
Hackers compromised free CCleaner software


Petrovic


Please update the title of the thread; it says CCleaner only, but it's the CCleaner Free and CCleaner Cloud versions. And did someone say the Tech version is compromised too? I think someone said that; can we get a confirmation on that?

4 minutes ago, BALTAGY said:

This is the hash that should be detected; you will find it here >>

 

The funny thing is that ESET had a problem with the Google Toolbar, not with the malware itself.... :D



Just now, Recruit said:

 

The funny thing is that ESET had a problem with the Google Toolbar, not with the malware itself.... :D

It's a PUP, but if you look at VirusTotal, the new detection in 16099 is Win32/CCleaner.A / Win32/CCleaner.B, not the toolbar.



They are referring to CCleaner.exe (v5.33.6162)
http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

The executable files are the same for all versions; the branding.dll file is necessary to identify the license (e.g. Technician) and the CCleaner.dat file is necessary to identify the owner of the license (e.g. GlacialMan). So, in my opinion, anyone using a non-free edition is also affected by the problem. Hash comparison is the only way to know who is affected and which versions (e.g. Portable and Installer) are affected.



7 hours ago, 0bin said:

@straycat19 How you mitigated this incident?

Could you share your experience.

Thank you.

 

We don't use nor allow the use of CCleaner, so there was nothing for us to mitigate. We use proprietary software to clean our systems and PowerShell scripts. Also note that this apparently applied only to the 32-bit freeware version, which I would never run, not even on my home systems. I once did have a licensed version for testing, but that was several years ago. The only reason I read this article is because I know one friend who owns a gas station and has a personal computer in the office who likes to run this, so I read up on it so I can check his system. Sometimes published articles in security alerts like this one don't cross my desk because they don't pertain to us, which is why I always appreciated the security posts on Nsane; it was one place I could get a good overview.



I can confirm that the 64-bit version does not have this issue. Installed the same version in a w7 VPN and did not have the "HKLM\SOFTWARE\Piriform\Agomo" key at all. Lol, used it once on my end for an office issue :P



3 hours ago, straycat19 said:

We use proprietary software to clean our systems and PowerShell scripts.

CCleaner is proprietary software; it's never been open source. The open source one is BleachBit. :lol:



6 hours ago, BALTAGY said:

It's a PUP, but if you look at VirusTotal, the new detection in 16099 is Win32/CCleaner.A / Win32/CCleaner.B, not the toolbar.

You can't go by VirusTotal nowadays; sometimes their signatures are wrong and not really updated, even if they say they are. I had that happen a lot running an AV in real time, where an antivirus would detect something not on there, or still show a false positive when removed. That's just like if you set NOD32 up not to detect PUPs: it won't detect them, and any experienced user already knows CCleaner has a PUP in the standard installer, and experienced users don't even need PUP protection; they are careful about what they install. I even block all offline installers with my firewall so they never touch the internet to download 3rd-party programs. For 30 days no AVs detected the real malware, but that was fast, because state hackers' malware goes for years before it gets found.

 

An Avast Global Moderator said this about it.

 

Quote

Guys,

I just had a chance to read this thread and I'm a bit horrified as I think that there's quite some misconception about what actually went on.

First of all, the bottom line is: to the best of our knowledge, no harm was done to any CCleaner users as the threat was removed before it had a chance to fully activate.
This is really not about downplaying the issue. This is a statement based on a pretty thorough analysis, partially shared below and partially still embargoed because of the ongoing investigation.

Now, some facts:
- Avast acquired a company (Piriform) which was in the process of being hacked. We have good evidence that the attack started at least several weeks before the acquisition.
- Immediately after we first learned about something wrong with the CCleaner product (which was on September 12, i.e. 6 days ago) we started working on it and have been working on it around the clock since then.
- The #1 priority for us was to protect the CCleaner customers and minimize the actual customer impact of the incident.
- For that reason, we first focused on fully understanding the malicious code and disconnecting the bad actors from their ability to control the backdoor, i.e. taking down the CnC servers.
- The CnC server was taken down on September 15, three days after we first learned about the incident. Given how difficult these things tend to be, we consider this a very good result and I don't see how we could have done it any better. (By that time, the secondary CnC servers (the DGA domains) were already sinkholed as well, so that technically cut the attackers off their ability to control the backdoor).

At the same time, we wanted to understand whether the second stage payload could have already activated before the threat was discovered. Now, the good thing is that about 30% of CCleaner users also run Avast security software, which allowed us to analyze behavioral, traffic and file/registry data from those machines.  Based on this analysis, we can say with high confidence that to the best of our knowledge, the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary itself. We also asked our colleagues from other security companies, but haven't heard anyone seeing anything suspicious either. And that's great news, as it means that despite the high sophistication of the attack, we managed to disarm the system before it was able to do any harm. To that end, we don't consider the advice to reformat and/or restore the affected machines to the pre-August 15 state to be based on facts (by similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer, just because there was a hypothetical possibility that something might have gotten in).

BTW, I have to say I was quite disappointed by the approach taken by the Cisco Talos team who appears to be trying to use information about this incident to drive marketing activities and piggyback on the case to increase the visibility of their upcoming product. And, I should probably also say that it wasn't Cisco who first notified us about the problem. The threat was first discovered and reported to us by researchers in a security company called Morphisec (thank you!). The threat was real, but to the best of our knowledge, it was fortunately mitigated before it could do any harm.

We plan to be issuing more communication about this as we go. This is a very unfortunate incident and of course, it's in our highest interest to properly investigate the issue and make sure it never happens again. Unfortunately, as you can imagine, the security measures in small companies are usually not up to the standard and that's a big lesson for us in terms of what to look for in case of future acquisitions.

Thanks,
Vlk

 

https://forum.avast.com/index.php?topic=208612.msg1421249#msg1421249

 


 



Morphisec Discovers CCleaner Backdoor Saving Millions of Avast Users

 


 

As widely reported today, the Avast-owned security application CCleaner was illegally modified by hackers to establish a backdoor to the hackers’ server. According to Avast, some 2.27 million users were running the weaponized version 5.33 of CCleaner. In addition, CCleaner Cloud version 1.07 was affected. Morphisec was first to uncover the CCleaner backdoor, saving millions of Avast users.

 

Morphisec first identified and prevented malicious CCleaner.exe installations on August 20 and 21, 2017 at customer sites. Some customers shared their logs of the prevented attacks with Morphisec on September 11, 2017. Morphisec started to investigate the prevention logs right away.

Although the executables were signed by the original Piriform company, which was purchased by Avast in July, version 5.33 of CCleaner exhibited internal code injection behavior and reflective DLL loading directly into memory.

 

“Morphisec’s unique Moving Target Defense cyber security solution first stopped the malicious file at one of our customers in Singapore. First of all, we were satisfied to see that we prevented the attack and how our Endpoint Threat Prevention solution keeps our customers safe,” remarks Michael Gorelik, VP R&D at Morphisec.

Immediately after the first investigation, Morphisec notified all its customers and was the first to contact Avast, reporting its findings to help Avast identify the issue. The updated version of CCleaner 5.34, which was released on September 12, 2017, did not include any malicious code.

“A backdoor transplanted into a security product through its production chain presents a new, unseen threat level which poses a great risk and shakes customers’ trust. As such, we immediately, as part of our responsible disclosure policy, contacted Avast and shared all the information required for them to resolve the issue promptly. Customers’ safety is our top concern,” Gorelik emphasizes.

 

Today, after it was made public that our findings are the same as those from Avast, we can now provide a short abstract of our technical investigation, in the responsible way we like to take.

Technical Abstract:

First, we identified that the TLS initialization of callback functions was probably altered by a modification of the Visual Studio runtime file (figure not reproduced).

Such modifications can be done by someone with access to the machine that compiles the code. This makes the code injection very useful and stealthy. Moreover, this code is executed before any of the original CCleaner code is executed, and the executable is automatically signed by the build machine.

 

Following the new TLS initiation path, we investigated the reflective injection of the DLL, which was a DLL without a FILE_DOS_HEADER. Later on, the NT_HEADER was stripped as well to evade any memory monitoring solutions. Morphisec’s research lab has witnessed such processes more and more lately.

 

The DLL by itself is a simple controller component that collects information from the computer, sends it to a C2 and is able to receive next-stage code for execution (figure not reproduced).

The DLL contained sophisticated methods rarely used, by only a few threat actors, such as code for identifying 64/32-bit that can run within both kinds of process (figure not reproduced).

 

Note that the downloaded payload has a fallback option for accessing “randomly” generated domains (the month of the year being used as a seed).

 

Download of the code from C2 (figure not reproduced).

Malicious code execution following the payload download, plus the domain-generated hosts (figure not reproduced).

 

Source:

http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor
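The Morphisec abstract hinges on TLS callbacks: the Windows loader runs every entry in a PE image's TLS callback table before it ever reaches AddressOfEntryPoint, so code planted there runs ahead of all of CCleaner's own code, and a build machine that signs the output signs the callback along with it. The script below is an added example, not code from Morphisec, Piriform or Avast, that enumerates those callbacks from a PE32 or PE32+ file on disk using only the standard library. The minimal PE it builds as sample input is constructed here (hypothetical RVAs, image base 0x400000, entry point 0x1200) and is not the CCleaner binary.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9          # index into the optional header's data directories
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def enumerate_tls_callbacks(data):
    """Return {'entry_point': rva, 'tls_callbacks': [rva, ...]} for a PE32/PE32+ file.

    Callbacks are listed in the order the loader invokes them; all of them run
    before AddressOfEntryPoint. Raises ValueError for anything without intact
    DOS and NT headers (a headerless reflective image, as in the post, fails here).
    """
    if data[:2] != b"MZ":
        raise ValueError("missing IMAGE_DOS_HEADER")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing IMAGE_NT_HEADERS signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        num_dirs_off, dirs_off, ptr_fmt = opt + 92, opt + 96, "<I"
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        num_dirs_off, dirs_off, ptr_fmt = opt + 108, opt + 112, "<Q"
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ptr_size = struct.calcsize(ptr_fmt)

    result = {"entry_point": entry_point, "tls_callbacks": []}
    if struct.unpack_from("<I", data, num_dirs_off)[0] <= IMAGE_DIRECTORY_ENTRY_TLS:
        return result
    tls_rva, tls_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0 or tls_size == 0:
        return result

    sections = []
    sec_off = opt + opt_size
    for i in range(num_sections):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))

    # IMAGE_TLS_DIRECTORY: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex,
    # AddressOfCallBacks (pointer-sized VAs), then SizeOfZeroFill and Characteristics.
    tls_off = _rva_to_offset(sections, tls_rva)
    callbacks_va = struct.unpack_from(ptr_fmt, data, tls_off + 3 * ptr_size)[0]
    if callbacks_va == 0:
        return result
    off = _rva_to_offset(sections, callbacks_va - image_base)
    while True:                                           # zero-terminated array of VAs
        va = struct.unpack_from(ptr_fmt, data, off)[0]
        if va == 0:
            break
        result["tls_callbacks"].append(va - image_base)
        off += ptr_size
    return result


def build_sample_pe(with_tls=True):
    """Constructed input: a minimal PE32 with one section holding a TLS directory
    and two callbacks. All addresses are hypothetical; this is not CCleaner."""
    image_base, sec_va, sec_raw, sec_size = 0x00400000, 0x1000, 0x200, 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1200)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)      # Section/FileAlignment
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    if with_tls:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, sec_va, 24)
    section = struct.pack("<8sIIIIIIHHI", b".rdata", sec_size, sec_va, sec_size,
                          sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    body = bytearray(sec_size)
    # TLS directory at RVA 0x1000; its AddressOfCallBacks points at RVA 0x1020.
    struct.pack_into("<IIIIII", body, 0, 0, 0, image_base + sec_va + 0x40,
                     image_base + sec_va + 0x20, 0, 0)
    struct.pack_into("<III", body, 0x20, image_base + 0x1100, image_base + 0x1180, 0)
    return headers.ljust(sec_raw, b"\0") + bytes(body)


if __name__ == "__main__":
    info = enumerate_tls_callbacks(build_sample_pe())
    print("entry point RVA 0x%x" % info["entry_point"])
    for rva in info["tls_callbacks"]:
        print("TLS callback RVA 0x%x (runs before the entry point)" % rva)
```

Run it over a real binary with `enumerate_tls_callbacks(open(path, "rb").read())` and compare the callback RVAs against what the linker normally emits for the CRT; an unexpected callback in a signed binary is exactly the kind of thing the post describes. The deliberate `ValueError` on a missing MZ or PE signature is also the point of the "stripped headers" remark: an image that has had its DOS and NT headers removed before being mapped in memory gives header-based scanners nothing to parse.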

 

 

 



Hi,

Do I need to worry if I ran the installer of CCleaner 5.33.6162 (which contains both x86 and x64 versions) and the x64 version got installed? I extracted the files inside the CCleaner 5.33.6162 installer and Malwarebytes Anti-Malware quarantined only the x86 file.



1 hour ago, Sandman said:

Hi,

Do I need to worry if I ran the installer of CCleaner 5.33.6162 (which contains both x86 and x64 versions) and the x64 version got installed? I extracted the files inside the CCleaner 5.33.6162 installer and Malwarebytes Anti-Malware quarantined only the x86 file.

I doubt it. Like I posted on the 1st page, it didn't affect the x64 version, and Avast shut down the servers they were using days ago.

 

From Avast 

Quote

Because both 32b and 64b binaries are present on the HDD... but the payload doesn't activate on 64-bit.
You can check the existence of the registry key HKLM\SOFTWARE\Piriform\Agomo  -- if it exists, the backdoor activated, otherwise it didn't.

Thanks
Vlk

If you have this registry key present in the registry, you were infected, but they closed it down before the payload ever did anything. There is no evidence it caused any harm.

If you find that key, delete it, do a malware scan and update to the latest version, and you're good to go.

 

The 32-bit version was never present on my systems because I always update mine with the Portable version and overwrite the old 64-bit exe like a crack, because I don't want to fool with downloading installers with PUPs, and I deleted the 32-bit version long ago out of the install folder when I installed my OS. Also, I block all apps that don't need to be online with a firewall.



1 hour ago, steven36 said:

The 32-bit version was never present on my systems because I always update mine with the Portable version and overwrite the old 64-bit exe like a crack, because I don't want to fool with downloading installers with PUPs, and I deleted the 32-bit version long ago out of the install folder when I installed my OS. Also, I block all apps that don't need to be online with a firewall.

 

A portable app, virtualized or non-virtualized, is always safe. In CCleaner's case, a non-virtualized portable (a portable made with NSIS and running through a PAL) would force-remove the HKLM\SOFTWARE\Piriform reg entries if proper cleanup code is implemented. On the other hand, a virtualized portable would run in sandbox mode anyway and could have cleanup code too.



I downloaded CCleaner 5.33 Slim from Softpedia in August. Auto-update was turned off, but yesterday CCleaner wanted to upgrade to 5.34. I denied, but in the morning 64-bit Windows 7 was gone: no boot, install CD required, RIP! :lol:

 

I have dual boot and I booted to Windows 10 instead of 7. ESET found a variant of the Win32/CCleaner trojan on the Windows 7 partition. This malware was invisible to F-Secure yesterday.

 

What next, is HDCleaner beta something? :blink:

 

 

 



LOL Avast. You failed with a small company, so how come you are protecting BIG customers?

 

it's in our highest interest to properly investigate the issue and make sure it never happens again. Unfortunately, as you can imagine, the security measures in small companies are usually not up to the standard and that's a big lesson for us in terms of what to look for in case of future acquisitions.




It's things like these that make me happy that I do not use this software anymore. But, this can happen to any software.

 

Still, quite concerning. I'm also worried that only technology-specific news sites have covered this, at least here, whereas it should have been covered by each and every news site out there; the software is among the most used software in the world, I think.

 

Also, it shows the developer's lack of care: was the computer which contained the files compromised, was it internet-connected (which it should not be), was someone from the company involved in doing this?



4 minutes ago, DKT27 said:

It's things like these that make me happy that I do not use this software anymore. But, this can happen to any software.

 

Still, quite concerning. I'm also worried that only technology-specific news sites have covered this, at least here, whereas it should have been covered by each and every news site out there; the software is among the most used software in the world, I think.

 

Also, it shows the developer's lack of care: was the computer which contained the files compromised, was it internet-connected (which it should not be), was someone from the company involved in doing this?

 

I agree; something similar also occurred with Notepad++...



54 minutes ago, Radpop said:

I downloaded CCleaner 5.33 Slim from Softpedia in August. Auto-update was turned off, but yesterday CCleaner wanted to upgrade to 5.34. I denied, but in the morning 64-bit Windows 7 was gone: no boot, install CD required, RIP! :lol:

 

I have dual boot and I booted to Windows 10 instead of 7. ESET found a variant of the Win32/CCleaner trojan on the Windows 7 partition. This malware was invisible to F-Secure yesterday.

 

What next, is HDCleaner beta something? :blink:

 

 

 

Yesterday I was picking berries, so I didn't notice the forum warnings about CCleaner. :lol:


ESET saved my Windows 10:
18.9.2017 19.21.11;Advanced memory scanner;file;Operating memory » CCleaner.exe(8608);a variant of Win32/CCleaner.B trojan;cleaned by deleting.

 



2 hours ago, JimmySvert said:

A portable app, virtualized or non-virtualized, is always safe. In CCleaner's case, a non-virtualized portable (a portable made with NSIS and running through a PAL) would force-remove the HKLM\SOFTWARE\Piriform reg entries if proper cleanup code is implemented. On the other hand, a virtualized portable would run in sandbox mode anyway and could have cleanup code too.

It just means the payload would be self-contained and you would not have to search all over the registry to find it. If a portable gets infected and you let it connect to the internet, it will be infected till you remove it, and some portables are not really stealthy; they just clean up the mess they make in the AppData folder after you run it, and if it were a real virus it could spread all over the place. If a payload sends you an x86 Trojan, it will lock to the system and the portable will fail to clean it up when it tries to delete the app and temp folders. Then you would need to remove it with security software, or use some unlocker and try to delete it on reboot. An x86 OS is more prone to be affected by Trojans, rootkits and backdoors. If it was a ransomware payload, then you know how that ends: you would lose most of your files or have to pay up.

 

I've seen shabbily made portables fail to clean up too many times in my life.



CCleaner does nothing special, Windows Disk Cleanup works just fine, in many cases, CCleaner registry cleanup will do more harm than good. I'm all for good third-party utilities, but there are tons of useless crap utilities out there that people use and it can all be done with the tools that come with Windows.  



5 hours ago, virge said:

CCleaner does nothing special, Windows Disk Cleanup works just fine, in many cases, CCleaner registry cleanup will do more harm than good. I'm all for good third-party utilities, but there are tons of useless crap utilities out there that people use and it can all be done with the tools that come with Windows.  

I use it more for the convenience of doing an almost complete cleaning in the system (and apps) with a single click. As for cleaning the registry there is practically no need for me, since when I do an uninstall I use Total Uninstall.

The concern is more about the ease and dimension with which these things are happening. You can not be trusted any more. And I'm already going to try to police myself more and change old habits, as I always keep the programs as up to date as possible. :mellow:

I no longer feel safer, since my favorite firewall for windows has been sold (Outpost Firewall) and I no longer use any.

 

@Holmes

Until yesterday the Tech Edition installer was 100% clean, but out of curiosity I decided to test the 32-bit and 64-bit executables, and to my surprise, the 32-bit version was compromised, as well as the two references mentioned by Avast. Today I tested the Tech Edition installer and now 27 antivirus products recognize it as a threat. See the image below (not reproduced):

What I can conclude is that when Avast stated that the product CCleaner 5.33.6162 was changed by hackers, they mean that all versions of CCleaner have been changed, which includes the paid versions (Business and Tech).



CCleaner Malware second payload discovered

 

A new report by Cisco's Talos Group suggests that the CCleaner hack was more sophisticated than initially thought. The researchers found evidence of a second payload during their analysis of the malware which targeted very specific groups based on domains.

On September 18, 2017 Piriform reported that the company's infrastructure distributed a malicious version of the file cleaning software CCleaner for about a month.

The company's infrastructure was compromised, and users who downloaded version 5.33 of CCleaner from the website or used automatic updates to install it, got the infected version on their system.

We talked about methods to identify if an infected version is installed on the system. Probably the best indicator, apart from checking CCleaner's version, is to check for the existence of Registry keys under HKLM\SOFTWARE\Piriform\Agomo.

 

ccleaner-2nd-payload.png

 

Piriform was quick to state that users could resolve the issue by updating to the new malware-free version of CCleaner.

A new report suggests that this may not be enough.

Talos Group found evidence that the attack was more sophisticated, as it targeted a specific list of domains with a second payload.

  • singtel.corp.root
  • htcgroup.corp
  • samsung-breda
  • samsung
  • samsung.sepm
  • samsung.sk
  • jp.sony.com
  • am.sony.com
  • gg.gauselmann.com
  • vmware.com
  • ger.corp.intel.com
  • amr.corp.intel.com
  • ntdev.corp.microsoft.com
  • cisco.com
  • uk.pri.o2.com
  • vf-es.internal.vodafone.com
  • linksys
  • apo.epson.net
  • msi.com.tw
  • infoview2u.dvrdns.org
  • dfw01.corp.akamai.com
  • hq.gmail.com
  • dlink.com
  • test.com

The researchers suggest that the attacker was after intellectual property based on the list of domains that belong to high profile tech companies.

Interestingly the array specified contains Cisco's domain (cisco.com) along with other high-profile technology companies. This would suggest a very focused actor after valuable intellectual property.

Talos Group suggested to restore the computer system using a backup that was created prior to the infection. The new evidence reinforces this, and the researchers suggest strongly that it may not be enough to simply update CCleaner to get rid of the malware.

These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.

The stage 2 installer is GeeSetup_x86.dll. It checks the version of the operating system, and plants a 32-bit or 64-bit version of the trojan on the system based on the check.

 

The 32-bit trojan is TSMSISrv.dll, the 64-bit trojan is EFACli64.dll.

Identifying Stage 2 Payloads

The following information helps identify if a stage 2 payload has been planted on the system.

Registry Keys:

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

Files:

  • GeeSetup_x86.dll (Hash: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83)
  • EFACli64.dll (Hash: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f)
  • TSMSISrv.dll (Hash: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902)
  • DLL in Registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a
  • Stage 2 Payload: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83

I searched these hashes on VirusTotal and found nothing; not sure if it's true or not.

 

Source: ghacks
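Two checks run through this thread: the HKLM\SOFTWARE\Piriform\Agomo key that Avast named as the sign that the stage-1 backdoor activated (quoted in the reply to Sandman above), and the WbemPerf registry keys and SHA-256 hashes that Talos published for the stage-2 payload (listed above). The script below is an added example, not code from Avast, Talos, Piriform or ghacks, that folds both into one triage sweep: it hashes every DLL/EXE under a directory against the listed hashes and, on Windows, opens each HKLM key in both the native 64-bit view and the WOW6432Node view. Checking both views is my addition, since the stage-1 code ran inside the 32-bit binary and HKLM\SOFTWARE writes by 32-bit processes are redirected to WOW6432Node on 64-bit Windows. The demo input is a constructed placeholder file, not a real sample, and the CCleaner install path used in the main block is an assumption.

```python
import hashlib
import os
import sys
import tempfile

# Indicators as quoted in this thread: the stage-1 marker Avast named and the
# stage-2 registry keys and SHA-256 hashes from the Talos write-up.
STAGE1_KEY = r"SOFTWARE\Piriform\Agomo"
STAGE2_KEYS = [
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\001",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\002",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\003",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\004",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP",
]
STAGE2_SHA256 = {
    "dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83": "GeeSetup_x86.dll (stage 2 installer)",
    "128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f": "EFACli64.dll (64-bit trojan)",
    "07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902": "TSMSISrv.dll (32-bit trojan)",
    "f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a": "DLL stored in the registry",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, hashes=STAGE2_SHA256, suffixes=(".dll", ".exe")):
    """Hash every .dll/.exe under root; return [(path, sha256, label)] for IOC matches."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:          # locked or unreadable file: skip it, don't abort the sweep
                continue
            if digest in hashes:
                hits.append((path, digest, hashes[digest]))
    return hits


def present_registry_keys(keys=(STAGE1_KEY, *STAGE2_KEYS)):
    """Return [(key, view)] for HKLM keys that exist in the 64-bit or the WOW64 32-bit view.

    Both views are checked (my addition) because HKLM\\SOFTWARE is redirected to
    WOW6432Node for 32-bit processes on 64-bit Windows. Returns [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    for key in keys:
        for view, flag in (("64-bit", winreg.KEY_WOW64_64KEY), ("32-bit", winreg.KEY_WOW64_32KEY)):
            try:
                with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key, 0, winreg.KEY_READ | flag):
                    found.append((key, view))
            except OSError:
                pass
    return found


def triage(root):
    """Both checks together; a non-empty list is a reason to escalate, not just to update."""
    return {"registry": present_registry_keys(), "files": scan_tree(root)}


def demo():
    """Constructed demo: a throwaway directory with one file whose hash is added to the
    IOC set (a placeholder, not real malware) and one file that must not match."""
    with tempfile.TemporaryDirectory() as d:
        wanted = os.path.join(d, "sample.dll")
        with open(wanted, "wb") as f:
            f.write(b"constructed placeholder, not a real payload\n")
        with open(os.path.join(d, "benign.exe"), "wb") as f:
            f.write(b"something else entirely\n")
        iocs = dict(STAGE2_SHA256)
        iocs[sha256_file(wanted)] = "constructed placeholder"
        return [(os.path.basename(p), label) for p, _, label in scan_tree(d, iocs)]


if __name__ == "__main__":
    print(demo())
    # Assumed install location; pass the real one on your system.
    print(triage(r"C:\Program Files\CCleaner" if sys.platform == "win32" else "."))
```

A hit in either list is the situation Talos describes, where updating CCleaner alone is not enough and restoring from a pre-infection backup or reimaging is the right call. An empty result only means these particular indicators are absent; it says nothing about what a second-stage payload may have dropped under other names.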
