Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191

[nocluez]

https://d2wqgvap25i10a.cloudfront.net/monthly_2017_09/image.png.9dca49c1c337b7a6ea175e55ed7db80a.png

 

I had this. Where does that fall in the guidelines?

[malika4]

 

If you are on a windows 64-bit be sure to check the 32-bit registry as if a 32-bit program wrote to:
HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo
and you checked it with regedit it would actually end up here:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Piriform\Agomo

 

Hi, I don't have any Piriform folder on HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node on my desktop, in my husband's laptop there is but Agomo there isn't

and in HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\ no Agomo

On all my 3 pcs Windows 10 64bit I have this

Yes Task CCleanerSkipUAC Piriform Ltd "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)

and is like this by default (I haven't modified this) so I think that if this task can activeted the trojan all the 64bits systems will be affected because I read that all 64bit version have the task like this but on Avast Blog there is write that The total number of unique PCs (unique MAC addresses) that communicated with the CnC server was 1,646,536

[login]

https://d2wqgvap25i10a.cloudfront.net/monthly_2017_09/image.png.9dca49c1c337b7a6ea175e55ed7db80a.png

 

I had this. Where does that fall in the guidelines?

 

What version of the operating system are you using? 32 bit or 64 bit?

 

-----------------------------------------------

 

Question for administrators or people close to the topic:

Were there any cases of infection of 64-bit computers or not? If so, under what conditions 64-bit computers could infect?

[jonmar]

Before installing the latest version of CCleaner (5.35), I checked my registry and there were some entries left over from 5.34 in HKLM/SOFTWARE/Piriform. In there I saw default and CR (or was it CZ? I can't remember now). I deleted HKLM/SOFTWARE/Piriform, rebooted, and then installed 5.35. I checked the registry again but this time I saw only default in there. What is the CR entry? Is it something legit or connected to the attack somehow? I haven't seen it mentioned anywhere in connection to this attack but I just wanted to make sure.

 

Thanks.

[malika4]

-----------------------------------------------

 

Question for administrators or people close to the topic:

Were there any cases of infection of 64-bit computers or not? If so, under what conditions 64-bit computers could infect?

 

 

on the piriform zendesk there is write:

 

Who was affected?

This issue was isolated to two versions: Cleaner v5.33.6162 for 32-bit Windows users and CCleaner Cloud v1.07.3191 (if you are using CCleaner Cloud, the 32-bit version runs on 64-bit machines).

All builds on these version numbers were affected: Free, Professional, Slim, Portable, Business and Technician versions of CCleaner.

 

so a 64bit windows if has the ccleaner cloud version it runs the ccleaner.exe (32bit version)

[WNT]

My apologies if these questions have already been covered. Apparently, the ccleaner attack resulted in two found malwares, Nyetya and Floxif. Are they the same malware with different names or totally different? According to sources, under the stage 1 attack, the attackers received

the following, name of computer, active software, MAC Addresses and Network Adapters. Is this a concern and is there risk of the MAC addresses and Network Adapters being hacked and compromised in the future?

[patrykr]

Question for administrators or people close to the topic:

Were there any cases of infection of 64-bit computers or not? If so, under what conditions 64-bit computers could infect?

 

I think it depends on how you define "infection", because, technically anyone using v5.33 was infected. The thing is, 64 bit systems were not affected by the infection (allegedly, as I have not seen official confirmation or better yet - an explanation).

They were not, because the infected file CCleaner.exe does not normally run on 64 systems. It just runs for a little while (or not at all, depending on your UAC configuration), perhaps not enough for the virus to execute? - I'm sorry this is the part I got no answer to, despite of asking. After that, the file that really runs and works is the not-infected CCleaner64.exe.

If you somehow managed to keep CCleaner.exe open instead of CCleaner64.exe (which does not normally happen, probably could if you first deleted CCleaner64.exe) you would surely be both infected and affected by the infection.

 

 

the following, name of computer, active software, MAC Addresses and Network Adapters. Is this a concern and is there risk of the MAC addresses and Network Adapters being hacked and compromised in the future?

