
CCLEANER stuffed with malware


  • Registered Users Posts: 4,739 ✭✭✭Xterminator


    The infected version is CCleaner 5.33 & even the legit installs were infected.

    Upgrading ccleaner (or removing) will resolve issue. Avast CEO says no need to wipe and reload, just update version.
    For clarity it installed a backdoor on people's pc, but evidence suggests the backdoor was not used & no data has been stolen etc.


  • Registered Users Posts: 4,130 ✭✭✭smuggler.ie


    Moderator, please feel free to move to appropriate forum


  • Moderators, Technology & Internet Moderators Posts: 11,016 Mod ✭✭✭✭yoyo


    Moderator, please feel free to move to appropriate forum

    I think it's good to keep it here. I had heard of this but cheers for sharing OP!


  • Moderators, Category Moderators, Music Moderators, Politics Moderators, Society & Culture Moderators Posts: 22,360 CMod ✭✭✭✭Dravokivich


    Reading the article, it seems to state there was only an issue with v5.33.6162, which has since been addressed. And that it affected a very small user base. (just noticed the lower number of affected users was for a cloud service)


  • Registered Users Posts: 8,747 ✭✭✭degsie


    Interestingly it went unnoticed by Avast who own ccleaner, took a 3rd party to point it out to them.


  • Registered Users Posts: 14,011 ✭✭✭✭Johnboy1951


    degsie wrote: »
    Interestingly it went unnoticed by Avast who own ccleaner, took a 3rd party to point it out to them.

    A little more than 'interesting' that an alleged security firm could not keep their own software clean! :rolleyes:


  • Registered Users Posts: 11,397 ✭✭✭✭Digital Solitude


    Twas only on 32-bit installs too.

    It's clean now but Avast's buying Piriform is going to have me wary of CCleaner and Speccy.


  • Registered Users Posts: 5,968 ✭✭✭Cordell


    In this day and age I can't see the need for any of this crap. You already have a decent antivirus embedded into Win 10, and you have your common sense - knowing and using CCleaner implies that you are already a, or at least some sort of, power user. But there is no need for programs like that, that run on elevated privileges and are capable of serious f-ups.

    You really _need_ to visit _that_ website or run _that_ app? You can do it safely inside a VM.


  • Registered Users Posts: 11,397 ✭✭✭✭Digital Solitude


    No good doing a spot of cleaning up on your VM, CCleaner isn't anti-malware anyways


  • Registered Users Posts: 5,968 ✭✭✭Cordell


    Point is, there shouldn't be any crap to clean in the first place.
    And by installing this kind of software you are increasing the surface of attack.


  • Registered Users Posts: 11,397 ✭✭✭✭Digital Solitude


    Really? Can't say I agree with you there, I've never known a VM to keep my cache clean or remove crap from old programs or registry errors.

    Good bit more to it than just avoiding dodgy downloads


  • Registered Users Posts: 18,067 ✭✭✭✭fryup


    does windows 10 come with its own built in cleaner?


  • Registered Users Posts: 8,747 ✭✭✭degsie


    fryup wrote: »
    does windows 10 come with its own built in cleaner?

    Yes, Disk Clean-up.


  • Registered Users Posts: 18,067 ✭✭✭✭fryup


    ^^^^^^^^^^^

    so why use a third party program then?


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    Disk Cleaner does less than CCleaner. But you have to be more careful with CC you might remove things you need.

    With Windows 8 and 10 I haven't found the need to use any disk clean up anything like as often as you used to do. But I still like CC for cleaning up browsers and overwriting empty disk space.


  • Registered Users Posts: 3,724 ✭✭✭Metric Tensor


    I used CCleaner very effectively to both tidy and speed up my machine. Pretty annoyed to read this because although I'm a recent convert I found it very useful.

    Thanks for the heads up OP.


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    I'll still use it.

    It would be interesting to find out how it happened.


  • Registered Users Posts: 6,026 ✭✭✭Amalgam


    I was 'infected'. I wanted to test it for the last year, so, bought a license.

    Found out today my main PC has been compromised. Specific Registry entries confirm that.
    HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo\

    Anything within that entry suggests the system was infected. Specifically: MUID and TCID entries.

    My license expires today..

    The software is just a glorified temp cleaner. Now I mainly use BleachBit.

    Downloading Windows 10 on another PC for a reinstall. What a chore.

    F-ck 'em.
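
    A way to check for the registry entries described in the post above, as an added example that is not part of the original post or any vendor tool. The key path and the MUID/TCID value names come from the post and the 5.33 release from earlier in the thread; the default install folder and executable names are assumptions.

```powershell
# Registry key and value names are the ones quoted in the post above.
$IndicatorKey   = 'SOFTWARE\Piriform\Agomo'
$IndicatorNames = 'MUID', 'TCID'

function Get-AgomoIndicator {
    # The thread reports the 32-bit build as the affected one. On 64-bit Windows
    # a 32-bit process writes HKLM\SOFTWARE under WOW6432Node, so read both views.
    # (On 32-bit Windows both views resolve to the same key.)
    foreach ($view in 'Registry32', 'Registry64') {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine,
            [Microsoft.Win32.RegistryView]$view)
        try {
            $key = $base.OpenSubKey($IndicatorKey)
            if ($null -eq $key) { continue }
            $names = $key.GetValueNames()
            $key.Dispose()
            [pscustomobject]@{
                View       = $view
                Key        = "HKLM\$IndicatorKey"
                Indicators = @($names | Where-Object { $_ -in $IndicatorNames }) -join ', '
                AllValues  = $names -join ', '
            }
        } finally { $base.Dispose() }
    }
}

function Get-CCleanerVersion {
    # Assumption: default install folder and executable names.
    foreach ($root in $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
        if (-not $root) { continue }
        foreach ($exe in 'CCleaner.exe', 'CCleaner64.exe') {
            $path = Join-Path $root "CCleaner\$exe"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $v = (Get-Item -LiteralPath $path).VersionInfo
            [pscustomobject]@{
                Path        = $path
                FileVersion = $v.FileVersion
                # 5.33 is the release named in the thread (build 5.33.6162).
                Is533       = ($v.FileMajorPart -eq 5 -and $v.FileMinorPart -eq 33)
            }
        }
    }
}

$hits = @(Get-AgomoIndicator)
if ($hits) { $hits | Format-List } else { 'Key not found in either registry view.' }
Get-CCleanerVersion | Format-Table -AutoSize
```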


  • Registered Users Posts: 6,026 ✭✭✭Amalgam


    beauf wrote: »
    I'll still use it.

    It would be interesting to find out how it happened.

    Why would you still use it, ffs. Have a read of the following to realise how serious and widespread of a problem this is.

    https://www.howtogeek.com/326742/ccleaner-was-hacked-what-you-need-to-know/

    https://blog.malwarebytes.com/security-world/2017/09/infected-ccleaner-downloads-from-official-servers/

    Piriform have been taken over by Avast, so, double the reason to avoid..


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    Because I've used it for probably 15yrs+ and never had a problem, and still don't have an infected machine. Even if I did, there is no payload, and an update clears it anyway.
    Amalgam wrote: »
    ...The software is just a glorified temp cleaner. Now I mainly use ...BleachBit...

    Yes they are both temp cleaners.


  • Registered Users Posts: 9,605 ✭✭✭gctest50


    Secondary payload fun :

    The 32-bit code is activated through a patched version of VirtCDRDrv32.dll (part of WinZip ),
    while the 64-bit uses EFACli64.dll – part of a Symantec product.


    "only 18 machines affected" lol :

    [image: 4jNK6PH.png]


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    Seems very specific.
    What was clear to both Avast and Cisco was that this was a sophisticated targeted attack on the tech industry. Showing just how the attackers were carefully selecting their targets, more than 700,000 computers of the 2.3 million infected reported back to the hackers' server over few days the researchers were able to gather data, Cisco found. But just over 20 machines were hit with the second-stage attack, in which "reconnaissance information" about infected computers, such as IP address and software active on the machine, were sent to the attackers.


  • Registered Users Posts: 2,021 ✭✭✭Miike


    gctest50 wrote: »
    Secondary payload fun :

    The 32-bit code is activated through a patched version of VirtCDRDrv32.dll (part of WinZip ),
    while the 64-bit uses EFACli64.dll – part of a Symantec product.


    "only 18 machines affected" lol :

    [image: 4jNK6PH.png]

    Does this mean the information that it only affected 32bit systems is false?


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    I think that was the early reports of the story.

    Seems now that they were only targeting specific companies.


  • Closed Accounts Posts: 8,585 ✭✭✭jca


    So between the jigs and the reels you'd be as well off turfing it out and just using the windows cleanup tool, am I correct in assuming that?


  • Registered Users Posts: 6,026 ✭✭✭Amalgam


    jca wrote: »
    So between the jigs and the reels you'd be as well off turfing it out and just using the windows cleanup tool, am I correct in assuming that?

    Yes, it basically groups together five or six features already available to you in Windows.

    I wouldn't call it anti malware either, people calling it that are misleading others. MalwareBytes would be a better option.

    You didn't have to be part of a specific business to be infected, just a paying customer of the 'Pro' software. I was a paying customer. A parting gift from Piriform..


  • Closed Accounts Posts: 8,585 ✭✭✭jca


    Amalgam wrote: »
    Yes, it basically groups together five or six features already available to you in Windows.

    I wouldn't call it anti malware either, people calling it that are misleading others. MalwareBytes would be a better option.

    You didn't have to be part of a specific business to be infected, just a paying customer of the 'Pro' software. I was a paying customer. A parting gift from Piriform..

    I only ever used the free version but it's gone now from anything I own.


  • Registered Users Posts: 8,747 ✭✭✭degsie


    Sure they messed up, but you can bet all future releases will be scrutinised beyond belief to ensure they are safe.


  • Closed Accounts Posts: 22,648 ✭✭✭✭beauf


    Amalgam wrote: »
    ...Piriform have been taken over by Avast, so, double the reason to avoid..

    Why? What's your beef with Avast?


  • Registered Users Posts: 11,397 ✭✭✭✭Digital Solitude


    beauf wrote: »
    Why? What's your beef with Avast?

    Last time I used it it was very resource heavy with constant popups, had to be forced to not run at boot too iirc.

    And that stupid bing noise and the announcement that it had been updated, wrecked my head with some practices that I don't agree with.

