CCleaner infected with malware

People like clean things, and hard disk space is not free so I'd rather have that browser cache and temp clean at the end of the day.
Also cleans ALL browsers and the junk most of your software leaves, with one press of a button. This is what people fail to understand, it's just too convenient.
And lets you choose what data to even delete so you can leave the stuff you use and don't want cleaned.

Each to their own, I'm not too keen to run Windows Cleanup weekly on each HDD/SSD I have and try to remember to empty the trash can when space starts to run out, when I can just have this one handy button.

I'm gonna say this simply for the non-IT geeks.

File caching and temp files and browser caches exist for a reason. To speed things up.

Tinkering with the registry by "cleaning" it has no tangible benefits and only risks (even if they are fairly minor). Microsoft's registry is like its own proprietary thing. It isn't open source.

You're only slowing yourself down by fiddling with this stuff on a weekly basis, or at best, doing nothing to speed your PC up.

The only reason you would need to do aggressive cache cleaning / temp files cleaning / etc is if you were on a very small SSD or the like that you critically need the space.

And every app you run expands your attack surface, this exact attack is an example of that.

"Cleanup" like this app is doing isn't going to speed things up.

Again, it's like the Black Viper tweaks all over again. The theory of disabling not-useful services sounds good to the uninformed, but in reality, it either does nothing (best case scenario) or it slows things down (worse case scenario) or it breaks stuff (worst case scenario).

Cleaning up temp files and such is the kind of thing you should be doing once in a blue moon. Not weekly.

And "it's too hard to remember to empty the recycle bin"? Really?
 

Sky87

Member
Tried opening CCleaner to see which version I had, instantly got quarantined by Avira, so I guess I had the infected version. Got identified as TR/RedCap.zioqa

EDIT: The 32bit binary was quarantined, the 64bit version is still in my folder. It was 5.33.6162, going to update to 5.34
EDIT2: Check registry if you believe you were hit. Check to see if you have a listing at HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo. If the listing exists (Agomo) there should be two values named MUID and TCID. This means you were infected. Luckily it doesn't exist in my registry.

Source: https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/
 
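Turning the checks in the post above into something repeatable, as an added example (this is not code from the thread, from the BleepingComputer article, or from Piriform/Avast): a PowerShell triage script that lists each CCleaner executable in the install directory with its build number, Authenticode status and SHA-256, and then looks for the Agomo key. The build 5.33.6162, the key path HKLM\SOFTWARE\Piriform\Agomo and the MUID/TCID value names come from the post; the default install path, the extra WOW6432Node lookup (a 32-bit process on 64-bit Windows may have its HKLM\SOFTWARE writes redirected there) and the wording of the warnings are my assumptions.

```powershell
# Added triage example, not code from the thread, BleepingComputer or Piriform/Avast.
# Run from an elevated PowerShell prompt. Nothing here cleans or removes anything;
# it only reports the indicators named in the post above.

$AffectedBuild = [version]'5.33.6162'        # build number named in the post above
$AgomoKeys = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',              # key named in the post above
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'   # assumption: 32-bit redirection on 64-bit Windows
)

function Test-AgomoKey {
    # Returns $true when either key exists and carries both values the post describes.
    foreach ($key in $AgomoKeys) {
        if (Test-Path -Path $key) {
            $p = Get-ItemProperty -Path $key
            if (($null -ne $p.MUID) -and ($null -ne $p.TCID)) { return $true }
        }
    }
    return $false
}

function Get-CCleanerBinaryReport {
    # Default install directory is an assumption; pass -InstallDir if yours differs.
    param([string]$InstallDir = (Join-Path $env:ProgramFiles 'CCleaner'))

    # The installer drops both a 32-bit and a 64-bit executable; the post above
    # says only the 32-bit one was quarantined, so report each file separately.
    Get-ChildItem -Path $InstallDir -Filter 'CCleaner*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ver = $_.VersionInfo.FileVersionRaw   # [System.Version] from the PE version resource
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File            = $_.Name
                Version         = $ver
                IsAffectedBuild = ($ver -eq $AffectedBuild)
                # A valid signature does NOT clear the file: the thread notes the
                # trojanised build shipped inside Piriform's legitimately signed binary.
                SignatureStatus = $sig.Status
                Signer          = $sig.SignerCertificate.Subject
                # Hash is for lookup against vendor/AV indicator lists; none is
                # hard-coded here because the thread gives no hashes.
                SHA256          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$report = Get-CCleanerBinaryReport
$report | Format-Table -AutoSize

if (Test-AgomoKey) {
    Write-Warning 'Agomo key with MUID and TCID present: the post above treats this as a sign the backdoor ran. Do not rely on uninstalling CCleaner alone.'
} elseif ($report | Where-Object { $_.IsAffectedBuild }) {
    Write-Warning 'Affected build 5.33.6162 is on disk but no Agomo key was found: remove it, update to 5.34 or later, then scan.'
} else {
    Write-Output 'No affected build and no Agomo key found.'
}
```

Read the signature column with the thread's own caveat in mind: "Valid" from Get-AuthenticodeSignature tells you the file is the one Piriform signed, which in this incident is exactly the problem, so the build number and the registry key are the checks that matter, and the hash is only there to compare against an indicator list you trust.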
Damn, whoever got this in the signed binary knew their stuff. The malware does almost everything it can to avoid standard detection techniques.

Considering Piriform got acquired by Avast just before the malware started being distributed, I'm really curious to know whether this was a security breach exploited during the carryover or a mad developer that got laid off.
 

mrkgoo

Member
I'm gonna say this simply for the non-IT geeks.

This.

I mean what's the point of having excessive sized hard drives if it isn't being used to speed things up or otherwise make something more efficient and convenient?
 

Kudo

Member
I'm gonna say this simply for the non-IT geeks.

I work in IT, but thanks for making it clear.
And yes, I keep my desktop clean so there's no shortcut to recycle bin there, too used to CCleaner just taking care of it.
 
So some vigilante apparently got into the command + control server the malware was talking to (detailed in the original tech writeup), and handed over the files there to Talos.

Talos then posted an update with more information about what the malware actually did, and some info about how many machines were affected:

http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

It looks like it was a highly targeted attack; the server was set up to check if the infected machine belonged to a predefined set of organizations, and then install further malware from another server. It's very possible the set of organizations changed over time.

Over 700k machines reported to the command and control server in a recent 4 day period, and of those, only 20-30 of them were actually instructed to install further malware. It's very likely that far more machines were infected than that, since the malware was in the CCleaner install binary for a few months.
 

RR30

Member
I'm on 5.14 lol. Guess I dodged a bullet. Is it safe to update, or should I just delete it at this point?
 
I'm gonna say this simply for the non-IT geeks.

I mean my experience is from Windows 7. But I distinctly remember as a non-IT person who was moderately computer literate needing to go in regularly and cleaning out old files because in reality shit had the opposite effect: my PC would become a slow piece of shit. It was the primary reason I switched to a Mac, as micromanaging a rig stopped being fun and felt like a waste of time. I didn't clean out the registry often but I remember it having bad shit causing issues every now and then.

Now we're at windows 10 and it's better I hope but that culture of cleaning a pc is still there. You're saying it's no longer the case. I hope you're right because it's time for me to upgrade and I want to come back to windows but shit like this makes me wanna stay in my walled garden.
 

Akronis

Member
Registry "cleaning" or registry maintenance has always been scummy shit. There are issues that can crop up that require you to edit the registry, but dumb shitty programs aren't going to fix those.
 

Erebus

Member
I'm on 5.14 lol. Guess I dodged a bullet. Is it safe to update, or should I just delete it at this point?
It is safe to update now.

I don't understand why people are rushing to uninstall it now. If your PC was infected simply uninstalling CCleaner won't do you any good. And if you're on an older version than the affected one, just update to the latest one.

I don't understand the overreaction in this thread with people uninstalling it lol.
 
Registry "cleaning" or registry maintenance has always been scummy shit. There are issues that can crop up that require you to edit the registry, but dumb shitty programs aren't going to fix those.

From what I remember it was a cache aggregator. Just said "here's a list of all the shit you can clear out" and "here's some dead-end registry entries that could cause issues". I tried not to fuck with the registry often, but every once in a while I'd back it up and clean it. Never a problem, but you're right, it prolly ain't do shit either.

It is safe to update now.

I think it's a loss of trust in the brand and never risking it again by using it. I personally would never use another Avast product again. For protection software, not having malware-infested shit is a key competency to have. Their name is mud to me now.
 

Rootbeer

Banned
So some vigilante apparently got into the command + control server the malware was talking to (detailed in the original tech writeup), and handed over the files there to Talos.
Thanks, very interesting. Thank goodness for the white hats.

Added it to the OP since I'm sure there are still people out there who haven't uninstalled or upgraded. Just to be safe.
 

LoveCake

Member
I just scanned mine and it flagged up Trojan - Nyetya.

I had the 5.33 x64 version running Win10 as an Admin.

I have removed it now, but am I ok now?

I have scanned a few times now with Malwarebytes and Kaspersky and nothing is showing up, should I re-install or reset my Windows 10 or am I ok?

There seems to be quite some confusion, as the download contains both the 32-bit and 64-bit binaries, and when people with 64-bit machines have scanned, the scan has picked up something related to the CCleaner installer.

I am now really thinking about resetting my system, even though it's going to be a hassle.

Avast really need to be telling normal users what they should be doing, even having something flash up on the screen when they open the program. It's ok (it's not, I agree) for the big companies with a staff of IT people and huge resources, but us normal users need good advice. It's ok to put a load of code in a blog that you need to be a computer scientist to understand, but the people who don't understand are going to be the most vulnerable.
 
I'm just bumping this to let you know it could be infected again. Before it came out it was infected I ran the update and ran a clean of my system. My system started lagging a lot, but no virus scan detected anything. I had to update to Windows 10 to fix it. Now I ran it again on the newest version and the same thing is happening.
 

badflame

Banned
I'm just bumping this to let you know it could be infected again. Before it came out it was infected I ran the update and ran a clean of my system. My system started lagging a lot, but no virus scan detected anything. I had to update to Windows 10 to fix it. Now I ran it again on the newest version and the same thing is happening.

For security, I never update the programs to the latest version until it has been tested.
 

Future

Member
Was just thinking the other day to buy an iPad and embrace the closed nature of the OS and browser. Use the PC only for software I absolutely have to have, and browse with the iPad.
 

Zonic

Gives all the fucks
*checks version*

I'm on 5.35.6210. I THINK I'm in the clear? I even had Malwarebytes do a scan & remove two items (though I don't think they were related to this?), plus I haven't noticed any issues with my laptop.

I also barely use it, so I feel like I haven't updated it, let alone touched it when this was discovered.
 
I'm on 5.35.6210. I THINK I'm in the clear?
I honestly haven't updated ccleaner in what feels like a couple of years.
 