 

That information is non-sensitive. It can help in preparing a highly targeted attack against you, but as long as there are no apparent vulnerabilities in your system configuration, it is, in the worst case scenario extremely hard (when you're careful). Also, no one can hack your Network Adapter just by knowing the MAC address, there has to be an exploitable vulnerability first (note, that sometimes you see MAC addresses on outer boxes of the hardware you buy).

 

Perhaps the question you should be asking yourself is, did the infection leave your system vulnerable. The general consensus is - no. However, some state that yes, everyone should reinstall their systems. Decision is yours to make.

 

 

All the above are just my opinions. I am not an expert. Perhaps a power-user (at best).

[nocluez]

@login I'm running 64bit win10

 

What does the UAC stuff mean?

 

My version of ccleaner was downloaded when I was installing Recuva. No idea what version that means it is

[Guest Stephen CCleaner]

My apologies if these questions have already been covered. Apparently, the ccleaner attack resulted in two found malwares, Nyetya and Floxif. Are they the same malware with different names or totally different?

 

Hi WNT

 

I'll try to clear this up.

 

Nyetya is a type of malware completely unrelated to the malware seen in CCleaner v5.33.6162. Nyetya was discovered in late June 2017 by the Talos research team (Cisco) and was delivered via Ukrainian accounting software called M.E.Doc. In their first blogpost on the CCleaner malware investigation, Talos reference Nyetya as an example of "how potent [a supply chain attack] can be".

 

Separately, on the day the security vulnerability was disclosed, Malwarebytes initially detected v5.33.6162 of ccleaner.exe as 'Trojan.Nyetya'. The malware that was injected into the CCleaner v5.33.6162 32-bit binary is completely unrelated and does not behave like Nyetya. MalwareBytes later changed this definition to 'Trojan.Floxif'.

 

'Trojan.Floxif' is a term given to a group of malware that uses Windows executable and DLL files to infect a system and then download additional malicious files. This term goes back to 2009 and is not used ubiquitously by all threat researchers. Various antivirus solutions will detect CCleaner v5.33.6162 under other names (e.g. Kaspersky calls it "Backdoor.Win32.InfeCleaner.a", Avast calls it "Win32:TlsHack-A [Trj]"). The reason many people refer to this as 'Floxif' is because Cisco Talos researchers updated their ClamAV software to detect the malware in CCleaner and took a screenshot of this detection before publishing their article. The screenshot shows the malware was detected as 'Windows.Trojan.Floxif'. Bleeping Computer published one of the earliest articles on the incident and their article was fastest trending on Reddit. In addition to Cisco and MalwareBytes, Windows Defender also refers to this malware as 'Floxif'.

 

--

We are working on responses for many of your other questions and will update you as soon as we are able.

[patrykr]

What does the UAC stuff mean?

 

 

UAC (User Account Control) is basically the pop-up question you see when opening certain applications or most installers. It says something like: "Do you want to let this program make changes to your computer". CCleaner has an convenient setting (Advanced -> "skip UAC warning") allowing you to skip that pop-up question.

 

The way it relates to the infection incident and 64 bit systems is as follows:

- there are two files in install directory (infected CCleaner.exe and non-infected CCleaner64.exe)

- when the setting is disabled, only the non-infected CCleaner64.exe gets executed and CCleaner.exe is just sitting there completely dormant (so is the virus)

- when the setting is enabled (by default I think), both files get executed, but the infected CCleaner.exe just "for a little while", and that is exactly what raises questions and/or doubts

 

 

Again, please note, I am not an expert and can be wrong.

[Nergal]

@patrykr you got it mostly correct except for skip uac being default it isn't. I also think the shortcuts on recycle bin also first call ccleaner.exe

[malika4]

@patrykr you got it mostly correct except for skip uac being default it isn't. I also think the shortcuts on recycle bin also first call ccleaner.exe

Is enables by default, in all My 3 pcs Is Like this And after reinstalled ccleaner Is enables by default

[Nergal]

 

@patrykr Is enables by default, in all My 3 pcs Is Like this And after reinstalled ccleaner Is enables by default

That's because you reinstalled it, your settings were still in registry/ccleaner.ini

[jonmar]

That's because you reinstalled it, your settings were still in registry/ccleaner.ini

 

It was also enabled by default for me. That's after first uninstalling CCleaner completely before installing 5.35. I've also never enabled that setting in the past so it can't have been remembered from past settings.

