The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.
Problems? See this thread at archive.org.

    Hackers Hid Backdoor In CCleaner Security App With 2 Billion Downloads -- 2.3 Million Infected

    Discussion in 'Security and Anti-Virus Software' started by Tinderbox (UK), Sep 18, 2017.

  1. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    Reputations:
    4,745
    Messages:
    8,513
    Likes Received:
    3,823
    Trophy Points:
    431
  2. aaronne

    aaronne Notebook Evangelist

    Reputations:
    321
    Messages:
    466
    Likes Received:
    524
    Trophy Points:
    106
  3. Arrrrbol

    Arrrrbol Notebook Deity

    Reputations:
    3,235
    Messages:
    707
    Likes Received:
    1,054
    Trophy Points:
    156
    You and me both, seems we dodged the bullet there. Now I have a real reason to be lazy and not update any of my programmes.
     
  4. Token CDN

    Token CDN Notebook Evangelist

    Reputations:
    191
    Messages:
    311
    Likes Received:
    322
    Trophy Points:
    76
    Well… that's a little annoying
     
  5. Vasudev

    Vasudev Notebook Nobel Laureate

    Reputations:
    12,045
    Messages:
    11,278
    Likes Received:
    8,815
    Trophy Points:
    931
    @Phoenix Uninstall CCleaner now and re-install the new version.
     
    Papusan and Mr. Fox like this.
  6. Vistar Shook

    Vistar Shook Notebook Deity

    Reputations:
    2,761
    Messages:
    1,256
    Likes Received:
    1,362
    Trophy Points:
    181
    Also, it affected only the 32-bit version, or so they claim.
     
    Vasudev likes this.
  7. Vasudev

    Vasudev Notebook Nobel Laureate

    Reputations:
    12,045
    Messages:
    11,278
    Likes Received:
    8,815
    Trophy Points:
    931
    Since x64 can run x86 apps thanks to WinSxS, I wouldn't trust it; update to the latest one ASAP. I have a copy of the slim version of CCleaner in hand in case Avast messes up CCleaner.
     
  8. Ashtrix

    Ashtrix ψυχή υπεροχή

    Reputations:
    2,376
    Messages:
    2,081
    Likes Received:
    3,281
    Trophy Points:
    281
    5.33.6162, which was released on Aug 15, is affected, and if the 32-bit exe is executed during the installation process you might be compromised. Check under HKLM\SOFTWARE\Piriform\Agomo: if this "Agomo" is present with the 2 keys MUID and TCID, you are affected. The only way is to update the installation or try to install a virus removal tool.

    I was running the affected version, the 64-bit one though; thankfully that registry entry doesn't exist. Updated to the .34 (CCleaner itself asked for the update). No restore point or backup, didn't observe any activity on GPU or CPU idling... So hopefully I'm good.
     
  9. ShotOfB12

    ShotOfB12 Notebook Consultant

    Reputations:
    16
    Messages:
    159
    Likes Received:
    89
    Trophy Points:
    41
    Whew laddy **** me huh?

    Version 5.33.6162 was illegally modified and I got it. I don't know if I had the 32-bit version since I quickly uninstalled it using Revo Uninstaller, but I didn't see Agomo in my registry.
     
  10. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    Reputations:
    4,745
    Messages:
    8,513
    Likes Received:
    3,823
    Trophy Points:
    431
    Vasudev, 6730b and Ashtrix like this.
  11. Spartan@HIDevolution

    Spartan@HIDevolution Company Representative

    Reputations:
    39,604
    Messages:
    23,561
    Likes Received:
    36,864
    Trophy Points:
    931
    I don't have the Piriform registry entry which you mentioned to start off with. Maybe because I am always running the portable version.

    Also, my NOD32's HTTP Scanner didn't ever warn me about any malicious connections, but I redownloaded it just in case to have the latest clean version.
     
    Papusan, hmscott and Ashtrix like this.
  12. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    Reputations:
    4,745
    Messages:
    8,513
    Likes Received:
    3,823
    Trophy Points:
    431
    I have Avast Premier and it says the v5.33 file is clean? Waste of money or what.

    John.
     
  13. Ashtrix

    Ashtrix ψυχή υπεροχή

    Reputations:
    2,376
    Messages:
    2,081
    Likes Received:
    3,281
    Trophy Points:
    281
    It says that perhaps because of the certificate, digitally signed by Symantec Corp for Piriform (bought by Avast recently) and valid until 10/10/2018, the whole development and delivery channel of their software infrastructure seems compromised. A very skillful hack, and a nasty one. Better I uninstall the .34 too for the time being with Revo, though the malware ran only on the 32-bit systems for the botnet.
     
  14. ShotOfB12

    ShotOfB12 Notebook Consultant

    Reputations:
    16
    Messages:
    159
    Likes Received:
    89
    Trophy Points:
    41
    Anyone have an idea why they targeted 32-bit systems?
     
  15. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    Fortunately it was only the 32 bit version that was infected, and not the 64 bit version I use and recommend, and I missed that infected version completely. I've updated to the current 5.34 64 bit edition.

    Here is the apology, non-technical and technical explanation by Piriform:

    Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
    https://www.piriform.com/news/blog/...eaner-cloud-v1073191-for-32-bit-windows-users

    "PAUL YUNG - VP, Products

    Dear CCleaner customers, users and supporters,

    We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process.

    We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update.

    In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm."

    Further technical info is included, worth checking out...

    "Again, we would like to apologize for any inconvenience this incident could have caused to our clients; we are taking detailed steps internally so that this does not happen again, and to ensure your security while using any of our Piriform products. Users of our cloud version have received an automated update.

    For all other users, if you have not already done so, we encourage you to update your CCleaner software to version 5.34 or higher, the latest version is available for download here. "
     
    Tinderbox (UK) likes this.
  16. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Reputations:
    42,712
    Messages:
    29,847
    Likes Received:
    59,649
    Trophy Points:
    931
  17. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    The Talos article is worth reading in detail:

    CCleaner Command and Control Causes Concern
    http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

    Another report on the overall situation:

    THE CCLEANER MALWARE FIASCO TARGETED AT LEAST 20 SPECIFIC TECH FIRMS
    https://www.wired.com/story/ccleaner-malware-targeted-tech-firms/
    "...On Wednesday, researchers at Cisco's Talos security division revealed that they've now analyzed the hackers' "command-and-control" server to which those malicious versions of CCleaner connected.

    On that server, they found evidence that the hackers had attempted to filter their collection of backdoored victim machines to find computers inside the networks of 20 tech firms, including Intel, Google, Microsoft, Akamai, Samsung, Sony, VMware, HTC, Linksys, D-Link and Cisco itself.

    In about half of those cases, says Talos research manager Craig Williams, the hackers successfully found a machine they'd compromised within the company's network, and used their backdoor to infect it with another piece of malware intended to serve as a deeper foothold, one that Cisco now believes was likely intended for industrial espionage.

    "When we found this initially, we knew it had infected a lot of companies," says Williams. "Now we know this was being used as a dragnet to target these 20 companies worldwide...to get footholds in companies that have valuable things to steal, including Cisco unfortunately."
    Talos EP 13: A Vast CCleanup, Strutting Your Stuff, and the Ex$ploit Economy Podcast...
    http://blog.talosintelligence.com/2017/09/beers-with-talos-ep-13a-vast-ccleanup.html

    Earlier Talos post:

    CCleanup: A Vast Number of Machines at Risk
    http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

    I've checked my systems, even though I didn't have the 5.33 version 32 bit installer that was infected, and didn't find any registry traces.

    CCleaner Command and Control Causes Concern
    http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

    Below are indicators of compromise associated with this attack.
    Installer on the CC: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83 (GeeSetup_x86.dll)

    64-bit trojanized binary: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f (EFACli64.dll)

    32-bit trojanized binary: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902 (TSMSISrv.dll)

    DLL in registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a

    Registry Keys:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

    Stage 2 Payload (SHA256):

    dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83

    CCleaner Malware Infects Big Tech Companies With Second Backdoor
    Wednesday, September 20, 2017 Mohit Kumar
    http://thehackernews.com/2017/09/ccleaner-malware-hacking.html
    Removing Malicious CCleaner Version would Not Help
    "Just removing the Avast's software application from the infected machines would not be enough to get rid of the CCleaner second stage malware payload from their network, with the attackers' still-active C2 server.

    So, affected companies that have had their computers infected with the malicious version of CCleaner are strongly recommended to fully restore their systems from backup versions before the installation of the tainted security program.
    "These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system," the researchers say.

    For those who are unaware, the Windows 32-bit version of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were affected by the malware, and affected users should update the software to version 5.34 or higher."
    Piriform Notifications

    Thursday, September 21, 2017
    Update to the CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 Security Notification
    http://www.piriform.com/news/blog/2...ccleaner-cloud-v1073191-security-notification

    Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
    https://forum.piriform.com/index.php?showtopic=48868

    Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
    http://www.piriform.com/news/blog/2...eaner-cloud-v1073191-for-32-bit-windows-users

    CCleaner v5.35
    http://www.piriform.com/news/release-announcements/2017/9/20/ccleaner-v535

    Avast Notifications

    Progress on CCleaner Investigation
    https://blog.avast.com/progress-on-ccleaner-investigation

    Update to the CCleaner 5.33.6162 Security Incident
    https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident
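
    The Agomo check from post 8 and the Talos registry and file indicators quoted in this post can be run as one read-only triage pass on a Windows host. The PowerShell script below is an added example, not code from the thread, Piriform, Avast or Talos; the CCleaner install path and the scan roots are assumptions to adjust per machine, and it must run elevated to read HKLM.

```powershell
# Added triage example for the CCleaner 5.33.6162 indicators quoted in this thread.
# Assumptions: runs elevated on the host being checked; $CCleanerExe and $ScanRoots
# are guesses, not values from the thread, and should be adjusted per machine.
param(
    [string]$CCleanerExe = "$env:ProgramFiles\CCleaner\CCleaner.exe",
    [string[]]$ScanRoots = @("$env:SystemRoot\System32", "$env:ProgramFiles")
)

$findings = @()

# 1. Stage-1 marker from post 8: HKLM\SOFTWARE\Piriform\Agomo holding MUID and TCID.
$agomo = 'HKLM:\SOFTWARE\Piriform\Agomo'
if (Test-Path $agomo) {
    $vals = Get-ItemProperty -Path $agomo
    foreach ($name in 'MUID', 'TCID') {
        if ($null -ne $vals.$name) { $findings += "Registry value present: $agomo\$name" }
    }
}

# 2. Stage-2 persistence keys listed by Talos (WbemPerf\001-004 and HBP).
$wbem = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf'
foreach ($sub in '001', '002', '003', '004', 'HBP') {
    if (Test-Path "$wbem\$sub") { $findings += "Registry key present: $wbem\$sub" }
}

# 3. Installed build check: the trojanized 32-bit build is 5.33.6162.
if (Test-Path $CCleanerExe) {
    $ver = (Get-Item $CCleanerExe).VersionInfo.FileVersion
    if ($ver -like '5.33*') { $findings += "CCleaner $ver at $CCleanerExe (affected build)" }
    else { Write-Host "CCleaner $ver at $CCleanerExe" }
}

# 4. SHA256 hashes from the Talos indicator list, compared lowercased.
$badHashes = @{
    'dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83' = 'GeeSetup_x86.dll / stage-2 payload'
    '128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f' = 'EFACli64.dll (64-bit trojanized)'
    '07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902' = 'TSMSISrv.dll (32-bit trojanized)'
}
$names = 'GeeSetup_x86.dll', 'EFACli64.dll', 'TSMSISrv.dll'
foreach ($root in $ScanRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include $names -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            if ($badHashes.ContainsKey($h)) {
                $findings += "Known-bad file: $($_.FullName) [$($badHashes[$h])]"
            } else {
                Write-Host "Name match but hash not on the IoC list: $($_.FullName)"
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Host 'No CCleaner indicators found on this host.'
} else {
    Write-Host "INDICATORS FOUND ($($findings.Count)); per Talos, reimage or restore from backup:"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

    A clean result only means none of these specific indicators are present; Talos's guidance for machines that ran the affected build is to restore from backup or reimage rather than rely on removal.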
     
  18. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Reputations:
    42,712
    Messages:
    29,847
    Likes Received:
    59,649
    Trophy Points:
    931
    Yees. Free download of, yeah you know :D
     
  19. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    There are 10k's of free applications, any one of which can be infected at many points in distribution.

    It's happened before, and it'll happen again. It's also happened with paid applications.

    All you can do is to be informed about the products you use and clear out the infection or avoid it if you aren't infected when you hear about it, and move forward with a new non-infected release.
     
    Last edited: Sep 22, 2017
    Starlight5 and ShotOfB12 like this.
  20. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Reputations:
    42,712
    Messages:
    29,847
    Likes Received:
    59,649
    Trophy Points:
    931
    Friday, September 22, 2017
    CCleaner Malware Attack Was Aimed At Critical Internet Infrastructure Vendors Like Google And Microsoft-Hothardware.com

    "The real target of this attack is now thought to have been major tech firms like Microsoft, Google, Samsung, Sony, Intel and others according to the Talos threat intelligence team from Cisco. Ironically, Cisco was on that list of major tech firms that the hackers now appear to have been actually aiming for. The big takeaway here is that many of the companies that are believed to be targets are companies that help make the internet work. Let that sink in for a bit: the CCleaner hack could be much more serious than originally thought."
     
    hmscott likes this.
  21. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    Reputations:
    4,745
    Messages:
    8,513
    Likes Received:
    3,823
    Trophy Points:
    431
    hmscott likes this.
  22. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Reputations:
    42,712
    Messages:
    29,847
    Likes Received:
    59,649
    Trophy Points:
    931
    Last edited: Sep 22, 2017
    Tinderbox (UK) and hmscott like this.
  23. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    Coincidentally, the file they used as their example tested by VirusTotal, which showed 0 out of 65 engines found malware, was the infected CCleaner 5.33 file :)

    New infections, with malware code that is undetectable, are the goal of a new hack, so it's unlikely any of those detections will help until the malware is detected by humans and new detections specific to the found hack are added to the detection engines.

    VirusTotal didn't find the malware in their test example "ccleaner 5.33" used as the article's example; 0 out of 65 detection engines found malware, as noted in the article:

    "The “0/65” means the file was detected as malicious by 0 of VirusTotal’s 65 antivirus engines. This means it should be clean.

    Of course, it’s possible that new and exotic malware may not be detected by any antivirus programs yet, so it’s always a good idea to be careful and only get software from sources you trust.

    (In fact, not two days after publishing this article, our example file—CCleaner 5.33—was found to contain malware. A perfect example of how VirusTotal, while useful, isn’t perfect!)"
     
    Last edited: Sep 22, 2017
  24. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Reputations:
    42,712
    Messages:
    29,847
    Likes Received:
    59,649
    Trophy Points:
    931
    As Howtogeek.com stated... "This is no substitute for basic online security practices that can keep you safe from phishing and other threats, but it’s a way to perform a more in-depth check if you’re concerned about a file." As well, all AV software will struggle in the beginning. All know this!! My golden rules... First, never update on the first day... Second, if you can... never turn on automatic updates!! Something similar can be said about new hardware as well.
     
    Last edited: Sep 22, 2017
    hmscott likes this.
  25. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    Reputations:
    4,745
    Messages:
    8,513
    Likes Received:
    3,823
    Trophy Points:
    431
    hmscott likes this.
  26. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    It's probably a good idea to keep a list of the detection engines that have and have not detected a problem at this point. The ones that are detecting malware have updated quickly, the others are lagging behind.

    Can you please post that list?
     
  27. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    Additional information regarding the recent CCleaner APT security incident
    https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident

    "New analysis from the Avast Threat Labs

    We would like to update our customers and the general public on the latest findings regarding the investigation of the recent CCleaner security incident. As published in our previous blog posts (here and here), analysis of the CnC server showed that the incident was in fact an Advanced Persistent Threat (APT) attack, targeting specific high-tech and telecommunications companies. That is, despite the fact that CCleaner is a consumer product, the purpose of the attack was not to attack consumers and their data; instead, the CCleaner customers were used to gain access to corporate networks of select large enterprises.

    Today, we are going to disclose new facts about the incident that we received since the last public update."
     
  28. StormJumper

    StormJumper Notebook Virtuoso

    Reputations:
    579
    Messages:
    3,537
    Likes Received:
    488
    Trophy Points:
    151
    Oh, joy that makes me really happy...to keep using the software...I kept 2.32 version and will stay there now and keep auto update off.
     
    hmscott likes this.
  29. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    7,110
    Messages:
    20,384
    Likes Received:
    25,139
    Trophy Points:
    931
    There is no auto-update, only automatically "check" for updates available, so no worries, leave that on and you will know when new updates are available. :)

    "To check for updates to CCleaner automatically:
    1. In CCleaner, click the Options icon at left, and then click the Settings button.
    2. Select Automatically check for updates to CCleaner.
    Note: Function “Automatically check for updates” is set to check for new updates every 10 days. The frequency of update checks cannot be changed. You can always check for updates manually."

    Also, the updates bring support for cleaning new applications. If you aren't installing new applications since version 2.32 came out (wow!), then no worries, otherwise you'll want to stay up to date.

    There's also a 3rd party utility called "ccenhancer" that loads close to 1000 application entries for cleaning to the base product:

    ccenhancer
    https://singularlabs.com/software/ccenhancer/

    "CCEnhancer is a small tool which adds support for over 1,000 new programs into the popular program CCleaner. The tool uses the winapp2.ini system built into CCleaner to easily add new rules and definitions for programs. The rules were sourced mainly from the Piriform Support Forum, with several sourced from other places around the internet."
     
    Papusan likes this.