
NonConvergentWaveform

Posts posted by NonConvergentWaveform

  1.  

    MD5: ef694b89ad7addb9a16bb6f26f1efaf7 = CCleaner.exe (32-bit 5.33.6162)

    SHA-256: 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9

    Signing date: 8/3/2017 10:42 AM

     

    By "2 active Trojans" you mean 2 left over registry traces? That hardly counts. What counts is the stage/phase 2 download that the attacker only did on some machines (targeted attack) that no-one is talking about or has a good sample of. No idea what it does or if it exists.

     

    Right--2 leftover registry Trojans---Malwarebytes listed them as "Trojans".

    I'll be running a deep scan real soon---hoping it doesn't find any more crap.

    Traces FROM Trojans.

    A burglar's footprint is FROM a burglar, but it can't steal your TV.

     

    Don't worry about how to remove his footprint from the mud, worry about what his friend (that he invited) was doing hiding in your house for the last month.

  2.  

    Hi all,

     

    The only version affected is the 32-bit binary of CCleaner v5.33.6162. It was the application that was the issue, not the installer. If you’re using a 64-bit version of CCleaner, then you’re unaffected although we recommend updating to the latest version. There is also no effect to the Mac or Android versions.

     

    At this time, we won’t be releasing a detection tool as the issue was in CCleaner itself, so uninstalling or updating the software removes the risk. You can download directly for free from here: www.piriform.com/ccleaner/download/standard

     

    For those interested, the MD5 hash of the affected CCleaner.exe is: ef694b89ad7addb9a16bb6f26f1efaf7

     

    Thanks - Tom

     

    After installing CC V 5.35 I ran a Malwarebytes scan and it found 2 Floxit trojans in 2 registry keys named Agoma. I removed them quick then ran another scan to make sure it got rid of those.

    So it seems even though the new version may remove the threat, version 5.33 leaves behind at least 2 active Trojans.

    It found those on a quick scan--there may be more when I run a deep scan.

    Anyone that had version 5.33 installed should really run a Malwarebytes scan like now.

     

    MD5: ef694b89ad7addb9a16bb6f26f1efaf7 = CCleaner.exe (32-bit 5.33.6162)

    SHA-256: 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9

    Signing date: 8/3/2017 10:42 AM

     

    By "2 active Trojans" you mean 2 left over registry traces? That hardly counts. What counts is the stage/phase 2 download that the attacker only did on some machines (targeted attack) that no-one is talking about or has a good sample of. No idea what it does or if it exists.

  3. You don't have to reinstall your Windows. The trojan was embedded in ccleaner.exe; as soon as you upgrade to CCleaner 5.35 the trojan is gone. Also the recipient server, to which data was being sent, has been shut down.

    Thirdly your usernames and passwords were not at risk in this attack.

     

    Can you/Piriform clarify why there is a second build of "5.33.6162" signed 16 minutes later? Why was this second copy created? What is changed? Is it typical to build and sign a second copy of the software (and installer) ever? (or not to change the build number?)

     

    ccsetup533.exe
    SHA-256: 1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF
    Signing date: 8/3/2017 10:43 AM

    CCleaner.exe (32-bit 5.33.6162)
    SHA-256: 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9
    Signing date: 8/3/2017 10:42 AM

    ccsetup533.exe
    SHA-256: 276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012
    Signing date: 8/3/2017 10:59 AM

    CCleaner.exe (32-bit 5.33.6162)
    SHA-256: 36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9
    Signing date: 8/3/2017 10:58 AM


    Also since the malware (when talking to the malware server when it was up for weeks) sends a list of running software couldn't the malware authors have chosen NOT to deploy malware phase/stage 2 (or to deploy different malware) on the basis of which anti-virus (if any) was installed or any of a large number of system specific criteria?

     

    How would you know what stage/phase 2 malware was deployed (under the control of the malware author on the basis of system data sent via the trojan) if the malware author chose not to deploy it to systems with Avast installed?

     

    Was the malware server captured for examination? I understand that it is (probably) in the USA. Clues from it could be revealing/handy.
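As an added example (my own code, not from the thread or from Piriform), a small Python check that reproduces the comparison made in the post above: it groups the SHA-256 values and signing times posted in this thread by file name and version, flags any version string that maps to more than one distinct signed binary, reports the signing-time gap, and can match a local file's digest against the listed builds. The list structure and function names are mine; the hashes, versions and times are the ones quoted in the thread.

```python
import hashlib
from collections import defaultdict
from datetime import datetime

# The four signed builds listed in the thread: (file, version, SHA-256, signing time).
# The tuple layout is constructed here; the values are the ones posted above.
SIGNED_BUILDS = [
    ("ccsetup533.exe", "5.33.6162",
     "1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF", "8/3/2017 10:43 AM"),
    ("CCleaner.exe", "5.33.6162",
     "6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9", "8/3/2017 10:42 AM"),
    ("ccsetup533.exe", "5.33.6162",
     "276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012", "8/3/2017 10:59 AM"),
    ("CCleaner.exe", "5.33.6162",
     "36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9", "8/3/2017 10:58 AM"),
]

def parse_time(s):
    """Parse the 'M/D/YYYY H:MM AM' format used in the thread."""
    return datetime.strptime(s, "%m/%d/%Y %I:%M %p")

def find_version_collisions(builds):
    """Return {(file, version): [(sha256, signing_time), ...]} for every file+version
    that appears with more than one distinct digest, ordered by signing time.
    One version string backed by two different binaries is the anomaly asked about."""
    groups = defaultdict(dict)
    for name, version, sha, signed in builds:
        groups[(name, version)][sha.lower()] = parse_time(signed)
    return {key: sorted(hashes.items(), key=lambda kv: kv[1])
            for key, hashes in groups.items() if len(hashes) > 1}

def rebuild_gap_minutes(collisions, name, version):
    """Whole minutes between the first and last signing of one colliding file+version."""
    entries = collisions[(name, version)]
    return int((entries[-1][1] - entries[0][1]).total_seconds() // 60)

def classify_digest(digest, builds=SIGNED_BUILDS):
    """Map a SHA-256 hex digest to (file, version, signing_time) or None if not listed."""
    for name, version, sha, signed in builds:
        if sha.lower() == digest.lower():
            return (name, version, signed)
    return None

def classify_file(path, builds=SIGNED_BUILDS):
    """Hash a local file in chunks and look it up against the listed builds."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return classify_digest(h.hexdigest(), builds)
```

Running `find_version_collisions(SIGNED_BUILDS)` on the thread's data reports both the application and the installer as collisions, each with a 16-minute gap between signings.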
