CCleaner Hack and what to do about it

[HiFiKabin]

You may or may not know that 2 days ago CCleaner was discovered to be piggybacked with a malware load.

Issue Summary: Our new parent company, the security company Avast, determined on the 12th of September that the 32-bit version of our CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner. Piriform CCleaner v5.33.6162 was released on the 15th of August, and a regularly scheduled update to CCleaner, without compromised code, was released on the 12th of September. CCleaner Cloud v1.07.3191 was released on the 24th of August, and updated with a version without compromised code on September 15. The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server.

Full Article

###############################

New version available

v5.35.6210 (20 Sep 2017)
– All builds signed with new Digital Signatures

Previous Versions before Avast takeover

http://download.piriform.com/ccsetup532.exe
http://download.piriform.com/ccsetup532.zip

Full Article

##########################

If your CCleaner version is before version 5.33.6162, then you are not affected, and you should manually download the latest version now. If that version is 5.34 or later, your current version isn’t affected, but if you updated CCleaner in between August 15th and September 12th, and are on a 32-bit system, you may still have been affected. (If you’re comfortable going into the registry, you can open Registry Editor and navigate to HKLM\SOFTWARE\Piriform and see if there is a key labelled Agomo:MUID . If that key exists, it means you had the infected software on your system at one point in time.)

While nothing immediately harmful was discovered, Cisco Talos recommends restoring your system to a state before August 15, 2017 from a backup if you were affected. You should probably run an antivirus and MalwareBytes scan on your system and your backups to ensure no malware is left installed.

Full Article

[HiFiKabin]

Latest Update

Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that the files were very likely genuine based upon the web server configuration files and the fact that our research activity was reflected in the contents of the MySQL database included in the archived files.

In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.

Source

So it seems that they were after the big boys, but if I had a 32 bit machine and had the compromised CCleaner I would restore to a previous image (NOT just a restore point) or re install Windows. Better safe than sorry, you don't know what else they may be up to.

[3Di]

I had a version like 5.13.blah installed (not used since ages).

The right thing CCleaner has it is you can uninstall it directly from it: done.

[HiFiKabin]

Cisco and security firm Kaspersky have both pointed out that the malware element in the tainted version of CCleaner shares some code with a sophisticated hacking group known as Group 72, or Axiom, which security firm Novetta named a Chinese government operation in 2015.

Cisco concedes that code reuse alone doesn't represent a definitive link between the CCleaner attack and Axiom, not to mention China. But it also notes that one configuration file on the attackers' server was set for China's time zone—while still acknowledging that's not enough for attribution.

Source

[HiFiKabin]

I had a version like 5.13.blah installed (not used since ages).

The right thing CCleaner has it is you can uninstall it directly from it: done.

... BUT if it has deposited any dll's you may have problems in the future. To be safe

Open Registry Editor and navigate to HKLM\SOFTWARE\Piriform and see if there is a key labelled Agomo:MUID . If that key exists, it means you had the infected software on your system at one point in time.

[3Di]

Sure thing, I did it before.
I read the whole topic and external links also if my version was very dated (.13.), thanks.

[HiFiKabin]

that'll teach me not to skim read

[Mick]

I’m not surprised this has happened, there was another cleaner/scrubber a few years ago, the name I can’t remember right now. It promised to cleanup/speed up your fixed disk and scrub it to CIA & FBI standards. It **appeared** to do just that (not the speeding up bit, that’s hogwash) as the display said everything was clean after running it for hours but the only thing it didn’t tell you was about all the malware it deposited on your drive. I doubt any of the cleaners available do much and aren’t worth the aggravation IMHO.

[kinerity]

Looks like it was a targeted attack - https://www.neowin.net/news/the-ccleaner-malware-targeted-tech-firms-like-microsoft-and-google

according to new evidence, the attack may have infected the internal networks of technology giants like Google, Microsoft, and Sony. Initial findings suggest at least 18 such companies were targeted.

[thecoalman]

I’m not surprised this has happened, there was another cleaner/scrubber a few years ago, the name I can’t remember right now. It promised to cleanup/speed up your fixed disk and scrub it to CIA & FBI standards. It **appeared** to do just that (not the speeding up bit, that’s hogwash) as the display said everything was clean after running it for hours but the only thing it didn’t tell you was about all the malware it deposited on your drive. I doubt any of the cleaners available do much and aren’t worth the aggravation IMHO.

CCleaner is not a junk tool and has had an extremely good reputation for many years now, this is a very unfortunate incident for them. The company that makes it offers a few other tools that are also widely used like Recuva for file recovery of deleted files. It's most basic function is to remove unneeded files to free up disk space. It does a much better job than the built in windows functions and everything is all in one place for temp sytem files, browser files, application files etc. Everything is configurable.

Additional things it will do is "Registry cleaner" which should be avoided, disk wiping of free space, duplicate file finder, etc. The duplicate file finder is excellent tool if for example you are one these people with six gazillion duplicate image files.

[HiFiKabin]

Yes it is (was) a great tool. I hope Avast doesn't eventually bloat it with crapware

[John connor]

I haven't updated Ccleaner in ages and still use 4.xx. There's really no need to update anyway. It will do the same thing, i.e try to delete temp files. I never use the registry cleaner as that is just snake oil. It's good when you are manually removing a program though and need to wipe out registry settings. But you can just use Revo Uninstall to do that. I ran Ccleaner's free space wiper and then ran Recuva and was still able to retrieve my files. There's a better program called Eraser. In addition to Ccleaner I use System Ninja which will find way more crap then Ccleaner.

The only reason why Ccleaner got a malicious payload was lack of security at their servers. They should have been monitoring their access logs at least.

[BizimPencere]

Thanks for Info