Jump to content
CCleaner Community Forums
Tom Piriform

Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191

Recommended Posts

Well said Patryk R,    The silence from Piriform/Avast is deafening, Where is their integrity and responsibility  to their clients/customers. I too am absolutely gobsmacked at this level of non assistance ..

Most responsible suppliers/manufacturers /developers would be trying to assist their global base of users ,so as to at least be seen as co-operating.

(1) Too much non specific and generalized opinions being released by press and media  outlets. 

(2) Most previous info releases via Piriform has been  outdated and or not totally correct .

 

Piriform can no longer leave this forums moderators to answer and assist in an issue that is obviously well outside of their ability to answer.

Am i Frustrated (yes) It would seem as though Piriform previous owners have their money covering their ears ,and Avast are playing the (its not our fault ) card.

 

I too have regular backups to a seperate HD,automated as full systems ,but the time and losses to approx July August Sept data is huge,seeing as i updated CCleaner at every version release.

Share this post


Link to post
Share on other sites

Well said Patryk R,    The silence from Piriform/Avast is deafening, Where is their integrity and responsibility  to their clients/customers. I too am absolutely gobsmacked at this level of non assistance ....

 

...I too have regular backups to a seperate HD,automated as full systems ,but the time and losses to approx July August Sept data is huge,seeing as i updated CCleaner at every version release.

 

Lots of users waiting for some clarity from Piriform before making decisions on restoring/re-imaging.

 

As of now:

 

1.  the moderators seem to be saying restoring is overkill because installing 5.35 etc magicks problems away

 

2.   the youtube video***  the mods are so anxious for us to view seems to be saying re-imaging is a waste of time since we are already "owned" by the hackers. 

 

3. our best hope  seems to be that the hackers will be too busy tussling with microsoft and google etc to bother with anything they got from our systems

 

 

***  "https://www.youtube.com/watch?v=i1u0LqZLDvc&feature=youtu.be"

      It's ironic that mods on a piriform-ponsored forum are linking to a clip called "The Horrors of Ccleaner".   It has cool music

Share this post


Link to post
Share on other sites

Hi again everyone,

 

Avast have published some more information from the investigation. I'll share more information when I'm able.

 

 

Avast blog: Investigation Progress Update #3 by Avast Threat Labs team (Monday, 25 September 2017)

This third progress confirms how many and which companies were specifically targeted by the attack and present a hypothesis on the origin of the perpetrator(s). The blogpost also contains a full list of IOCs (Indicators of Compromise - in this case a list of files whose existence show that a system has at one time been compromised by this attack).

https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident

Share this post


Link to post
Share on other sites

I Read The news in The avast blog And It confirms that The Trojan create The Agomo Keys in registry so without Them The system was Not affected, right?

Share this post


Link to post
Share on other sites

post-80099-0-74954200-1506349042_thumb.jpgUsing Ccleaner on an HP laptop running Win 10 build 15063. On 9/25/17 IObit Malware Fighter Pro 5.2 picked up Backdoor.Agent.ABXS in the installation file ccsetup533.exe (screenshot attached).

Share this post


Link to post
Share on other sites

I Read The news in The avast blog And It confirms that The Trojan create The Agomo Keys in registry so without Them The system was Not affected, right?

Some antivirus software have been updated to remove these keys, so this is not necessarily true. However, if your antivirus solution has not flagged these keys to you before removing, then it suggests no communication from your system was made to the command and control server.

Share this post


Link to post
Share on other sites

Piriform: Can you please provide cryptographic hashes of the compromised installers and the infected CCleaner.exe binaries for versions of CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191 and list them on your security notification page (https://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users). Maybe MD5, SHA1, and SHA256.

 

Hashes and other FAQs: https://piriform.zendesk.com/hc/en-us/articles/115001699371

 

Indicators of Compromise (IOCs) are in the latest Avast blogpost: https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident

Share this post


Link to post
Share on other sites

attachicon.gifIMF Ccl 533 message.jpgUsing Ccleaner on an HP laptop running Win 10 build 15063. On 9/25/17 IObit Malware Fighter Pro 5.2 picked up Backdoor.Agent.ABXS in the installation file ccsetup533.exe (screenshot attached).

As has been mentioned, all reputable antivirus solutions have been updated to detect CCleaner v5.33 as containing malicious code. This includes the v5.33 installer file that may still have been present on your system from the initial download.

