
CCleaner infected with malware

Rootbeer

Banned
TLDR: uninstalling 5.33 or upgrading to 5.34 (or newer) removes the malware as it is embedded within the CCleaner binary itself, even though thankfully it has been made inert since control of the remote servers is no longer in the wrong hands. Read on for more details.




In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017 version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates. This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018. Piriform is the company that Avast recently acquired and the original company that developed the CCleaner software application.

Detailed analysis of the malware attack from TALOS

Blog post from Piriform about this

UPDATE:
So some vigilante apparently got into the command + control server the malware was talking to (detailed in the original tech writeup), and handed over the files there to Talos.

Talos then posted an update with more information about what the malware actually did, and some info about how many machines were affected:

http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

It looks like it was a highly targeted attack; the server was set up to check if the infected machine belonged to a predefined set of organizations, and then install further malware from another server. It's very possible the set of organizations changed over time.

Over 700k machines reported to the command and control server in a recent 4 day period, and of those, only 20-30 of them were actually instructed to install further malware. It's very likely that far more machines were infected than that, since the malware was in the CCleaner install binary for a few months.
 
I can't keep up with all this malware/ransomware/spyware bullshit. I want to give up. Just take all my personal info and passwords etc., go ahead. Do it.
 

Htown

Just opened my CCleaner; it's on 5.32.

Dodged a bullet by not updating, apparently.

Jeez.
 

FyreWulff

Member
And it looks like it's due to being internally compromised:

The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Ideally this certificate should be revoked and untrusted moving forward. When generating a new cert care must be taken to ensure attackers have no foothold within the environment with which to compromise the new certificate. Only the incident response process can provide details regarding the scope of this issue and how to best address it.

Interestingly the following compilation artifact was found within the CCleaner binary that Talos analyzed:

S:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb

Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.
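The two facts Talos leaned on above, the PDB path compiled into the binary and (from the Avast statement later in the thread) whether a build is 32-bit, can both be read straight out of a PE file. The following script is an added example written for this thread, not code from Talos, Piriform or Avast. It parses the PE headers with only the Python standard library, walks the debug directory to the CodeView "RSDS" record, and reports the PDB path, GUID and age together with the COFF machine type. The sample image it builds for offline use is a constructed minimal PE32 with an arbitrary GUID, not a CCleaner binary; the only thing borrowed from the thread is the PDB path string.

```python
"""
Pull the CodeView (RSDS) record and the target architecture out of a PE file
using only the standard library: the PDB path left in the binary and whether
it is a 32-bit (IMAGE_FILE_MACHINE_I386) build.
"""
import struct
import sys
import uuid

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_DEBUG_TYPE_CODEVIEW = 2
IMAGE_DIRECTORY_ENTRY_DEBUG = 6


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def inspect_pe(data):
    """Return machine type, 32-bit flag and the RSDS PDB path/GUID/age (if any)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start 96 bytes into the optional header
        dir_base = opt + 96
    elif magic == 0x20B:      # PE32+: 112 bytes in
        dir_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dir_base + IMAGE_DIRECTORY_ENTRY_DEBUG * 8)

    sections = []
    sec_table = opt + opt_size
    for i in range(nsections):
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_table + i * 40 + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))

    info = {"machine": machine, "is_32bit": machine == IMAGE_FILE_MACHINE_I386,
            "pdb_path": None, "pdb_guid": None, "pdb_age": None}
    if dbg_rva == 0 or dbg_size == 0:
        return info                      # no debug directory: nothing to extract
    dbg_off = _rva_to_offset(dbg_rva, sections)
    for n in range(dbg_size // 28):      # IMAGE_DEBUG_DIRECTORY entries are 28 bytes
        _, _, _, _, dtype, dsize, _, raw_ptr = struct.unpack_from("<IIHHIIII", data, dbg_off + n * 28)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW:
            continue
        cv = data[raw_ptr:raw_ptr + dsize]
        if cv[:4] != b"RSDS":            # only the PDB 7.0 layout is handled here
            continue
        info["pdb_guid"] = str(uuid.UUID(bytes_le=cv[4:20]))
        info["pdb_age"] = struct.unpack_from("<I", cv, 20)[0]
        info["pdb_path"] = cv[24:].split(b"\0", 1)[0].decode("utf-8", "replace")
        break
    return info


def build_sample_pe(machine=IMAGE_FILE_MACHINE_I386,
                    pdb_path=b"S:\\workspace\\ccleaner\\branches\\v5.33\\bin\\CCleaner\\Release\\CCleaner.pdb"):
    """Constructed minimal PE32 image for offline testing (NOT a CCleaner binary):
    one section holding a debug directory entry followed by an RSDS record.
    The GUID is arbitrary."""
    sec_rva, sec_off, e_lfanew = 0x1000, 0x400, 0x80
    cv = b"RSDS" + uuid.UUID(int=0x0123456789ABCDEF0123456789ABCDEF).bytes_le \
        + struct.pack("<I", 1) + pdb_path + b"\0"
    dbg_entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                            len(cv), sec_rva + 28, sec_off + 28)
    section_data = dbg_entry + cv
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 224, 0x102)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, IMAGE_DIRECTORY_ENTRY_DEBUG * 8, sec_rva, 28)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0") + bytes(dirs)    # 224-byte PE32 optional header
    sec_hdr = b".rdata\0\0" + struct.pack("<IIII", len(section_data), sec_rva,
                                          len(section_data), sec_off) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + opt + sec_hdr
    return headers.ljust(sec_off, b"\0") + section_data


if __name__ == "__main__":
    # Usage: python inspect_pe.py CCleaner.exe   (no argument: constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for k, v in inspect_pe(data).items():
        print("%-9s %s" % (k, v))
```

Two caveats when running this on a real installer or CCleaner.exe: the PDB path alone proves nothing, since the clean 5.33 build from the same tree would carry the same string, which is exactly why Talos read it as evidence the build environment was compromised rather than as an indicator on its own; and the script does not check the Authenticode signature at all, which on Windows is a `signtool verify /pa` or `Get-AuthenticodeSignature` job. Use the file version (5.33.6162, 32-bit) and the Talos indicators to decide whether a given binary is the affected one.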
 

compo

Banned
I've never downloaded a virus scanner on android. It's too hard to weed out the scam scanners, and android has been relatively safe so far in terms of malware, as long as you don't go to weird sites (oddly enough, NeoGAF mobile is the scariest site I go to, with its weird redirecting ads that vibrate your phone, and whatnot).

Should I download a virus scanner, though? And if so, does anyone have a recommendation for a legitimate virus scanner?
 

big_z

Member
I also had 5.33 installed, but I download my copies from Piriform, so am I okay, or do I need to scrub for the digital STDs?
 

Rootbeer

Banned
So I have v5.33.... what else should I do besides uninstalling?
I did a virus and malware scan 2 days ago without any findings.
Read the blog post to look for artifacts of the malware interacting on your system. Aside from that, I'm not sure yet; this seems to still be breaking. Some antivirus software may already be updated to scan for anything it leaves on your system, or shortly will be.
 

Kudo

Member
I also had 5.33 installed, but I download my copies from Piriform, so am I okay, or do I need to scrub for the digital STDs?

The 5.33 on their site was infected.
Not sure what to do in case of infection; uninstall the software and wait for more. Apparently they have closed down the servers the malware connects to.
 

Kuro

Member
So I have v5.33.... what else should I do besides uninstalling?
I did a virus and malware scan 2 days ago without any findings.

Put an up-to-date antivirus on a flash drive through another PC. Boot the infected PC into safe mode with networking off. Run the scan from the flash drive. This usually catches most things. Worst case scenario, you'll need to wipe.
 

Oersted

Member
I can't keep up with all this malware/ransomware/spyware bullshit. I want to give up. Just take all my personal info and passwords etc., go ahead. Do it.

As someone who just got a mail from an email distributor saying said distributor got infected....

Yeah. Shit is tiresome.
 
I also had 5.33 installed, but I download my copies from Piriform, so am I okay, or do I need to scrub for the digital STDs?

"Updating to recent versions removes malware
In an email to Bleeping Computer, Avast CTO Ondrej Vlcek said that updating CCleaner to the most recent versions fixes any issues, as "the only malware to remove is the one embedded in the CCleaner binary itself."

"The affected software (CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) has been installed on 2.27M machines from its inception up until now," Vlcek also added. "We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm."

"There is no indication or evidence that any additional "malware" has been delivered through the backdoor," Vlcek added."





https://www.bleepingcomputer.com/ne...sed-to-distribute-malware-for-almost-a-month/


Seems that v5.34 will fix the issue.
 

slabrock

Banned
Yeah, that part is both interesting and potentially very important. Does that mean people on 64-bit systems were not compromised?

"This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud"

I believe so. It said the program may have been used by up to 3% of users.
 