CCleaner Hack and what to do about it

HiFiKabin
Community Team Member
Posts: 2303
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

CCleaner Hack and what to do about it

Post by HiFiKabin » Wed Sep 20, 2017 6:53 pm

You may or may not know that 2 days ago CCleaner was discovered to be piggybacked with a malware load.
Issue Summary: Our new parent company, the security company Avast, determined on the 12th of September that the 32-bit version of our CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner. Piriform CCleaner v5.33.6162 was released on the 15th of August, and a regularly scheduled update to CCleaner, without compromised code, was released on the 12th of September. CCleaner Cloud v1.07.3191 was released on the 24th of August, and updated with a version without compromised code on September 15. The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server.

Full Article

###############################

New version available

v5.35.6210 (20 Sep 2017)
– All builds signed with new Digital Signatures

Previous Versions before Avast takeover

http://download.piriform.com/ccsetup532.exe
http://download.piriform.com/ccsetup532.zip

Full Article

##########################
If your CCleaner version is before version 5.33.6162, then you are not affected, and you should manually download the latest version now. If that version is 5.34 or later, your current version isn’t affected, but if you updated CCleaner in between August 15th and September 12th, and are on a 32-bit system, you may still have been affected. (If you’re comfortable going into the registry, you can open Registry Editor and navigate to HKLM\SOFTWARE\Piriform and see if there is a key labelled Agomo:MUID . If that key exists, it means you had the infected software on your system at one point in time.)

While nothing immediately harmful was discovered, Cisco Talos recommends restoring your system to a state before August 15, 2017 from a backup if you were affected. You should probably run an antivirus and MalwareBytes scan on your system and your backups to ensure no malware is left installed.
Full Article

HiFiKabin
Community Team Member
Posts: 2303
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: CCleaner Hack and what to do about it

Post by HiFiKabin » Thu Sep 21, 2017 11:18 am

Latest Update
Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that the files were very likely genuine based upon the web server configuration files and the fact that our research activity was reflected in the contents of the MySQL database included in the archived files.

In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.
Source

So it seems that they were after the big boys, but if I had a 32-bit machine and had the compromised CCleaner I would restore to a previous image (NOT just a restore point) or reinstall Windows. Better safe than sorry, you don't know what else they may be up to.

3Di
Registered User
Posts: 11867
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milano - Frankfurt
Name: Marco

Re: CCleaner Hack and what to do about it

Post by 3Di » Thu Sep 21, 2017 11:24 am

I had a version like 5.13.blah installed (not used for ages).

The good thing CCleaner has is that you can uninstall it directly from itself: done. :geek: :)

HiFiKabin
Community Team Member
Posts: 2303
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: CCleaner Hack and what to do about it

Post by HiFiKabin » Thu Sep 21, 2017 12:01 pm

Cisco and security firm Kaspersky have both pointed out that the malware element in the tainted version of CCleaner shares some code with a sophisticated hacking group known as Group 72, or Axiom, which security firm Novetta named a Chinese government operation in 2015.

Cisco concedes that code reuse alone doesn't represent a definitive link between the CCleaner attack and Axiom, not to mention China. But it also notes that one configuration file on the attackers' server was set for China's time zone—while still acknowledging that's not enough for attribution.
Source

HiFiKabin
Community Team Member
Posts: 2303
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: CCleaner Hack and what to do about it

Post by HiFiKabin » Thu Sep 21, 2017 12:03 pm

3Di wrote:
Thu Sep 21, 2017 11:24 am
I had a version like 5.13.blah installed (not used for ages).

The good thing CCleaner has is that you can uninstall it directly from itself: done. :geek: :)
... BUT if it has deposited any DLLs you may have problems in the future. To be safe

Open Registry Editor and navigate to HKLM\SOFTWARE\Piriform and see if there is a key labelled Agomo:MUID . If that key exists, it means you had the infected software on your system at one point in time.
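The registry check quoted here and in the first post, together with the first post's version and signature points, as an added PowerShell check for one Windows host (not code from the thread, Piriform or Avast). It assumes CCleaner.exe sits under Program Files, that the marker lives under HKLM\SOFTWARE\Piriform (checked both as a value named Agomo:MUID and as an Agomo subkey holding MUID, since the post is ambiguous), and it also looks under WOW6432Node, where 64-bit Windows redirects 32-bit software's registry writes.

```powershell
# Added example, not from the thread or from Piriform/Avast. Assumed paths:
# CCleaner.exe under Program Files; marker under HKLM\SOFTWARE\Piriform
# (and WOW6432Node on 64-bit Windows), as a value "Agomo:MUID" or a subkey
# "Agomo" holding "MUID".

function Test-PeIs32Bit([string]$Path) {
    # IMAGE_FILE_HEADER.Machine == 0x014c (i386) means a 32-bit build,
    # which is the build the thread says carried the payload.
    $b        = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($b, 0x3C)
    $machine  = [BitConverter]::ToUInt16($b, $peOffset + 4)
    return ($machine -eq 0x014c)
}

function Get-AgomoMarker {
    foreach ($root in 'HKLM:\SOFTWARE\Piriform', 'HKLM:\SOFTWARE\WOW6432Node\Piriform') {
        $p = Get-ItemProperty -Path $root -Name 'Agomo:MUID' -ErrorAction SilentlyContinue
        if ($p) { return "$root\Agomo:MUID" }
        $p = Get-ItemProperty -Path "$root\Agomo" -Name 'MUID' -ErrorAction SilentlyContinue
        if ($p) { return "$root\Agomo\MUID" }
    }
    return $null
}

$candidates = @("$env:ProgramFiles\CCleaner\CCleaner.exe",
                "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe")
foreach ($exe in $candidates | Where-Object { Test-Path $_ }) {
    $vi  = (Get-Item $exe).VersionInfo
    $ver = "$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
    $sig = Get-AuthenticodeSignature -FilePath $exe   # 5.35 ships with new signatures
    Write-Host "$exe"
    Write-Host "  file version : $ver  (compromised release: 5.33 build 6162)"
    Write-Host "  32-bit build : $(Test-PeIs32Bit $exe)"
    Write-Host "  signature    : $($sig.Status) by $($sig.SignerCertificate.Subject)"
    # Flag the 5.33 line on any architecture; the reader compares the build number.
    if ($vi.FileMajorPart -eq 5 -and $vi.FileMinorPart -eq 33) {
        Write-Warning "Version 5.33 present: compare the build number against 6162 and update."
    }
}

$marker = Get-AgomoMarker
if ($marker) { Write-Warning "Marker found at $marker : the compromised build ran on this host at some point." }
else         { Write-Host    "No Agomo:MUID marker under HKLM\SOFTWARE\Piriform." }
```

Run it from an elevated PowerShell prompt. The marker only tells you whether the compromised build ever ran, which is what decides whether the restore-from-image advice in this thread applies; it says nothing about what else may have been left behind.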

3Di
Registered User
Posts: 11867
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milano - Frankfurt
Name: Marco

Re: CCleaner Hack and what to do about it

Post by 3Di » Thu Sep 21, 2017 12:25 pm

Sure thing, I did it before.
I read the whole topic and external links even if my version was very dated (.13.), thanks. ;)

HiFiKabin
Community Team Member
Posts: 2303
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: CCleaner Hack and what to do about it

Post by HiFiKabin » Thu Sep 21, 2017 3:29 pm

:oops: that'll teach me not to skim read :roll:

Mick
Support Team Member
Posts: 18119
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: CCleaner Hack and what to do about it

Post by Mick » Fri Sep 22, 2017 8:14 am

I’m not surprised this has happened; there was another cleaner/scrubber a few years ago, the name I can’t remember right now. It promised to clean up/speed up your fixed disk and scrub it to CIA & FBI standards. It **appeared** to do just that (not the speeding up bit, that’s hogwash), as the display said everything was clean after running it for hours, but the only thing it didn’t tell you about was all the malware it deposited on your drive. I doubt any of the cleaners available do much, and they aren’t worth the aggravation IMHO.
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.
Forza Garibaldi

kinerity
Registered User
Posts: 1151
Joined: Mon Sep 01, 2014 1:00 am
Name: Kailey Truscott

Re: CCleaner Hack and what to do about it

Post by kinerity » Fri Sep 22, 2017 1:10 pm

Looks like it was a targeted attack - https://www.neowin.net/news/the-ccleaner-malware-targeted-tech-firms-like-microsoft-and-google
according to new evidence, the attack may have infected the internal networks of technology giants like Google, Microsoft, and Sony. Initial findings suggest at least 18 such companies were targeted.

thecoalman
Former Team Member
Posts: 2330
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: CCleaner Hack and what to do about it

Post by thecoalman » Sat Sep 23, 2017 10:00 am

Mick wrote:
Fri Sep 22, 2017 8:14 am
I’m not surprised this has happened; there was another cleaner/scrubber a few years ago, the name I can’t remember right now. It promised to clean up/speed up your fixed disk and scrub it to CIA & FBI standards. It **appeared** to do just that (not the speeding up bit, that’s hogwash), as the display said everything was clean after running it for hours, but the only thing it didn’t tell you about was all the malware it deposited on your drive. I doubt any of the cleaners available do much, and they aren’t worth the aggravation IMHO.
CCleaner is not a junk tool and has had an extremely good reputation for many years now; this is a very unfortunate incident for them. The company that makes it offers a few other tools that are also widely used, like Recuva for recovery of deleted files. Its most basic function is to remove unneeded files to free up disk space. It does a much better job than the built-in Windows functions and everything is all in one place for temp system files, browser files, application files etc. Everything is configurable.

Additional things it will do include a "Registry cleaner" (which should be avoided), disk wiping of free space, a duplicate file finder, etc. The duplicate file finder is an excellent tool if, for example, you are one of these people with six gazillion duplicate image files.

HiFiKabin
Community Team Member
Posts: 2303
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: CCleaner Hack and what to do about it

Post by HiFiKabin » Sat Sep 23, 2017 3:34 pm

Yes, it is (was) a great tool. I hope Avast doesn't eventually bloat it with crapware.

John connor
Registered User
Posts: 1376
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Re: CCleaner Hack and what to do about it

Post by John connor » Sun Sep 24, 2017 8:17 pm

I haven't updated Ccleaner in ages and still use 4.xx. There's really no need to update anyway. It will do the same thing, i.e. try to delete temp files. I never use the registry cleaner as that is just snake oil. It's good when you are manually removing a program though and need to wipe out registry settings. But you can just use Revo Uninstall to do that. I ran Ccleaner's free space wiper and then ran Recuva and was still able to retrieve my files. There's a better program called Eraser. In addition to Ccleaner I use System Ninja, which will find way more crap than Ccleaner.

The only reason why Ccleaner got a malicious payload was lack of security at their servers. They should have been monitoring their access logs at least.

BizimPencere
Registered User
Posts: 396
Joined: Sat Aug 25, 2007 8:31 pm

Re: CCleaner Hack and what to do about it

Post by BizimPencere » Mon Oct 09, 2017 11:45 pm

Thanks for the info.
