• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.
  • Hi Guest. We've rebooted and consolidated our Communities section, so be sure to check it out and subscribe to some threads. Thanks!

CCleaner infected with malware

Zulithe

Member
Jan 9, 2012
16,196
1
595
San Francisco, CA
TLDR: uninstalling 5.33 or upgrading to 5.34 (or newer) removes the malware as it is embedded within the CCleaner binary itself, even though thankfully it has been made inert since control of the remote servers is no longer in the wrong hands. Read on for more details.




In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017 version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates. This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018. Piriform was the company that Avast recently acquired and was the original company who developed the CCleaner software application.
Detailed analysis of the malware attack from TALOS

Blog post from Piriform about this

UPDATE:
So some vigilante apparently got into the command + control server the malware was talking to (detailed in the original tech writeup), and handed over the files there to Talos.

Talos then posted an update with more information about what the malware actually did, and some info about how many machines were affected:

http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

It looks like it was a highly targeted attack; the server was set up to check if the infected machine belonged to a predefined set of organizations, and then install further malware from another server. It's very possible the set of organizations changed over time.

Over 700k machines reported to the command and control server in a recent 4 day period, and of those, only 20-30 of them were actually instructed to install further malware. It's very likely that far more machines were infected than that, since the malware was in the CCleaner install binary for a few months.
 

astroturfing

Member
May 20, 2009
9,211
0
0
37
Finland
i cant keep up with all this malware/ransomware/spyware bullshit.. i want to give up. just take all my personal info and passwords etc, go ahead. do it.
 

Htown

STOP SHITTING ON MY MOTHER'S HEADSTONE
Feb 19, 2008
44,017
0
0
just opened my ccleaner, it's on 5.32

dodged a bullet by not updating, apparently

jeez
 

FyreWulff

Member
Jan 21, 2010
39,743
0
0
The Internet
fyrewulff.com
And it looks like it's due to being internally compromised:

The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Ideally this certificate should be revoked and untrusted moving forward. When generating a new cert care must be taken to ensure attackers have no foothold within the environment with which to compromise the new certificate. Only the incident response process can provide details regarding the scope of this issue and how to best address it.

Interestingly the following compilation artifact was found within the CCleaner binary that Talos analyzed:

S:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb

Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.
 

compo

Banned
Jul 26, 2016
569
0
0
I've never downloaded a virus scanner on android. It's too hard to weed out the scam scanners, and android has been relatively safe so far in terms of malware, as long as you don't go to weird sites (oddly enough, NeoGAF mobile is the scariest site I go to, with its weird redirecting ads that vibrate your phone, and whatnot).

Should I download a virus scanner, though? And if so, does anyone have a recommendation for a legitimate virus scanner?
 

throwawayname

Member
Jun 3, 2009
4,489
0
0
So I have v5.33.... what else should I do besides uninstalling?
I did a virus and malware scan 2 days ago without any findings.
 

big_z

Member
Oct 15, 2005
13,836
1
1,025
I also had 5.33 installed but I download my copies from piriform so am I okay or do I need to scrub for the digital stds?
 

Zulithe

Member
Jan 9, 2012
16,196
1
595
San Francisco, CA
So I have v5.33.... what else should I do besides uninstalling?
I did a virus and malware scan 2 days ago without any findings.
Read the blog post to look for artifacts of the malware interacting on your system. aside form that, I'm not sure yet. this seems to still be breaking. Some antivirus software may already be updated to scan for anything it leaves on your system, or shortly will be.
 

Kudo

Member
Nov 11, 2014
4,589
7
340
I also had 5.33 installed but I download my copies from piriform so am I okay or do I need to scrub for the digital stds?
The 5.33 on their site was infected.
Not sure what to do in case of infection, uninstall the software and wait for more, apparently they have closed down the servers the malware connects to.
 

Kuro

Member
Jun 12, 2013
3,538
1
405
So I have v5.33.... what else should I do besides uninstalling?
I did a virus and malware scan 2 days ago without any findings.
Put an up to date antivirus on a flash drive through another PC. Boot infected PC into safemode with networking off. Run scan with flash drive. This usually catches most things. Worse case scenario you'll need to wipe.
 

Oersted

Member
Mar 14, 2012
32,330
1
0
i cant keep up with all this malware/ransomware/spyware bullshit.. i want to give up. just take all my personal info and passwords etc, go ahead. do it.
As someone who just got a mail from a ‎email distributor that said distributor got infected....


yeah. Shit is tiresome.
 

Rilasciare

Member
Jun 12, 2012
184
0
370
I also had 5.33 installed but I download my copies from piriform so am I okay or do I need to scrub for the digital stds?
"Updating to recent versions removes malware
In an email to Bleeping Computer, Avast CTO Ondrej Vlcek said that updating CCleaner to the most recent recent versions fixes any issues, as "the only malware to remove is the one embedded in the CCleaner binary itself."

"The affected software (CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) has been installed on 2.27M machines from its inception up until now," Vlcek also added. "We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm."

"There is no indication or evidence that any additional "malware" has been delivered through the backdoor," Vlcek added."





https://www.bleepingcomputer.com/news/security/ccleaner-compromised-to-distribute-malware-for-almost-a-month/


Seems that v5.34 will fix the issue.
 

slabrock

Banned
Feb 15, 2013
3,436
0
0
yeah that part is both interesting and potentially very important. Does that mean people on 64 bit systems were not compromised?
"This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud"

I believe so. It said the program may have been used by up to 3% of users
 

Nokagi

Unconfirmed Member
Apr 9, 2012
8,012
0
0
Running 5.25. Guess I'm okay. I don't update stuff unless I'm basically forced to.
 

Wulfric

Member
Nov 17, 2014
1,674
81
360
I never update it, still on 5.02. This is why you don't turn on automatic updates folks.