steven36 Posted September 23, 2017
1 hour ago, sam3971 said: @Steven, even with the condemnation of CCleaner, it only takes one rogue employee to have this version installed for M$ to become potentially compromised.
Well, this time the tables were turned on them. Even if they were compromised, only some of the targets were actually infected, and the researchers at Cisco and Avast are not releasing to the public which firms were affected, as a matter of privacy. Microsoft's shit security in their OS has caused almost everyone on the internet to be infected one time or another, even if they didn't know they were infected. Windows 10, the most secure OS on the planet, till someone spreads a 0-day backdoor. Give me a break, we're all just sheep being herded off to the slaughter. Anything that uses the internet can be compromised, and the fact is Crap Cleaner uses it to check keys and for updates; it doesn't need the internet to work, and many pirates had it blocked to keep activation and never received the 1st payload. It's people who used the free version and legit paid users who mostly got infected, because they don't have sense enough to block programs that call home that don't need the internet to function. Next time it could be software that needs the internet and infects almost everyone; maybe it's safer to use less popular software that not many people use. I wish this was a wake-up call, but it's not, because all the big tech firms are pushing everyone off into the cloud and the masses have been falling for it hook, line and sinker, and many programs that you can use offline are not as popular as they once were, and many people don't have sense enough to block them, even if they don't need the internet, to close backdoors. The big tech firms are pushing out products to the billions full of 1000s of holes in them, like browsers, OS, Office, and the list goes on and on.
pc71520 Posted September 23, 2017
9 hours ago, Pequi said: The hack occurred after Avast bought Piriform.
On 21/9/2017 at 5:15 PM, BioHazard said: Luckily, I have stopped using it just before Avast took over.
Well, some Avast fanboys are trying to convince everybody that everything was just a coincidence...
trufpal Posted September 23, 2017
On 9/22/2017 at 9:28 AM, Holmes said: I remember reading the attack took place two weeks before the acquisition by Avast, so Avast had nothing to do with this breach aside from what they're doing now. I still had version 5.1 something and now I'm going to update to the latest... well, not yet, I'm going to stand by to make sure all is well and good first. I don't think you should use CCleaner right now; that doesn't mean don't use it in the future (unless Avast screws it up).
Piriform was acquired by Avast on July 19, 2017. (Source) The affected version (5.33) was released on August 15, 2017. (Source) If the attack took place 2 weeks before the acquisition, then the affected version would be 5.32. Unless those two sources I included were fabricated by their respective authors. I don't put the blame entirely on Avast, but it certainly will slightly affect my opinion about them. For the record, I've been using Avast antivirus for years until Kaspersky released their free AV recently. Tried KFA just out of curiosity and so far I like it.
EagleEye Posted September 23, 2017
So... I had installed the affected version on my computer... I uninstalled it and installed the new version. Do I need to format my PC? Yes or no?
gipsy Posted September 23, 2017
@EagleEye c'mon man, no need to panic so much)) If you do not trust your AV, rescan your system with Emsisoft Emergency Kit & keep sleepin' well.
EagleEye Posted September 23, 2017
5 minutes ago, gipsy said: @EagleEye c'mon man, no need to panic so much)) If you do not trust your AV, rescan your system with Emsisoft Emergency Kit & keep sleepin' well.
My friend, I am not in any panic... but we must know what the damage was. Is it only in the CCleaner files, or can the app have infected other files on my system? On my PC I use web banking... so I must know... don't you think?
gipsy Posted September 23, 2017
@EagleEye I can't find my old post after the forum update, so I'll post it one more time. http://anywhere.webrootcloudav.com/zerol/wsabarclayscen.exe It's the official link to 314 days of Webroot Cloud AV, great for online banking. If something is wrong with your system, it will show immediately. First delete your current AV & clean the registry & hidden folders.
hacker7 (Author) Posted September 23, 2017
6 minutes ago, EagleEye said: My friend, I am not in any panic... but we must know what the damage was. Is it only in the CCleaner files, or can the app have infected other files on my system? On my PC I use web banking... so I must know... don't you think?
Why did you say that? Now they know about you and they will come for your web banking!!
EagleEye Posted September 23, 2017
8 minutes ago, 0bin said: You have the Agomo key? If yes, delete it. HKLM\SOFTWARE\Piriform\Agomo. Unless you are one of the companies these people were after, the second-stage payload didn't download at all. Check also this: Talos Group found evidence that the attack was more sophisticated, as it targeted a specific list of domains with a second payload.
singtel.corp.root
htcgroup.corp
samsung-breda
samsung
samsung.sepm
samsung.sk
jp.sony.com
am.sony.com
gg.gauselmann.com
vmware.com
ger.corp.intel.com
amr.corp.intel.com
ntdev.corp.microsoft.com
cisco.com
uk.pri.o2.com
vf-es.internal.vodafone.com
linksys
apo.epson.net
msi.com.tw
infoview2u.dvrdns.org
dfw01.corp.akamai.com
hq.gmail.com
dlink.com
test.com
https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/
They were after the big guys, didn't care about normal users at all. The 32-bit trojan is TSMSISrv.dll, the 64-bit trojan is EFACli64.dll.
Identifying Stage 2 Payloads
The following information helps identify if a stage 2 payload has been planted on the system.
Registry Keys:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP
Files:
GeeSetup_x86.dll (Hash: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83)
EFACli64.dll (Hash: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f)
TSMSISrv.dll (Hash: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902)
DLL in Registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a
Stage 2 Payload: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83

I have the WbemPerf registry key but it is empty. There is no 001, 002, 003, 004 or HBP registry key under it.
I don't have any of these files on my system. Maybe because I use Shadow Defender and I keep my system updated. But to be sure... I will do a format right now. Not a big deal...
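The indicator list quoted above is exactly what a defender would turn into a host check. The script below is an added example written for this thread; it is not from the thread's posters, from Piriform/Avast or from Talos. It uses only the registry keys, file names and SHA-256 hashes listed in the post above (plus the Agomo key from 0bin's reply). The directories it searches and the output format are assumptions; run it from an elevated PowerShell prompt on the machine you want to check.

```powershell
# Added example: look for the CCleaner stage-2 indicators quoted in this thread.
# Not from the thread or from Piriform/Avast. Run elevated so HKLM and system
# directories are readable. Search roots are an assumption, not part of the IoC list.

# Registry keys from the thread's IoC list, plus the stage-1 Agomo key mentioned by 0bin
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\001',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\002',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\003',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\004',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP',
    'HKLM:\SOFTWARE\Piriform\Agomo'
)

# File name -> SHA-256, copied from the thread's IoC list (lowercase hex)
$iocHashes = @{
    'GeeSetup_x86.dll' = 'dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83'
    'EFACli64.dll'     = '128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f'
    'TSMSISrv.dll'     = '07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902'
}

# Assumption: the system directory and both Program Files trees are worth walking
$searchRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

$findings = @()

# 1. Registry: only the specific subkeys are indicators. An empty WbemPerf parent
#    key (as one poster reports) is normal and is deliberately not flagged.
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Item = $key; Detail = 'key present' }
    }
}

# 2. Files: find anything with one of the IoC file names, hash it, and report
#    whether the hash matches. A name match with a different hash is still worth
#    a look but is not by itself proof of the stage-2 payload.
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include ([string[]]$iocHashes.Keys) `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
        $expected = $iocHashes[$_.Name]
        $status   = if ($hash -eq $expected) { 'HASH MATCHES IoC' } else { 'name matches, hash differs' }
        $findings += [pscustomobject]@{ Type = 'File'; Item = $_.FullName; Detail = "$status ($hash)" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No stage-2 indicators from the list were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Two design points: the check tests the five numbered WbemPerf subkeys rather than the WbemPerf key itself, because the parent key exists on a clean Windows install, which is why an empty WbemPerf key is not a finding; and it compares file hashes rather than stopping at the file name, because a file that merely shares a name with an indicator is a lead, not a confirmation.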
knowledge-Spammer Posted September 23, 2017
This CCleaner malware is a bigger thing than people think.
Cerberus Posted September 23, 2017
I do not have that reg key on my computer, nor do I have the DLL, but I did not expect to find it anyway. They did update CCleaner with a new digital signature, I noticed, for the new version.
Cerberus Posted September 23, 2017
Ah, I saw something in that video knowledge posted. The version I download is never like the installer shown in the video. Mine never had the additional software in the left-side pane of the window on any install of CCleaner, past or present. Maybe specific versions of CCleaner were affected. Not sure, but I have been watching my machine for two days checking this as well, and I do not have the malware installed, which is very good for me.
rpeachtree Posted September 24, 2017
This seems really serious... If there is nothing in the registry at \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf... should we delete CCleaner from the computer? Or can we still use it?... but is it safe to use... I just updated mine to 5.35.6210, maybe this was a bad idea.
steven36 Posted September 24, 2017
4 hours ago, rpeachtree said: This seems really serious... If there is nothing in the registry at \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf... should we delete CCleaner from the computer? Or can we still use it?... but is it safe to use... I just updated mine to 5.35.6210, maybe this was a bad idea.
Before Monday that would have been a problem, but most any antivirus picks it up now and will clean the infection out of your system if you have it. Once antivirus gets the signatures it's no longer a 0day, and they will remove it, registry keys and all; this is what anti-malware is for. Run Malwarebytes Free or something (turn on scan for rootkits) if you don't have any realtime protection, and if it gives you the OK you're in the clear. Here is a list of which scanners can detect it: https://www.virustotal.com/en/file/6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9/analysis/ As far as using the latest CCleaner, that's up to you; there are other cleaner programs you can use, but as far as we know only the CCleaner v5.33.6162 (32 bit) .exe was infected. I always just extracted the x64 exe out of the portable version and updated mine; I never had the CCleaner v5.33.6162 (32 bit) .exe on my system. You don't need the 32-bit .exe on x64 systems, and that is because of a crappy installer that installed both. What makes CCleaner so good is Winapp2.ini; it also works with BleachBit and System Ninja, here are instructions: https://github.com/MoscaDotTo/Winapp2 If Malwarebytes Anti-Malware says you are infected, you can use this: Remove the Floxif CCleaner Trojan step-by-step guide from BleepingComputer https://www.bleepingcomputer.com/virus-removal/remove-floxif-ccleaner-trojan But if you're running an antivirus with realtime protection that flags it, by now you would have known and looked for help already.
hacker7 (Author) Posted September 24, 2017
12 hours ago, steven36 said: Before Monday that would have been a problem, but most any antivirus picks it up now and will clean the infection out of your system if you have it. [...]
You are absolutely right, mate! No reason to be paranoid now cuz almost all the AVs got the signatures. But after what happened lately with CC, no doubt they are going down!
hacker7 (Author) Posted September 24, 2017
26 minutes ago, 0bin said: Why? You don't like all the other cleaning softwares trying to kill CCleaner? It's a huge show of losers...
No, it's not about that, friend!! It's about the whole concept of business, which is built on the level of trust in business relationships between the company and the customers!
Agent 86 Posted September 24, 2017
I've done some backtracking and discovered that I never installed v5.33. I went from 5.32 to 5.34. I've found nothing on my systems and will continue to use CCleaner for a few specific tasks. I don't think I will be updating it anytime soon though. The version I have works fine for my humble needs, therefore it shouldn't need updating. I do, however, think this (stigma) will be hard for CCleaner to overcome and may be the beginning of its end. Too bad.
rpeachtree Posted September 24, 2017
@Agent 86 Yes, I agree with you. I think it's time to find another cleaner; I won't be using CCleaner anymore.
steven36 Posted September 25, 2017
CCleaner is the clear winner among weaknesses found in security software in recent years. It's not so much about whether you use CCleaner or not; I could care less what programs you use or even what OS you use. It is more about the fact that the security sector as a whole failed us once again, which in the long run will affect everyone regardless of what they use. It seems we're going back in time to the early 2000s, where viruses and malware are on the rampage again and you can't really trust anti-malware to keep you protected till after the damage is done. It's not a problem with CCleaner anymore, it's a problem with security software in general. Here is a list of it in recent years.
10 Security Product Flaw Scares
https://www.darkreading.com/vulnerabilities---threats/10-security-product-flaw-scares/d/d-id/1329942?
Quote: This week's news that a legitimate version of Avast's CCleaner tool was compromised to deliver malware offers a stark example of how damaging security tools can be when the bad guys subvert them to act maliciously. For several decades now, we've heard the dangers of security tools that don't properly recognize malware or malicious activities. But the last few years have flipped the script as more security researchers and black hats have discovered that many security tools can also act as a very convenient tool for compromising the enterprise. In order to properly work, these tools usually need very high administrative privileges and typically run processes at the lowest levels of the system. This makes them a prime target for attackers. In the past two years, a number of embarrassing zero-days have come to light that had the criminals, or cyber spies, licking their chops at the thought of the complete ownage that such flaws can afford them.
I heard all this before from the Linux community: that you will have worse problems if you install an AV and give it root.
But don't stop thinking about using security software; you need some kind of real-time web protection because phishing attacks are on the rise. On Windows most home users run many programs as Admin anyway; many programs won't fully work without Admin privileges, and using AV can protect you against things once the security software gets the signatures, but you also need to harden your browser and keep an eye on where apps are calling to; if something looks fishy, check it out. Stop trusting everything you install, because even the most trusted apps can be hacked, even antivirus can be cracked, and anything that can be cracked can be hacked.
1.4 Million New Phishing Sites Launched Each Month
https://www.darkreading.com/threat-intelligence/14-million-new-phishing-sites-launched-each-month/d/d-id/1329955?
xc0d3r Posted September 27, 2017
Is CCleaner still safe to use?
hacker7 (Author) Posted September 27, 2017
18 hours ago, xc0d3r said: Is CCleaner still safe to use?
The question has been asked before! Read the comments and you will get the answer you're seeking.