[pearshaped]

You can click "Restore default settings" in order to be sure what the default values are in CCleaner (unless Piriform changed them in the latest version).

 

On an unrelated note, why does CCleaner 5.35 try to connect to 151.101.112.64 when I run it? Is it a Piriform/Avast server?

[NonConvergentWaveform]

[...]

On an unrelated note, why does CCleaner 5.35 try to connect to 151.101.112.64 when I run it? Is it a Piriform/Avast server?

It comes back to a company called "Fastly" in San Francisco, CA. They are listed only by a PO Box. Their allocation is named "SKYCA-3". Never heard of them.

https://whois.arin.net/rest/net/NET-151-101-0-0-1/pft?s=151.101.112.64

[hazelnut]

Fastly is a Content Dellivery Network provider.

 

Old thread here but still relevant

 

 https://forum.piriform.com/index.php?showtopic=42539&do=findComment&comment=257266

[Guest Stephen CCleaner]

hazelnut is correct. We use Fastly for a number of things, including web caching.

[Guest Stephen CCleaner]

Hey guys,

 

NonConvergentWaveform has deduced some of this already, but I wanted to confirm the behaviour on 64-bit systems to provide a greater understanding.

 

Our investigations show that the compromised code was only present in the 32-bit binaries (CCleaner.exe) and not the 64-bit binaries (CCleaner64.exe). Regardless of system architecture, CCleaner v5.33 installs both CCleaner.exe and CCleaner64.exe. The application shortcut created on install points to the executable appropriate for the system architecture (e.g. on a 64-bit system, the CCleaner shortcut points to CCleaner64.exe). When the installation finishes the final button 'Run CCleaner' will launch the binaries appropriate for the system architecture.

 

In some cases, the 32-bit executable may be launched on a 64-bit system. For example, the CCleaner cleaning scheduler points to CCleaner.exe regardless of system architecture. If the 32-bit executable is launched, it goes through the following sequence:

 

1.     Check the operating system architecture

2.a.     If 32-bit: continue through CCleaner.exe initialisation sequence

2.b.     If 64-bit: search for the existence of CCleaner64.exe in the CCleaner folder

2.b.i.      If CCleaner64.exe exists: attempt to launch it and immediately close the current instance of CCleaner.exe (do not wait for any callback)

2.b.ii.     If CCleaner64.exe does not exist: continue through CCleaner.exe initialisation sequence

 

The malware was injected early in the initialisation code of the 32-bit binary and runs on a separate thread parented to the 32-bit instance. When the malicious code is run, first it records the system time, then it waits 601 seconds before performing any other operation. On a 64-bit system, the 32-bit instance will typically terminate in fractions of a second, long before the 601-second 'sleep' window has expired. Unless the code ran on a 64-bit system long enough for the delayed action to be triggered, assuming the installation was not corrupt or the CCleaner64.exe binaries modified in any way, we believe a 64-bit system should not have received the second payload.

[malika4]

So a 64bit system has Clean And safe? Hasn t received The first payload You would Tell?

 

"Unless the code ran on a 64-bit system long enough for the delayed action to be triggered, assuming the installation was not corrupt or the CCleaner64.exe binaries modified in any way, we believe a 64-bit system should not have received the second payload."

 

It s correct that if The Agomo Keys aren t in The registry The backdoor was Not activated? And a 64bit syste without Agomo Keys i Clean And Not compromises?

[patrykr]

So a 64bit system has Clean And safe? Hasn t received The first payload You would Tell?

 

 

Hello, no one can confirm that for you with 100% certainty. Piriform, forum moderators and members provide the relevant information, the rest is up to you to figure out based on your knowledge of your system. There are some unusual and highly unlikely conditions which, when met, could get your system infected with the first payload.

Let me tell you this, if I were in Millionaires, and the last $1.000.000 question would be "Did malika4 get infected with the first stage payload during the CCleaner v5.33 infection incident?", and one of the answers would be "No", I would (based on info you provided, x64, no Agomo keys etc) certainly choose "No" as that is simply the most probable answer.

