Jump to content

NonConvergentWaveform

Experienced Members
  • Posts

    54
  • Joined

  • Last visited

Everything posted by NonConvergentWaveform

  1. Seems probable. Then again the info came from a server under the attacker's control. I'd be interested in what the attacker was doing at piriform all the time he had control, and if it is normal to compile another copy of ccleaner again only 16 minutes later. The files I am asking about were built, digitally signed, packaged into an installer, and digitally signed again at piriform. Somehow the attacker tampered with that process. I was asking for more info about the normal build process too. Someone should know about one or both of those procedures. I'm not sure what you are asking... "download and hash the file twice" -- if you hash a file twice (and nothing goes majorly wrong with your computer) it should be the same every time. "I'd rather see where your info comes from first, honestly." -- What info specifically? If you ask a specific question I can give a specific answer.
  2. There seems to be a lot of missing information. I asked here why there are two infected builds made just minutes apart. No answer. This blog post mentions files one would think are innocent (not tampered) as indicators of compromise (IOCs). I just want to get correct and accurate answers so that others who are asking (directly and indirectly) can be given full and complete answers. Instead we have to resort to educated guesses (some of which were thankfully confirmed) and lingering uncertainty.
  3. Tampered with in the recent ccleaner malware issue. Aka infected. There were several versions of ccleaner released that were infected, most had an installer. Example: CCleaner setup v5.33.0.6162 contains among other things: ccleaner (32-bit) ccleaner (64-bit) ccleaner (32-bit) = tampered (file has been tampered with by the bad guys) ccleaner (64-bit) = untampered (file is as intended by the author) CCleaner setup v5.33.0.6162 = associated with tampered file (contains ccleaner 32-bit v5.33.0.6162) I'm trying to determine which files were actually tampered with and which files were not tampered with and also any installer which contained such a tampered with file(s).
  4. Can you classify this files into: tampered untampered associated(packaged in the same installer, etc..) with tampered file, but not in itself tampered Also the default file name. SHA256 hash of files I am asking about: A013538E96CD5D71DD5642D7FDCE053BB63D3134962E2305F47CE4932A0E54AF 276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012 BD1C9D48C3D8A199A33D0B11795FF7346EDF9D0305A666CAA5323D7F43BDCFE9 C92ACB88D618C55E865AB29CAAFB991E0A131A676773EF2DA71DC03CC6B8953E 04BED8E35483D50A25AD8CF203E6F157E0F2FE39A762F5FBACD672A3495D6A11 0564718B3778D91EFD7A9972E11852E29F88103A10CB8862C285B924BC412013 1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF 2FE8CFEEB601F779209925F83C6248FB4F3BFB3113AC43A3B2633EC9494DCEE0 4F8F49E4FC71142036F5788219595308266F06A6A737AC942048B15D8880364A E338C420D9EDC219B45A81FE0CCF077EF8D62A4BA8330A327C183E4069954CE1 3C0BC541EC149E29AFB24720ABC4916906F6A0FA89A83F5CB23AED8F7F1146C3 7BC0EAF33627B1A9E4FF9F6DD1FA9CA655A98363B69441EFD3D4ED503317804D 36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9 A3E619CD619AB8E557C7D1C18FC7EA56EC3DFD13889E3A9919345B78336EFDB2 0D4F12F4790D2DFEF2D6F3B3BE74062AAD3214CB619071306E98A813A334D7B8 9C205EC7DA1FF84D5AA0A96A0A77B092239C2BB94BCB05DB41680A9A718A01EB BEA487B2B0370189677850A9D3F41BA308D0DBD2504CED1E8957308C43AE4913
  5. So, what is hxxps://www.beetleforum.net and what does it have to do with piriform?
  6. It comes back to a company called "Fastly" in San Francisco, CA. They are listed only by a PO Box. Their allocation is named "SKYCA-3". Never heard of them. https://whois.arin.net/rest/net/NET-151-101-0-0-1/pft?s=151.101.112.64
  7. I could almost read some of the file you attached... List the contents of c:\Users\ One way to do that (from command prompt): dir /a c:\Users\
  8. What is the name of the icon? Maybe it is not a shortcut but some sort of special file (like the recycle bin on the desktop that isn't really on the desktop).
  9. If you are on a windows 64-bit be sure to check the 32-bit registry as if a 32-bit program wrote to: HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo and you checked it with regedit it would actually end up here: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Piriform\Agomo
  10. Looks like someone independently discovered and fixed the mistake without mentioning it in this thread.
  11. Which post? The one asking for seemingly very relevant info? Or do you mean the post I quoted? (who's only content strangely explains that it shouldn't have existed in the first place...)
  12. I don't see this mistake, could you post a link? CCleaner64.exe - 64-bit CCleaner executable MD5: e6f5ad3fd6d0f64ec88357fc481a71ab SHA256: 06b27f68366f8d25a599c3ad8b1d23f18158f4edddee3174a22d3698089a8bc3
  13. This appears to be Windows XP, which does not have UAC. Post a screenshot of the error? (please use PNG or JPG, not BMP)