Share this post


Link to post
Share on other sites

 

You continue to use confusing language like "all users with the 32-bit version". That's literally ALL users because the same installer is used for both 64-bit and 32-bit systems and on a 64-bit system both executable files are installed. Could we get some clarification on this? If 64-bit systems were not affected by the malware then why not? What prevented the malware from executing?

Share this post


Link to post
Share on other sites

Some antivirus software have been updated to remove these keys, so this is not necessarily true. However, if your antivirus solution has not flagged these keys to you before removing, then it suggests no communication from your system was made to the command and control server.

 

when the notice of the trojan was comunicate last monday I just have installed version 5.34, my antivirus only detected the installer that I have on Document folder. I searched the keys on the registry but there weren t and not Kis2017 or Malwearebytes detected them on my system. I have windows 10 64bit and ccleaner 64bit

Share this post


Link to post
Share on other sites

I Read The news in The avast blog And It confirms that The Trojan create The Agomo Keys in registry so without Them The system was Not affected, right?

As long as the 2nd stage virus (and any other viruses it downloaded later) didn't delete that key and/or itself before you checked.

 

 

Didn't run CCleaner v5.33.0.6162 (or CCleanerCloud v1.7.0.3191) at any point = not infected

Installed but didn't run CCleaner v5.33.0.6162 (or CCleanerCloud v1.7.0.3191) before September 16th = not infected (this assumes the installer doesn't run the main exe files at all after installing)

Installed and ran CCleaner v5.33.0.6162 before September 16th, but firewall rules denied CCleaner.exe all network access = not infected

Installed and ran CCleaner v5.33.0.6162 (or CCleanerCloud v1.7.0.3191) after September 15th = not infected (malware server disabled)

 

CCleanerCloud users (64-bit and 32-bit OSes):

Installed and ran CCleanerCloud v1.7.0.3191 before September 16th = Stage 2 possible

 

64-bit users:

Installed and ran CCleaner v5.33.0.6162 before September 16th, but did not use the skip User Account Control (UAC) feature and did not run the 32-bit main exe = not infected

Installed and ran CCleaner v5.33.0.6162 before September 16th, and did use the skip User Account Control (UAC) feature OR ran the 32-bit main exe = status unclear (see note A1)

Note A1: If the tampered 32-bit main exe file (CCleaner.exe) exits after running the untampered 64-bit main exe = not infected

Note A1_*_: If the tampered 32-bit main exe file (CCleaner.exe) persists while waiting for the 10 minute delay after passing control to the untampered 64-bit main exe = Stage 2 possible

_*_ -- There is no way (currently known) for the line above happen in any normal situation.

32-bit users:

Installed and ran CCleaner v5.33.0.6162 before September 16th = Stage 2 possible

 

 

If Stage 2 possible:

The attackers probably decided not to infect your computer. They had the option to infect you, but they passed. (this info comes from the attacker's captured server, info could have been tampered with)

 

For those few machines that were passed stage 2, this malware could have taken any action(s), including downloading more malware, stealing info, and deleting all traces of infection.

Share this post


Link to post
Share on other sites

As long as the 2nd stage virus (and any other viruses it downloaded later) didn't delete that key and/or itself before you checked.

 

 

Didn't run ccleaner v5.33.0.6162 at any point = not infected...

....

.... 

 

If Stage 2 possible:

The attackers probably decided not to infect your computer. They had the option to infect you, but they passed. (this info comes from the attacker's captured server, info could have been tampered with)

 

For those few machines that were passed stage 2, this malware could have taken any action(s), including downloading more malware, stealing info, and deleting all traces of infection.

 

 

Useful summary.  Thanks 

Share this post


Link to post
Share on other sites

64bit users

Installed and ran ccleaner v5.33.0.6162 before September 16th, and did use the skip User Account Control (UAC) feature But run only 64bit version?

 

I only use 64bit version But have The Uac feature active But don t have any Agomo Keys or Webemperf 1-4

Share this post


Link to post
Share on other sites

64bit users

Installed and ran ccleaner v5.33.0.6162 before September 16th, and did use the skip User Account Control (UAC) feature But run only 64bit version?

 

I only use 64bit version But have The Uac feature active But have any Agomo Keys or Webemperf 1-4

Do you mean you do have those keys or don't have?