[Guest Stephen CCleaner]

Hi patrykr

 

Is the Business Edition installer (ccsetup533_be.exe, MD5: 60f18d92353d46dfc715ffd9fbefecfc) affected like the other ones, i.e. the executable of the installer itself is malware-free, and only installs trojanized CCleaner.exe file?

 

 

That's correct. Your antivirus solution should detect this. We recommend that you remove the installer (or allow your antivirus to remove it) whether it has been launched or not.

 

The MD5 and SHA-256 hashes for the latest versions of Business Edition are as follows:

 

ccsetup535_be.exe - CCleaner Business Edition Installer

MD5:                   a4764ceac2ea72ce6045367c0e59b6eb

SHA256:             40e18acdda6b3d58665f58231c700a1f15e1dbbcd8f7f56b5e8f94cca115652f

 

ccsetup535_be.msi - CCleaner Business Edition MSI Installer

MD5:                   f16911c5aaf026e189705f06d9da41ee

SHA256:              7f6c24f459725110d714fa5324cfd7a57afb24245c9cc358b7f2b724a64763d6

 

ccsetup535_be_trial.exe - CCleaner Business Edition Trial Installer

MD5:                    f545db13ed4833821266f1a740d83bfe

SHA256:               04ff4c729fc93a97688602f83fa4603cb2d0913bdc7538fa7e69b098f4307402

[malika4]

 

 

In some cases, the 32-bit executable may be launched on a 64-bit system. For example, the CCleaner cleaning scheduler points to CCleaner.exe regardless of system architecture. If the 32-bit executable is launched, it goes through the following sequence:

 

1.     Check the operating system architecture

2.a.     If 32-bit: continue through CCleaner.exe initialisation sequence

2.b.     If 64-bit: search for the existence of CCleaner64.exe in the CCleaner folder

2.b.i.      If CCleaner64.exe exists: attempt to launch it and immediately close the current instance of CCleaner.exe (do not wait for any callback)

2.b.ii.     If CCleaner64.exe does not exist: continue through CCleaner.exe initialisation sequence

 

 

 

 

the ccleaner scheduler is the automatic cleaning of the system option? (Run ccleaner on a schedule?) i haven t this option activated

[kleonmon]

Hello, I have upgraded yesterday, I do not know from which version, to 535. I have not noticed yesterday that ccleaner was not running. Today I noticed that it was not running, I am using the free version, I uninstalled from apps and features, windows 10 x64, and tried installing 535 version, which failed with an error about "ccleaner64.exe". I tried deleting this file in "program files/ccleaner" folder that it says I need to be an administrator, which I am. I tried running force delete from cmd as administrator and failed again. Then I noticed that Windows Defender and Malwarebytes Anti-Malware had quarantined 533 setup file earlier in the month. How do I delete "ccleaner64.exe"? How do I check if my computer is infected by this virus/malware? Please advise.

[mrdimly]

 

Hi patrykr

 

 

That's correct. Your antivirus solution should detect this. We recommend that you remove the installer (or allow your antivirus to remove it) whether it has been launched or not.

 

The MD5 and SHA-256 hashes for the latest versions of Business Edition are as follows:

 

ccsetup535_be.exe - CCleaner Business Edition Installer

MD5:                   a4764ceac2ea72ce6045367c0e59b6eb

SHA256:             40e18acdda6b3d58665f58231c700a1f15e1dbbcd8f7f56b5e8f94cca115652f

 

ccsetup535_be.msi - CCleaner Business Edition MSI Installer

MD5:                   f16911c5aaf026e189705f06d9da41ee

SHA256:              7f6c24f459725110d714fa5324cfd7a57afb24245c9cc358b7f2b724a64763d6

 

ccsetup535_be_trial.exe - CCleaner Business Edition Trial Installer

MD5:                    f545db13ed4833821266f1a740d83bfe

SHA256:               04ff4c729fc93a97688602f83fa4603cb2d0913bdc7538fa7e69b098f4307402

 

 

Hi Stephen Piriform,

 

Would be nice to give us MD5, SHA-1 and SHA-256 hashes for CCleaner 5.33 standard, slim, and portable versions for verifying purposes, as still having a 5.33_slim installer archived (downloaded 01 Sept 2017), although I uninstalled it successfully as it seems. I didn't find those anywhere and as many people am very curious to know about.