Piriform Community Forums
Tom Piriform

Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191


Hi, mrdimly. 

Don't mean to butt in, but the moderators & admins are probably pretty busy right now.

If you go see the post linked below it will lead you to a list of the hashes for the infected files, about three quarters down the page. 

Also, it's recommended to delete any infected installers. You probably wouldn't run them but someone else might. 

https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident


Hi Stephen Piriform,

 

It would be nice to give us MD5, SHA-1 and SHA-256 hashes for the CCleaner 5.33 standard, slim, and portable versions for verification purposes, as I still have a 5.33_slim installer archived (downloaded 01 Sept 2017), although I uninstalled it successfully, it seems. I didn't find those anywhere and, like many people, am very curious to know about them.

 

Hi mrdimly,

 

These are in the FAQs linked from the first post in this thread ('Official Information') and also from the latest blogpost on the security incident.

 

For convenience, here is the link: https://piriform.zendesk.com/hc/en-us/articles/115001699371

 

[Edit] I see login123 already posted this.



 

Hi Stephen Piriform,

I just arrived in this Forum. :)

 

And I'm not aware if my following question was already asked and answered.

 

Q: is CCleaner 5.33 (32 bit) the only infected version, or were older versions infected too?

Especially ver. 5.26 (32 bit).

 

For me this is no trivial question. Ver. 5.26 is the last CCleaner supporting one of my old PCs (CPU).

 

Regards

CC_SR

 

--

"Please ring, if an answer is required"

"Please knock, if an answer is not required"

[Winnie the Pooh, Chapter 4]

 


@CC_SR that is correct, only 5.33.6162 was affected. No other version, past or present, has the backdoor (malware).


Hi mrdimly,

 

These are in the FAQs linked from the first post in this thread ('Official Information') and also from the latest blogpost on the security incident.

 

For convenience, here is the link: https://piriform.zendesk.com/hc/en-us/articles/115001699371

 

[Edit] I see login123 already posted this.

Hi,

 

Sorry, but I didn't find anything about CCleaner 5.33 checksums.

Thanks for your attention.


Hi, running Win10 32 bit; last month I got infected by the compromised 5.32 version of CCleaner.

When I followed the Bleeping Computer article, my system showed under the registry that I had the entry piriform>Agomo>MUID but not the TCID one it mentioned.

Anyway after reading Piriform's blog post I just followed their latest advice and updated to the latest version (5.35).

However, tonight my Comodo Internet Security flagged up the CCleaner version 5.35 install files (which were still in my download history folder) as a PUP, so it quarantined them. Is this a false alarm, do you think? I attach a photo of my Comodo so you can see its file name and what it looks like. I've googled and don't see anything mentioned about a problem with the new version; I've also emailed both Piriform and Comodo about it but would love some help from you guys too please. Also to inform the community in case it's a new problem not found yet, but I doubt it. I'm a bit of a technophobe so appreciate the help. I haven't used the new version at all since install as I'm still a bit wary, though I did accidentally open it just there to get the Comodo screenshot, as both icons are red and I opened the wrong one lol.

Thanks in advance for any help!



@Crp Comodo flags that as a PUP (potentially unwanted program) because of the Google offer in the installer. You can download a version without the Google offer if you're worried: it's the slim build at http://piriform.com/ccleaner/builds, but remember that the slim comes out weeks later than the normal installer.

 

But you can just use the normal installer and tell Comodo to let it through.

 

The one from September that you show, for installer 5.33, that says backdoor: that was the actually infected one.


Awesome, thanks for the very quick reply Nergal! I can sleep easy tonight now :D. With regards to the earlier infection that's still in quarantine, in your experience is it better to now delete them from quarantine after they're found? I don't know why, but if my software ever finds anything like that I leave them in quarantine so they're "safe", though I'm not sure that's the best approach? Thanks for the help, it's greatly appreciated :)


@Crp yes, it is safe to delete them from quarantine; most security software will do that within the software in a secure manner.


@CC_SR that is correct, only 5.33.6162 was affected. No other version, past or present, has the backdoor (malware).

 

Nergal, thanks for your prompt answer!

 

I assume Piriform aka Avast checked out the date and time of the CCleaner infection. True?

And checked out CCleaner ver. 5.32 (and older versions) for backdoor infection. True?

 

Q: was the detailed data on the infection published in the Avast blog?

A specific link would be very helpful.

 

Regards

CC_SR

 

--

Albert Einstein: "Imagination is more important than knowledge,

because knowledge is limited."


I'm not a frequent user of CCleaner, but recently (I think) used an infected portable version from a USB stick when setting up some laptops for an overseas school. They are now in a remote location so it's not super simple to check the impact, but I just wanted to ask an initial question here. I understand that the portable version was affected, but does that mean it installed anything locally, or would it just have gathered information while running and then stopped? I.e. did it subversively change any registry values while running, or is the malware effectively 'portable' like the version of CCleaner, so that once it's closed, nothing more happens? Hope that makes sense. Because they were basically new when cleaned and still generic, I'm not really that concerned about any personal data being gathered, because there really wasn't any, but I need to find out if I should proceed with further cleaning to prevent future issues, or whether instead there is nothing residual on there because I used the portable version? 'Cleaning' now is complicated by location and language. If it has to be done, so be it, but maybe it isn't necessary because I used the portable version?


@jaymann2 the portable exe was also violated, so it too would spawn the second process and attempt to call home ("home" has been pwned, so there's nothing left to call to). You can see the action of the backdoor in this vid.

 

But no, the infection would not act portable; it would place the registry markers.

 


Thanks for your response Nergal, and the video. So just to confirm your conclusion, it is the running of the CCleaner.exe process that places the registry markers, not the installation process? So just running the portable version would have left behind some entries in the registry, which would still be there (albeit now pinging a server that is no longer active)?


I'm not a frequent user of CCleaner, but recently (I think) used an infected portable version from a USB stick when setting up some laptops for an overseas school. They are now in a remote location so it's not super simple to check the impact, but I just wanted to ask an initial question here. I understand that the portable version was affected, but does that mean it installed anything locally, or would it just have gathered information while running and then stopped? I.e. did it subversively change any registry values while running, or is the malware effectively 'portable' like the version of CCleaner, so that once it's closed, nothing more happens? Hope that makes sense. Because they were basically new when cleaned and still generic, I'm not really that concerned about any personal data being gathered, because there really wasn't any, but I need to find out if I should proceed with further cleaning to prevent future issues, or whether instead there is nothing residual on there because I used the portable version? 'Cleaning' now is complicated by location and language. If it has to be done, so be it, but maybe it isn't necessary because I used the portable version?

 

Depends on which version you used, when you used it, and if the computer had an internet connection at the time.

 

Refer back to this rough outline from my previous post:

https://forum.piriform.com/index.php?showtopic=48869&page=11&do=findComment&comment=286985

 

Also an update: the second line labeled "Note A1" appears to be improbable.

 

For the portable version you can ignore anywhere it says "installed".


Thanks for your response Nergal, and the video. So just to confirm your conclusion, it is the running of the CCleaner.exe process that places the registry markers, not the installation process? So just running the portable version would have left behind some entries in the registry, which would still be there (albeit now pinging a server that is no longer active)?

The registry traces are irrelevant; they are only traces left behind by early-stage malware action. After the fact they are just traces. Worry about the intruder, don't worry about his footprints.

 

The registry traces don't try to connect to the (offline) malware server, the program itself does. If you didn't leave behind the portable version it isn't still trying to connect to the disabled malware server.


 

Thanks for your response Nergal, and the video. So just to confirm your conclusion, it is the running of the CCleaner.exe process that places the registry markers, not the installation process? So just running the portable version would have left behind some entries in the registry, which would still be there (albeit now pinging a server that is no longer active)?
Correct


Thanks NonConvergentWaveform. That was really the essence of my question. I'm not as worried about the past intrusion because there was nothing on there, but am worried about whether there might be any potential ongoing issues once private data starts being added to a computer. Basically, having used the portable version, is there any residual, ongoing threat still on the computers?


Thanks NonConvergentWaveform. That was really the essence of my question. I'm not as worried about the past intrusion because there was nothing on there, but am worried about whether there might be any potential ongoing issues once private data starts being added to a computer. Basically, having used the portable version, is there any residual, ongoing threat still on the computers?

For this threat there was little or no distinction between the portable version and the installed version.

 

Since you didn't give specific details as to your usage, I am making a few guesses: you used the 32-bit version out of the portable package ("CCleaner.exe" vs "CCleaner64.exe"), you did so before September 16th, and you were connected to the internet at the time. Which means stage 2 was possible.

 

If Stage 2 was possible:

The attackers probably decided not to infect your computer. They had the option to infect you, but they passed. (this info comes from the attacker's captured server, info could have been tampered with)

For those few machines that were given the stage 2 infection, this malware could have taken any action(s), including downloading more malware, stealing info, and/or deleting all traces of infection. (leaving nothing to find later)



Scroll all the way to the bottom of the FAQs page.

It might look different here overseas (attachment): no 5.33 version checksums. Not to mention that, for example, Qihoo-360 (my AV) has flagged CCleaner533_standard since 2017-09-18, but not Microsoft nor many well-known AV brands ( https://virustotal.com/en/file/36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9/analysis/1505759047/ ),

although nowadays Qihoo-360 doesn't yet flag CCleaner533_slim as some other well-known AV brands

( https://www.virustotal.com/fr/file/4f8f49e4fc71142036f5788219595308266f06a6a737ac942048b15d8880364a/analysis/ )

Don't ask why I'm still confused even after this huge amount of posts above.

 

 



It might look different here overseas (attachment): no 5.33 version checksums. Not to mention that, for example, Qihoo-360 (my AV) has flagged CCleaner533_standard since 2017-09-18, but not Microsoft nor many well-known AV brands ( https://virustotal.com/en/file/36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9/analysis/1505759047/ ),

although nowadays Qihoo-360 doesn't yet flag CCleaner533_slim as some other well-known AV brands

( https://www.virustotal.com/fr/file/4f8f49e4fc71142036f5788219595308266f06a6a737ac942048b15d8880364a/analysis/ )

Don't ask why I'm still confused even after this huge amount of posts above.

I don't quite understand what your ultimate question is, can you boil it down to a question?


Hi, mrdimly. 

 

Confusion is understandable, imho.  :wacko:  :)

 

If you go to this Avast blog post and scroll about three quarters down, there is a list of hashes known to be compromised. They are for CCleaner 5.33 and some others.

https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident

edit to include picture:  First part of the list looks like this: 

19 nov 17 edit to remove picture



Hi, mrdimly. 

 

Confusion is understandable, imho.  :wacko:  :)

 

If you go to this Avast blog post and scroll about three quarters down, there is a list of hashes known to be compromised. They are for CCleaner 5.33 and some others.

https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident

edit to include picture:  First part of the list looks like this: 


Hi login123,

 

I went to the Avast blog last week after your post, but am sorry not to recognize the official CCleaner533_slim self-extracting installer checksums (MD5, SHA-1, SHA-256) among those tens of IOCs, 1st stage, 2nd stage, etc.... ?! (IOC: Intelligent Orientation Control or what else?)

Simply: 1st question: get these official checksums.

2nd question: what about some AVs that flag the CCleaner533 standard installer, but not the CCleaner533_slim installer?

Hope you have now a clear understanding of my questions.


@mrdimly most competent AV will flag any build of CCleaner 5.33 (normal, pro, CCleaner Cloud, slim and portable); the virus/backdoor is in the executable file ccleaner.exe.

 

What you're talking about on non-5.33 installer builds flagging is PUP (Google bar or Chrome), which doesn't exist in slim (it's the ONLY difference between the regular installer and the slim installer).
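Since the backdoor sits in the executable rather than only in one installer flavour, the practical check for anyone still holding archived 5.33 installers or an extracted ccleaner.exe is to hash the files and compare against the published list. The script below is an added example written for this thread, not something Piriform or Avast published: it seeds its lookup set with the two SHA-256 values from the VirusTotal links quoted above (the 5.33 standard and slim installers, as mrdimly labelled them) and is meant to be extended with the MD5/SHA-1/SHA-256 values from the Avast blog post linked earlier; the `scan_directory` function and the default Downloads folder are assumptions.

```python
import hashlib
from pathlib import Path

# SHA-256 values taken from the VirusTotal links quoted in this thread
# (CCleaner533_standard and CCleaner533_slim). The authoritative list of
# compromised hashes is the Avast blog post linked earlier in the thread;
# paste its MD5/SHA-1/SHA-256 values into this set (lower-case hex).
KNOWN_BAD = {
    "36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9",
    "4f8f49e4fc71142036f5788219595308266f06a6a737ac942048b15d8880364a",
}

ALGORITHMS = ("md5", "sha1", "sha256")


def digests_of(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests of an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digests_of_file(path, chunk_size=1 << 20) -> dict:
    """Hash a file in chunks so large installers never need to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matching_iocs(digests: dict, known_bad=KNOWN_BAD) -> list:
    """Return the algorithm names whose digest appears in the known-bad set."""
    return [name for name, value in digests.items() if value.lower() in known_bad]


def scan_directory(directory, pattern="*.exe", known_bad=KNOWN_BAD) -> dict:
    """Hash every file matching `pattern` under `directory` (recursively).

    Returns {path: [matching algorithms]} for files whose digest is in the
    list; such a file is a known-compromised build and should be deleted,
    never executed. Files with no match are omitted.
    """
    hits = {}
    for path in Path(directory).rglob(pattern):
        hit = matching_iocs(digests_of_file(path), known_bad)
        if hit:
            hits[str(path)] = hit
    return hits


if __name__ == "__main__":
    import sys
    # Assumed default: the user's Downloads folder, where archived installers usually sit.
    folder = sys.argv[1] if len(sys.argv) > 1 else str(Path.home() / "Downloads")
    for path, algos in scan_directory(folder).items():
        print(f"KNOWN-BAD ({', '.join(algos)}): {path}")
```

Run it with the folder holding the archived installers as the only argument; a file is reported only when at least one of its three digests is in the list, so an unlisted 5.35 installer flagged as PUP by Comodo will not appear.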