Share this post


Link to post
Share on other sites

Not have,sorry But My Phone has italian dictionary. I don t have any of that keys And My antivirus kis2017 And malwearbytes haven t detected Them

Share this post


Link to post
Share on other sites
Not have,sorry But My Phone has italian dictionary. I don t have any of that keys And My antivirus kis2017 And malwearbytes haven t detected Them
Sounds like you are not infected (based on the information we have on the infection thus far)

Share this post


Link to post
Share on other sites

I hope that since now are not 100% targeted to help companies but also normal users, we need an AFFIRMATION by avast / piriform if removing ccleaner533 we are already safe. Although the 2nd stage of malware has not been downloaded

Share this post


Link to post
Share on other sites

I'm running v. 5.35621 64bit and just got a virus detection from my Defender. I did an update a while back and thought it was safe, guess not.

 

post-80103-0-10321700-1506373214_thumb.jpg

Share this post


Link to post
Share on other sites

I'm running v. 5.35621 64bit and just got a virus detection from my Defender. I did an update a while back and thought it was safe, guess not.

the antivirus detected the installer of the previous ccleaner to me also I detect the malwarebytes

Share this post


Link to post
Share on other sites

As long as the 2nd stage virus (and any other viruses it downloaded later) didn't delete that key and/or itself before you checked.

 

 

Didn't run ccleaner v5.33.0.6162 at any point = not infected

Installed but didn't run ccleaner v5.33.0.6162 before September 16th = not infected (this assumes the installed doesn't run the main exe files at all after installing)

Installed and ran ccleaner v5.33.0.6162 before September 16th, but firewall rules denied CCleaner.exe all network access = not infected

Installed and ran ccleaner v5.33.0.6162 after September 15th = not infected (malware server disabled)

 

64-bit users:

Installed and ran ccleaner v5.33.0.6162 before September 16th, but did not use the skip User Account Control (UAC) feature and did not run the 32-bit main exe = not infected

Installed and ran ccleaner v5.33.0.6162 before September 16th, and did use the skip User Account Control (UAC) feature OR ran the 32-bit main exe = status unclear (see note A1)

Note A1: If the tampered 32-bit main exe file (CCleaner.exe) exits after running the untampered 64-bit main exe = not infected

Note A1: If the tampered 32-bit main exe file (CCleaner.exe) persists while waiting for the 10 minute delay after passing control to the untampered 64-bit main exe = Stage 2 possible

 

32-bit users:

Installed and ran ccleaner v5.33.0.6162 before September 16th = Stage 2 possible

 

 

If Stage 2 possible:

The attackers probably decided not to infect your computer. They had the option to infect you, but they passed. (this info comes from the attacker's captured server, info could have been tampered with)

 

For those few machines that were passed stage 2, this malware could have taken any action(s), including downloading more malware, stealing info, and deleting all traces of infection.

I read an article that states a 32 bit and 64 bit trojan existed. This is what has confused me as it was stated it only affected 32 bit machines yet it says something different if a 64 bit existed. Was this 64 bit trojan for the second stage?

Share this post


Link to post
Share on other sites
I'm running v. 5.35621 64bit and just got a virus detection from my Defender. I did an update a while back and thought it was safe, guess not.

 

You have the installer for the malicious ccleaner. Look at your image closer and notice the captured file is from the downloads folder.

Share this post


Link to post
Share on other sites

Those PCMatic guys being classy again at the merest hint of blood in a competitor - CCleaner "RIDDLED With Malware". "2 Billion devices exposed" <_<

Surely this being emailed out to millions today, when the facts proving it wrong were available a week ago ("2.27 million people used the affected software" - Piriform blog, September 18, 2017) is borderline defamation?
 

Qyj5Zgt.jpg

Share this post


Link to post
Share on other sites

64bit users

Installed and ran ccleaner v5.33.0.6162 before September 16th, and did use the skip User Account Control (UAC) feature But run only 64bit version?

 

I only use 64bit version But have The Uac feature active But don t have any Agomo Keys or Webemperf 1-4

If you are on a windows 64-bit be sure to check the 32-bit registry as if a 32-bit program wrote to:

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

and you checked it with regedit it would actually end up here:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Piriform\Agomo

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

×
×
  • Create New...