  14. As long as the 2nd stage virus (and any other viruses it downloaded later) didn't delete that key and/or itself before you checked. Didn't run CCleaner v5.33.0.6162 (or CCleanerCloud v1.7.0.3191) at any point = not infected Installed but didn't run CCleaner v5.33.0.6162 (or CCleanerCloud v1.7.0.3191) before September 16th = not infected (this assumes the installer doesn't run the main exe files at all after installing) Installed and ran CCleaner v5.33.0.6162 before September 16th, but firewall rules denied CCleaner.exe all network access = not infected Installed and ran CCleaner v5.33.0.6162 (or CCleanerCloud v1.7.0.3191) after September 15th = not infected (malware server disabled) CCleanerCloud users (64-bit and 32-bit OSes): Installed and ran CCleanerCloud v1.7.0.3191 before September 16th = Stage 2 possible 64-bit users: Installed and ran CCleaner v5.33.0.6162 before September 16th, but did not use the skip User Account Control (UAC) feature and did not run the 32-bit main exe = not infected Installed and ran CCleaner v5.33.0.6162 before September 16th, and did use the skip User Account Control (UAC) feature OR ran the 32-bit main exe = status unclear (see note A1) Note A1: If the tampered 32-bit main exe file (CCleaner.exe) exits after running the untampered 64-bit main exe = not infected Note A1_*_: If the tampered 32-bit main exe file (CCleaner.exe) persists while waiting for the 10 minute delay after passing control to the untampered 64-bit main exe = Stage 2 possible _*_ -- There is no way (currently known) for the line above happen in any normal situation. 32-bit users: Installed and ran CCleaner v5.33.0.6162 before September 16th = Stage 2 possible If Stage 2 possible: The attackers probably decided not to infect your computer. They had the option to infect you, but they passed. (this info comes from the attacker's captured server, info could have been tampered with) For those few machines that were passed stage 2, this malware could have taken any action(s), including downloading more malware, stealing info, and deleting all traces of infection.
  15. You'd have to use wireshark or a certificate testing site to see irrelevant certificates sent by the server, it's not a feature many (any?) browsers have. Also note: www.beetleforum.net = 52.70.228.38 forum.piriform.com = 52.70.228.38 Both sites are hosted on the same IP address.
  16. I'm open to non-staff input and speculation. Which ones did you encounter?
  17. Second SSL certificate (expired) being offered by the website forum.piriform.com (on port 443, standard port). Also it shares the IP address with forum.piriform.com. I figured it was some "owner's secondary interest" kind of thing.
  18. "Short answer, 'No, initialization shouldn't make the data unrecoverable' but probably won't make it any easier to recover either." Note that in this user's case the drive is showing up as 0 bytes. Maybe a controller failure, disk surface/head failure, or the firmware couldn't be read off of the platters.
  19. What is hxxps://www.beetleforum.net? Kind of an odd thing to find here at piriform...
  20. Can you clarify why there is a second build of "5.33.6162" signed 16 minutes later? Why was this second copy created? What is changed? Is it typical to build and sign a second copy of the software (and installer) ever? (or not to change the build number?) Is the malware different in version B? Does it connect to another server? Variant A: ccsetup533.exe SHA-256 1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF Signing date 8/3/2017 10:43 AM CCleaner.exe (32-bit 5.33.6162) SHA-256 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9 Signing date 8/3/2017 10:42 AM Variant B: ccsetup533.exe SHA-256 276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012 Signing date 8/3/2017 10:59 AM CCleaner.exe (32-bit 5.33.6162) SHA-256 36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9 Signing date 8/3/2017 10:58 AM
  21. Initialize disk overwrites the MBR (and partition table) or GPT. I don't see how erasing the list of partitions on the disk is going to help with data recovery. If the MBR (and partition table) or GPT is corrupt windows will want to make a new one and assume the disk is blank so you can use it. That's not what he wants.
  22. And where is this file? On your computer where only you have control, or somewhere else?
  23. I don't think he wants to erase or write to the disk, I think he wants his data back from the disk. Besides the drive is showing up with no media / zero size, something is way wrong.
  24. Looks like HD 0 is broken or something. Doesn't seem that the drive is functional. If you bring up the device manager and go to view->"devices by connection" and find your 2-3 hard drives what does it look like? Also for some unknown reason you have Disk 1 with an (empty) extended partition taking up most of the space. Extended partition is only necessary on MBR drives where you need MORE than 4 partitions.
  25. You can read the full article here: https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident Tom So what would prevent the malware server (which the infected ccleaner told what software we are running) from NOT deploying phase/stage 2 to ANY of those computers running avast?
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.