably company ethics).

Honestly, I expected much better from someone who is in the squad circle. I won't name names in public, but even if it is a personal opinion, being an employee of an esteemed company like Emsisoft and bad mouthing other vendors is not professional by any standards. Especially when you have people like Fabian and polartoffee.

We have to fight against criminals, not against each other. People are forgetting morals.

On 9/29/2017 at 3:06 PM, True Indian said:

... when someone suffers a setback one of your employees comes out bad mouthing, trying a dirty cashing in on the event ...

Everyone has their own opinions. We don't restrict our employees from expressing those opinions in their personal time. Obviously we try to remain professional when officially representing Emsisoft, and if you feel that one of our support personnel isn't acting professionally then feel free to let either myself or David know in a Private Message.

Personally I didn't say most of what I was thinking, simply because it would have looked like we were trying to capitalize on this unfortunate incident. As far as I'm concerned, what I think about Avast or Piriform isn't relevant to helping users who are concerned about this issue. If I have verifiable information about them that is relevant to the issue at hand, then I will present that, however anything else isn't necessary to post publicly (at least not through official Emsisoft support channels) unless someone specifically asks me for my opinion.


It's not about any person I know from this very forum. I can say that for sure. You guys are awesome, don't get me wrong, and Emsisoft is a great company too, but this is something I find upsetting personally, but I am not out here to pick and scratch. No names as usual, just my moral code. 😊

Yes, we do have verifiable info, but as I said it's verifiable, not merely assumed or claimed without checking the facts, as was done by that person. Half knowledge is dangerous, especially when you have an audience. It's not even about Avast as a company but about CCleaner. I don't know what they were doing; when I am asked I don't have to lie, and it isn't even the first time something like this happened: Avira's website hijack, Kaspersky and privacy issues with the US, Comodo signing malware binaries. I think some of this is being blown out of proportion by security companies and given too much hype.

I am sure Talos and some other people in the industry wouldn't come trying to roast Piriform if it had never been acquired by Avast.

Also, I find it too much to format a computer even if my system was profiled. What if I even format? The data was still stolen and there is no way to reverse that. A really extreme recommendation from Talos considering there were hardly 40 systems that got the second payload, and most of them belong to tech IT firms, not home users. As I said, too much hype.

My end opinion is that if you share intel with each other and talk at big events, you can also help each other in rough times. The constant slapping back and forth between Talos and Avast was unfortunate, and a lot of us won't agree with Talos' extreme recommendations.

3 hours ago, True Indian said:

I am sure Talos and some other people in the industry wouldn't come trying to roast Piriform if it had never been acquired by Avast.

If there was a legitimate security concern regarding how Piriform's systems were configured (and in this case there clearly was), then I'm sure Talos would have mentioned it regardless of who was in charge of Piriform. Such statements serve as a general warning to other companies that they need to maintain the security of their systems, and that when they purchase another company they should do a security audit to make sure that their new acquisition is up to their own security standards.

Also, keep in mind that the CCleaner incident wasn't the only bad security news that hit Avast recently. Malware was being served from Avast-owned IP addresses over the summer (or winter in the southern hemisphere) as well, although it now sounds like those IP addresses were part of a VPN that Avast owns, and it was a user abusing their VPN service, however that was not originally known and certainly made Avast look even worse than they already did while the whole CCleaner investigation was ongoing.

On 10/5/2017 at 5:33 PM, GT500 said:

If there was a legitimate security concern regarding how Piriform's systems were configured (and in this case there clearly was), then I'm sure Talos would have mentioned it regardless of who was in charge of Piriform. Such statements serve as a general warning to other companies that they need to maintain the security of their systems, and that when they purchase another company they should do a security audit to make sure that their new acquisition is up to their own security standards.

Also, keep in mind that the CCleaner incident wasn't the only bad security news that hit Avast recently. Malware was being served from Avast-owned IP addresses over the summer (or winter in the southern hemisphere) as well, although it now sounds like those IP addresses were part of a VPN that Avast owns, and it was a user abusing their VPN service, however that was not originally known and certainly made Avast look even worse than they already did while the whole CCleaner investigation was ongoing.

Wow, that looks really bad for Avast, and that is why I don't use their software at all. Also, since when does CCleaner put a bundle onto their installer? :blink:

 


You have no control over what a user does with your product... no, it doesn't make anything worse. It's definitely not the first and definitely not the last; it can happen to anyone. Even if Emsisoft had a VPN, we would have no control over what a user does with it. I don't understand what sense it makes with the bypass; I am sure there are other VPN products that are being abused for wrong purposes by some users. Don't forget TOR as a browser. Even that is being used for wrong purposes, so do you say their company is bad or it makes them look any worse?

It's not about the gun, it's the person behind the gun. That symbol's meaning is up to the person who wears or uses it.

Anyway, I will leave you to your thoughts.

 

On 10/7/2017 at 12:08 AM, Jerky McDilerino said:

Also, since when does CCleaner put a bundle onto their installer?

I think they've been bundling stuff with the installer for a few years now. I believe it was just Google Chrome the last time I ran their installer, but I didn't pay that much attention. I just clicked the opt-out option and continued with the install.
