Piriform Community Forums
Tom Piriform

Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191


Dear CCleaner customers, users and supporters,

 

We would like to apologise for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. We recently determined that these versions of our software had been compromised. We resolved this quickly and believe no harm was done to any of our home users, but we do have evidence that this has targeted large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the US. This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected.

 


We encourage all CCleaner users to download the latest version of CCleaner: here. We apologize and are taking extra measures to ensure this does not happen again.


 


For further information, please read the official announcements linked below.


 


 


Official Information


 


CCleaner v5.33 and CCleaner Cloud v1.07 Security FAQs


https://piriform.zendesk.com/hc/en-us/articles/115001699371


 


Piriform blog: Security Notification for CCleaner version 5.33.6162 (Monday, 18 September 2017)


Security Notification for a general audience.


http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users


 


Piriform blog: Security Notification with Technical Overview (Monday, 18 September 2017)


A similar announcement to the above, aimed at a technical audience and revealing technical details about the nature of compromise.


http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users


 


Avast blog: Follow-Up Announcement by Avast CEO & CTO (Tuesday, 19 September 2017)


This blogpost confirms the timeline of events surrounding the detection, investigation and announcement of the compromise; what precautions we are advising customers to take and what information we are basing this on; and what precautions we are taking to ensure this does not happen again.


https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident


 


Avast blog: Investigation Progress Update #1 by Avast Threat Labs team (Thursday, 21 September 2017)


This blogpost reveals more information regarding the target of the attack and more technical details about how the compromise behaves.


https://blog.avast.com/progress-on-ccleaner-investigation


 


Avast blog: Investigation Progress Update #2 by Avast Threat Labs team (Thursday, 21 September 2017)


This second progress update explains why only part of the command & control server logs were recovered and provides yet deeper technical understanding of the way the malicious code was put together. It also shares some clues as to the identity of the perpetrators. 


https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident


 


Avast blog: Investigation Progress Update #3 by Avast Threat Labs team (Monday, 25 September 2017)


This third progress update confirms how many and which companies were specifically targeted by the attack and presents a hypothesis on the origin of the perpetrator(s). The blogpost also contains a full list of IOCs (Indicators of Compromise - in this case a list of files whose existence shows that a system has at one time been compromised by this attack).


https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident


 


 


Future announcements will be made on the Piriform and Avast blogs.


 


Piriform Software blog: https://www.piriform.com/news/blog


Avast Software blog: https://blog.avast.com/



Given that you're now owned by a massive security company, Avast, are you going to release a tool that detects and removes the infection? That way any user of your software can do a really quick check to see if you have accidentally infected them and get it removed.

 

Or if disinfection is not possible, then at least a tool to check if you are infected, so that way users can attempt to wind back to a previous state of Windows.

We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download.

 

So is updating to the new version enough to remove the problem, or do I need to do what people are suggesting and reinstall Windows completely? It seems a bit over the top to reinstall Windows, but I'll do it if necessary. Thanks.


So is updating to the new version enough to remove the problem, or do I need to do what people are suggesting and reinstall Windows completely? It seems a bit over the top to reinstall Windows, but I'll do it if necessary. Thanks.

 

Just get a better antivirus and scan your PC/laptop with Malwarebytes.

But this time most AVs should detect the issue.

 

For more info read this link.


Could you give some clarification on the installers and CPU architecture? Because a lot of sites, including Piriform's, are mentioning that only the 32-bit version was affected. However, I also read a lot of reports about only one installer for both architectures being available. So whether you are on x86 or x64, the installer decides which package to install eventually. As an x64 user this kinda confuses me, and now I'm not really sure if my system was infected or not.

 

Also it would be very decent if you could give some instructions to check if you were infected. For example, is the presence of the mentioned registry keys a good indicator to check whether or not you were infected?


I learned of this attack more than an hour ago through an article a friend linked: https://www.forbes.com/sites/thomasbrewster/2017/09/18/ccleaner-cybersecurity-app-infected-with-backdoor/#1ef52507316a

 
I congratulate you on getting in front of the news, reviewing your software, and informing your customers. That is praiseworthy and I will not withhold due praise... but there's a but and here it comes.... but that's not good enough, there's potentially more damage being done at this moment and it is within your power to limit it. Piriform does not have checksums displayed on the website. So customers, like me, can't review their download and learn if they may have been infected.

I did not download CCleaner but I recognized the name immediately because it was "included" with one of your products last week. I'll call it a concentration test. I'm certain you know what I mean: if the customer is installing one piece of software and loses concentration then they may click a button without unchecking a box - and end up with CCleaner on their system. Anyhow, my point is this: we both know at least one dangerous file was hosted; as your customer, I cannot confirm if the file I got last week is clean. A customer doesn't have inside knowledge; they don't know if it was a funny prank by an employee or a serious breach. What they know is one product took a bullet and that makes it conceivable that others may have been lined with it. The single best thing they can do right now is confirm the integrity of their file. At best, the numbers match and the customer is at ease - at worst, the numbers don't match and a second attack vector was discovered... This is information that we both need to know!

As it is right now, I have 2 options: I either finish scrubbing my computer and forget about ever trusting Piriform again, or I turn my computer off and wait for the numbers to be posted so I can move forward with accurate information. Neither choice is pleasant but I really do prefer the second option. Can you see that it gets done quickly?

One last thing, I do find it amusing that Speccy has a sticky informing the readers of a false positive... this is amusing because my concern is a false negative.
 
 
Thank you,
 
Prof


Piriform: Can you please provide cryptographic hashes of the compromised installers and the infected CCleaner.exe binaries for versions of CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191 and list them on your security notification page (https://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users). Maybe MD5, SHA1, and SHA256.


How does this all tie in with a "spurious" version of CCleaner being installed automatically on 15-Sep-17?

 

See this thread for more info: https://forum.piriform.com/index.php?showtopic=48859

 

We have a separate staff only discussion about it, and I gave a link very early this morning to your topic -- which instantly came to mind. If they obtain any information about that strange version you had that isn't in any change logs hopefully they'll post about it in here.


Hi all,

 

The only version affected is the 32-bit binary of CCleaner v5.33.6162. It was the application that was the issue, not the installer. If you’re using a 64-bit version of CCleaner, then you’re unaffected although we recommend updating to the latest version. There is also no effect to the Mac or Android versions.

At this time, we won’t be releasing a detection tool as the issue was in CCleaner itself, so uninstalling or updating the software removes the risk. You can download directly for free from here: www.piriform.com/ccleaner/download/standard

For those interested, the MD5 hash of the affected CCleaner.exe is: ef694b89ad7addb9a16bb6f26f1efaf7

 

Thanks - Tom

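Prof's post asks for checksums so customers can confirm the integrity of the file they have, and Tom's reply above publishes the MD5 of the affected 32-bit CCleaner.exe. The script below is an added example of that check, not code from Piriform or from anyone in this thread. The only real value in it is the MD5 from Tom's post; the function names (`digests`, `classify`, `check_bytes`, `check_file`, `demo`) and the sample file that `demo()` writes are constructed for the demonstration.

```python
"""Hash a file and compare it to a list of known-bad digests.

Added example, not Piriform's code. The only real value here is the MD5 that
Tom Piriform posted for the trojanised 32-bit CCleaner.exe; the function
names and the sample file in demo() are constructed for this demonstration.
"""
import hashlib
import os
import tempfile

# From the post above: MD5 of the affected 32-bit CCleaner.exe (v5.33.6162).
# The sha1/sha256 sets are empty because the thread only published an MD5.
KNOWN_BAD = {
    "md5": {"ef694b89ad7addb9a16bb6f26f1efaf7"},
    "sha1": set(),
    "sha256": set(),
}


def digests(chunks):
    """Feed an iterable of byte chunks through MD5, SHA-1 and SHA-256 at once."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def classify(digs, known_bad=KNOWN_BAD):
    """'known-bad' if any digest is on the list, else 'no-match'.

    'no-match' is not a clean bill of health: a 64-bit binary, a different
    build, or a tampered file with an unpublished hash all return 'no-match'.
    Only a positive match is conclusive.
    """
    hits = [algo for algo, d in digs.items() if d in known_bad.get(algo, set())]
    return "known-bad" if hits else "no-match"


def check_bytes(data, known_bad=KNOWN_BAD):
    """Hash an in-memory blob and classify it."""
    digs = digests([data])
    return {**digs, "verdict": classify(digs, known_bad)}


def check_file(path, known_bad=KNOWN_BAD, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks (so large installers do not need to fit in RAM)."""
    with open(path, "rb") as fh:
        digs = digests(iter(lambda: fh.read(chunk_size), b""))
    return {"path": path, **digs, "verdict": classify(digs, known_bad)}


def demo():
    """Write a constructed stand-in for CCleaner.exe and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "CCleaner.exe")  # constructed, not a real binary
        with open(sample, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 4096)
        return check_file(sample)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `check_file()` at the CCleaner.exe or installer you actually have to get a verdict. A positive match is conclusive; "no-match" only says the file is not the one sample whose hash was published, which is why the script also emits SHA-1 and SHA-256 for comparison against any fuller list of indicators. MD5 is adequate for recognising a specific published sample, but a vendor publishing checksums for integrity should include SHA-256 alongside it, as the request in this thread for MD5, SHA1 and SHA256 suggests. On Windows, PowerShell's `Get-FileHash -Algorithm MD5` produces the same digest.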

Hi, I have Windows 10 64-bit and use CCleaner 64-bit. Today my antivirus Kaspersky 2017 and also Malwarebytes Anti-Malware flagged the CCleaner 5.33 installer that I have in the Documents folder; is this normal? And I have installed the 5.34 version the same day of release, but today I did a verification of my 5.34 version of CCleaner with Kaspersky Application Advisor and I see the installer has an invalid certificate but the application has a valid certificate. Is this correct?


I am not particularly knowledgeable on such situations. 

 

I think those who have/may have installed the version identified have many questions. A few I can think of are:

 

1) Will updating to the latest software version remove the infected files? I assume it will, as it was those particular files that were affected. However, what about the "2nd payload" mentioned in the blog post? Was this actually downloaded, or could it just potentially have been downloaded if set to do so? If it is downloaded somewhere, is it in a separate location from the files affected or in the same location, and will it too be removed? Clarification on this would be good.

 

2) The blog post mentions it is the 32-bit version of Windows that is affected. From the above post I can see that it is the 32-bit version of the CCleaner software that is affected. I assume the 64-bit version isn't affected; however, like the above post mentions, their ccsetup5.33 installer has been flagged (mine too). When I read one of the original articles I updated immediately, as I had the affected version number in question; however, I did not notice if I had the 64-bit or 32. It now says I have the 64-bit latest release. This may sound dumb, but I guess that the updater will not update to 64-bit from 32, and assume I had 64-bit before? If anyone could confirm that would be great.

 

3) Is there any information on what the 2nd payload did/was supposed to do? I guess what people really want to know is are all my passwords safe? Is my bank info safe? Do I need to change everything?

 

4) Is there any way to tell if we were/are infected? Can we see if our PCs contacted this IP or downloaded anything from there? Will the latest updates to scanners detect anything? (See Q5)

 

5) I assume that all the security packages, malware scanners etc. are now aware of the situation and can scan for anything affected? I guess I should be checking their website for updates as well, but clarification on this would be good. 

 

I realise some of these are probably dumb questions, but there may be people out there who are in the same boat and would like information on this matter to sort the problem or alleviate their own fears.

 

Thanks


Today my antivirus Kaspersky 2017 and also Malwarebytes Anti-Malware flagged the CCleaner 5.33 installer that I have in the Documents folder; is this normal?

 

Yes, I also have that installer version saved and Malwarebytes is now showing it as infected with "nyetya".

(It didn't before so I guess MB have now blacklisted that installer, shows that they are on the ball).


Hello Piriform-Team,

 

I have Windows 10 64-bit installed. Furthermore, I used the portable version of CCleaner v5.33.6162. So in the original program folder there are both versions, 32-bit and 64-bit. I also worked with the 32-bit version as well, as I guess, no matter which of the two exe files I opened, CCleaner always switches to 64-bit mode.

 

In conclusion, my question is: am I affected by this issue with my 64-bit Windows 10, as I ran the 32-bit exe of CCleaner portable v5.33.6162?

 

Thanks,

 

Dennis2


@Tom Piriform: I get the fact that the malware gets cleaned with an uninstall of CC, but please confirm or deny that the presence of the mentioned registry keys is an indicator to check whether or not you were infected?

Some of us want to know if we were infected!


When I installed the 64-bit v5.33.6162, the installer told me I had to reboot for the update. I found this extremely odd and questionable at the time since I've never been asked to reboot after a CCleaner update before... 

 

I've updated to the latest version and can confirm that I have/had the 64-bit version, but what assurance do we have that this was solely impacting the 64-bit version? 


The only version affected is the 32-bit binary of CCleaner v5.33.6162.

The problem is that on 64-bit systems the 32-bit binary is still part of the installation (there's a CCleaner.exe and a CCleaner64.exe). Here's my assumption, so you can correct me if I'm wrong. When you launch CCleaner, the CCleaner.exe (32-bit) file is the one that's initially started, even on 64-bit systems; upon launch, the CCleaner.exe (32-bit) binary detects that your system is a 64-bit OS, launches the CCleaner64.exe binary, and then the 32-bit version exits. So if my assumption is correct, it doesn't matter if the 32-bit binary was the only one that was infected, 64-bit OS or not... you're still going to become infected.

 

Heck, even the Scheduled Task that allows CCleaner to be auto-elevated without a UAC prompt is pointing to the CCleaner.exe (32-bit) binary.

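The post above turns on which of the two executables in the CCleaner folder is actually the 32-bit one. That can be read from the file itself rather than inferred from the filename: the PE header's IMAGE_FILE_HEADER.Machine field is 0x014C for x86 and 0x8664 for x64. The script below is an added example, not Piriform's code; the function names are my own, and the two PE images it builds with `build_stub()` are constructed minimal headers for the demonstration, not CCleaner binaries.

```python
"""Tell a 32-bit from a 64-bit Windows executable by reading its PE header.

Added example, not Piriform's code. CCleaner's folder holds CCleaner.exe and
CCleaner64.exe; instead of trusting the filename, this reads the Machine field
of the IMAGE_FILE_HEADER. The PE images built by build_stub() are constructed
minimal headers for the demonstration, not CCleaner binaries.
"""
import struct

# Machine values from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C   # x86, 32-bit
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # x64, 64-bit
MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "x86 (32-bit)",
    IMAGE_FILE_MACHINE_AMD64: "x64 (64-bit)",
}

PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C  # DOS header field holding the offset of the PE signature


def pe_machine(data):
    """Return IMAGE_FILE_HEADER.Machine for a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    # The 4-byte signature is followed directly by the 2-byte Machine field.
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def is_pe(data):
    """True if pe_machine() can parse the image, False otherwise."""
    try:
        pe_machine(data)
        return True
    except ValueError:
        return False


def describe(data):
    """Human-readable architecture string for a PE image."""
    machine = pe_machine(data)
    return MACHINE_NAMES.get(machine, f"other machine type 0x{machine:04x}")


def describe_file(path):
    """Read an executable from disk and report its architecture."""
    with open(path, "rb") as fh:
        return describe(fh.read())


def build_stub(machine):
    """Construct the smallest image pe_machine() accepts: a DOS header with
    e_lfanew set, the PE signature, and a zero-filled 20-byte IMAGE_FILE_HEADER
    carrying the given Machine value. For testing only; it is not runnable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)  # PE header right after DOS header
    file_header = struct.pack("<H", machine) + b"\0" * 18  # Machine + rest of the header
    return bytes(dos) + PE_SIGNATURE + file_header


if __name__ == "__main__":
    # Constructed stubs standing in for the two files named in the thread.
    for name, machine in (("CCleaner.exe", IMAGE_FILE_MACHINE_I386),
                          ("CCleaner64.exe", IMAGE_FILE_MACHINE_AMD64)):
        print(f"{name}: {describe(build_stub(machine))}")
```

Running `describe_file()` against each executable in the install folder answers the architecture question on its own machine. Note what it does not answer: a file reporting x86 is a 32-bit build, but only a hash comparison against the published value (or a scan with updated signatures) says whether it is the compromised 5.33.6162 build.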

There is a fundamental issue here that has not been addressed. The hacked version was signed with the Piriform private key, was it not? If so, the hackers had access to that private key. Either this was an inside job, or Piriform was compromised to the extent that the hackers got access to the private key. Either is catastrophic.

 

A more plausible scenario: this wasn't a hack at all, but instead an intentional move on Avast's part to collect configuration data.

 

All bad! Won't be using it anymore... uninstalled.


The problem is that on 64-bit systems the 32-bit binary is still part of the installation (there's a CCleaner.exe and a CCleaner64.exe). Here's my assumption, so you can correct me if I'm wrong. When you launch CCleaner, the CCleaner.exe (32-bit) file is the one that's initially started, even on 64-bit systems; upon launch, the CCleaner.exe (32-bit) binary detects that your system is a 64-bit OS, launches the CCleaner64.exe binary, and then the 32-bit version exits. So if my assumption is correct, it doesn't matter if the 32-bit binary was the only one that was infected, 64-bit OS or not... you're still going to become infected.

 

Heck, even the Scheduled Task that allows CCleaner to be auto-elevated without a UAC prompt is pointing to the CCleaner.exe (32-bit) binary.

 

I'm still not comfortable with their claim that 64-bit systems are uncompromised.  The fact that the installer has this Trojan lurking around doesn't make me feel any better.  MWB result attached.

[attached screenshot: post-79972-0-11211100-1505760308_thumb.png]


If you guys feel like you are at risk on 64-bit versions, then you can go ahead and download the 5.34 version too. That version also is for 64-bit, not just for 32-bit.

 

If you guys feel like you are at risk, then you should scan with an anti-virus. Try Avast, Malwarebytes, and AdwCleaner and see if anything comes out.

 

Lastly, why would Avast try to trash one of their own products, then make a post about it? If they were really going to go to those lengths, I am sure they would have done it way more stealthily.


We have a separate staff only discussion about it, and I gave a link very early this morning to your topic -- which instantly came to mind. If they obtain any information about that strange version you had that isn't in any change logs hopefully they'll post about it in here.

 

I have added a bit more information to my thread at: https://forum.piriform.com/index.php?showtopic=48859


Here's my assumption, so you can correct me if I'm wrong.

That's easy enough to test:

 

Go to the CCleaner folder and delete CCleaner.exe, just leaving CCleaner64.exe.

 

Then launch CCleaner from the desktop or taskbar.

 

It still runs even without the 32-bit exe being there at all.

 

So I would say the assumption is wrong.

 
