Piriform Community Forums
Tom Piriform

Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191


Nergal has said the most important thing:  AVs will now flag the infected installers. 

Avast just went panicky here when I tried to submit that installer to Virustotal.  :lol:

 

I don't know what IOC means.

 

I don't know what "1st question: get these official checksums." means.

 

2nd question:  The hash for CCleaner533_slim is the 7th one down on that list. 

4f8f49e4fc71142036f5788219595308266f06a6a737ac942048b15d8880364a

It isn't listed by that name; it is just called CCleaner - installer (v5.33.0.6162). I checked it.

 

It's slow to check all those manually, but if you have a SHA256 hash you want to check you can submit it to VirusTotal. You can also submit a questionable file, or you can scan the file with an AV to see if it is safe.


Thanks.  Good to know. 

I couldn't decide between that and inversion of control.

I had pretty well ruled out International Olive Council :lol:


 

Thanks.  Good to know. 

I couldn't decide between that and inversion of control.

I had pretty well ruled out International Olive Council :lol:

Ruled out??? Aw man, I've completely misunderstood this issue :lol:


I didn't mean for post 279 to sound as sarcastic as it does when I re-read it. 

It was a pitiable attempt at humor. Someday I'll learn . . .

 

Anyway, maybe "1st Question ..." is asking how to calculate hash sums?

Great software for calculating hash sums offline is Nirsoft's Hash My Files. Free, no installation, fast. 


I didn't mean for post 279 to sound as sarcastic as it does when I re-read it. 

It was a pitiable attempt at humor. Someday I'll learn . . .

 

Anyway, maybe "1st Question ..." is asking how to calculate hash sums?

Great software for calculating hash sums offline is Nirsoft's Hash My Files. Free, no installation, fast. 

7-Zip can do it from the context menu (it does SHA-1 and SHA-256, but not MD5; but who uses MD5 any more these days?)

Sigcheck from Sysinternals can also do it (command line only). It also does a better job of checking digital signatures than the Windows interface.
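The hash comparison the posts above describe, done with what Windows already ships: Get-FileHash is the command-line equivalent of what 7-Zip, HashMyFiles and HashTab show in a GUI, and Get-AuthenticodeSignature is the built-in counterpart to the signature check Sigcheck performs. This is an added example, not code from this thread, from Piriform or from Avast. The installer path and the $OfficialHash value are placeholders to fill in from the vendor's own download page; the only real hash in it is the v5.33.0.6162 value quoted earlier in this thread.

```powershell
# Added example (not from this thread, Piriform or Avast): verify a downloaded
# installer against a published SHA-256 before running it, and inspect its
# Authenticode signature. Needs Windows PowerShell 4.0+ for Get-FileHash;
# Get-AuthenticodeSignature is Windows-only.

function Test-FileHashMatch {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # Published hashes get pasted in either case, so compare case-insensitively
    # after trimming whitespace that came along with the copy.
    [pscustomobject]@{
        Path     = $Path
        Actual   = $actual
        Expected = $ExpectedSha256.Trim().ToUpperInvariant()
        Match    = ($actual -ieq $ExpectedSha256.Trim())
    }
}

# SHA-256 of the trojanised CCleaner v5.33.0.6162 installer, as quoted in this thread.
$KnownBad533 = '4f8f49e4fc71142036f5788219595308266f06a6a737ac942048b15d8880364a'

# --- Self-check on a constructed file, so the script runs on any machine ---
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'hashcheck-demo.bin'
[IO.File]::WriteAllBytes($tmp, [Text.Encoding]::ASCII.GetBytes('constructed sample, not an installer'))
$selfHash = (Get-FileHash -LiteralPath $tmp -Algorithm SHA256).Hash
(Test-FileHashMatch -Path $tmp -ExpectedSha256 $selfHash.ToLower()).Match   # against its own hash, lower-cased
(Test-FileHashMatch -Path $tmp -ExpectedSha256 $KnownBad533).Match          # against the known-bad hash
Remove-Item -LiteralPath $tmp

# --- Real use: $Installer and $OfficialHash are placeholders you fill in ---
$Installer    = "$env:USERPROFILE\Downloads\<downloaded-installer>.exe"
$OfficialHash = '<SHA-256 published by the vendor for that exact build>'

if (Test-Path -LiteralPath $Installer) {
    $r = Test-FileHashMatch -Path $Installer -ExpectedSha256 $OfficialHash
    $r | Format-List

    if ((Test-FileHashMatch -Path $Installer -ExpectedSha256 $KnownBad533).Match) {
        Write-Warning 'This is the compromised 5.33.6162 installer: delete it and scan the machine.'
    }

    # What Sigcheck does from the command line: signature status and signer,
    # which a plain hash comparison does not tell you.
    $sig = Get-AuthenticodeSignature -FilePath $Installer
    '{0}: {1}' -f $sig.Status, $sig.SignerCertificate.Subject
}
```

A matching hash only proves the file is the one the vendor published; it says nothing about whether that build is clean, which is exactly why the 5.33 build passed every hash check at the time. The signature step is the second control: a Status other than Valid, or a signer subject you do not expect, is reason to stop before the hash result is even considered.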


I use HashTab (free, but has to be installed). Just wish something like it was included with Windows by default. Unfortunately some sites still list only the MD5, but it's better than nothing at all.


Hi,

 

I'm learning too, all things considered, that on 2017-09-18 I had a very competent AV keeping me safe with the CCleaner533 standard download, which was flagged at that time only by some AVs, among which mine ( https://virustotal.com/en/file/36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9/analysis/1505759047/ ). Now, I'll try to get it back and updated really.

For calculating checksums at home, I found "MD5 & SHA Checksum Utility" (not verified, no need of installation,

SHA-1  4B70B5213249014C3785460720B81B5F9BEABEC3,

SHA-256  D3D6F3597AEBA37312F61E59BA465E57B19140CC9A4517C7F9C49461F1D0A4BB), but we may need checksums from the vendor itself for next versions of CCleaner; hope this'll be possible to stay in full confidence; what I mean is "as official checksums".


but we may need checksums from the vendor itself for next versions of CCleaner; hope this'll be possible to stay in full confidence; what I mean is "as official checksums".

 

That has already been suggested to them, however it's entirely up to them if they supply the hashes/checksums.


 

Did you have a registry folder Agomo?

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

Or one of the listed registry folders?

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

 

none of the above folders are present, however they could have been removed by either Malwarebytes or Bitdefender.


It seems that some HKLM Agomo leftover registry key values would be found, after install-uninstall of CCleaner533 on x64 computers, that belong to CCleaner Cloud (since 2017-09-18) and therefore aren't deleted by the most competent AVs. Vendor's statement about this would be of great interest.

Here's how a competent AV sorts these out: https://forums.malwarebytes.com/topic/210927-ccleaner-hack/


Why are there no updates on this?

 

How did the malware version of CCleaner get published? Specifically, did someone at the company intentionally insert the malicious code, was a computer at the company compromised, or was there some other cause for the code getting into the published version?

 

What was the country of origin of whoever set up the malware?

 

While the server controlling the malware was taken down and CCleaner updated, can the stolen data be used to affect any of the compromised computers?

 

What is being done with the data that was on the server?

 

Other than the previously mentioned registry changes/files added by the malware, has anything else been found to have been modified?


I'm not sure what else can be said that hasn't already been covered in depth already.

My guess is they (Piriform/Avast) have moved past the "let's report it and fix it" stage and are now in the "how, who" stage and that won't get reported, then there's the whole litigation cause and effect to consider.

There would be a lot they won't say and even more they can't say.

 

All I need to know is that the current version is safe.


Honestly, I think they've provided as much as they're going to. The data from the first phase was used already to identify the computers they were spearing for. The attackers had foreknowledge (I assume) that the target corporations used CCleaner (more specifically CCleaner Cloud). The backdoor was inserted in the compile phase of the affected executable. Everything else you've asked for either won't be known or will be used in investigation to corral the who.


Hi,

 

Thanks for CCleaner536 checksums; I'm looking for CCleaner536_slim later.

As far as I'm concerned, I use MD5_&_SHA_Checksums_Utility, which shows MD5, SHA-1, SHA-256, SHA-512 (free version) with a verifying function; it doesn't need installation and I downloaded it from https://raylin.wordpress.com/downloads/md5-sha-1-checksum-utility/ (publisher gives checksums). No competent AV flags it when downloaded from the above.

So after reading this whole thread, I’m pretty confused.

 

I attended to two machines as soon as I got home from work the evening that the problem was reported:

 

1)

 

64 bit

Updated CCleaner straight away, then uninstalled.

Bullguard and malwarebytes found nothing.

Could not find the mentioned registry entries.

 

2)

 

64 bit

Updated CCleaner straight away, then uninstalled.

Bullguard and malwarebytes found nothing, except the downloaded installer file in the downloads folder, which I then deleted.

Could not find the mentioned registry entries.

 

Can I assume that these machines are ok? I don’t particularly want to nuke them...

Would the trace registry entries have been removed when updating/uninstalling? I don’t know how else to see if I’m safe or not...

 


g'day @mykeprime and welcome to the forums,

 

Based on 2 security scans finding nothing, no reg keys found, and that you had the safe 64-bit version, then yes, you can assume you are OK.

All you need to do is replace v5.33 with any of the newer ones.


Yes, the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf" is a Windows default key.

 

Only the mentioned subkeys (\001 to \004) are created by the malware.
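A read-only check for the registry keys listed earlier in this thread (HKLM\SOFTWARE\Piriform\Agomo and the WbemPerf \001 to \004 and \HBP subkeys), written as an added example rather than anything from the thread, from Piriform or from Avast. It follows the reply above in treating the parent WbemPerf key as a normal Windows key, so only the subkeys are reported as indicators. The extra WOW6432Node lookup is my own assumption for 64-bit machines, added because an earlier post asks about x64 leftovers; it is not something the thread states.

```powershell
# Added example (not from this thread, Piriform or Avast): look for the
# registry artefacts listed in this thread and report what is there.
# It only reads; it deletes nothing. Run from an elevated prompt so that
# every HKLM subkey is readable.

# Keys created by the backdoor, as listed in this thread. The parent WbemPerf
# key is a normal Windows key and is deliberately NOT in this list.
$IocKeys = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\001',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\002',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\003',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\004',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP'
)

# My own addition for 64-bit Windows (assumption, not from the thread): a
# 32-bit installer's writes to HKLM\SOFTWARE are redirected to WOW6432Node,
# so check that view of the Piriform key as well.
$IocKeys += 'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'

function Get-RegistryIocReport {
    param([string[]] $Keys = $IocKeys)
    foreach ($key in $Keys) {
        $present = Test-Path -LiteralPath $key
        $values = $null
        if ($present) {
            # List the value names under the key, dropping the PS* properties
            # that Get-ItemProperty adds for its own bookkeeping.
            $values = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
                ForEach-Object { $_.Name }
        }
        [pscustomobject]@{
            Key     = $key
            Present = $present
            Values  = if ($values) { $values -join ', ' } else { '' }
        }
    }
}

$report = Get-RegistryIocReport
$report | Format-Table -AutoSize

$hits = @($report | Where-Object Present)
if ($hits.Count -gt 0) {
    # Preserve the evidence before any clean-up so the value contents can be reviewed.
    $msg = '{0} listed key(s) present. Export them first, e.g.: reg export "HKLM\SOFTWARE\Piriform\Agomo" agomo.reg' -f $hits.Count
    Write-Warning $msg
} else {
    'None of the listed keys are present (a scanner may already have removed them).'
}

# The thread's point, checked explicitly: the parent key on its own is not an indicator.
'Parent WbemPerf key present (normal on Windows): {0}' -f (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf')
```

As several posters note, an absent key is weak evidence on a machine that has already been scanned or had CCleaner uninstalled, since the scanner or the uninstaller may have removed it; the script therefore says so rather than reporting the machine clean. A present key is strong evidence and worth exporting before anything is deleted.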


Yes, the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf" is a Windows default key.

 

Only the mentioned subkeys (\001 to \004) are created by the malware.

ty


Haven't read the hundreds of posts but must say I'm a bit surprised that we were told it was a PUA/Wrong detection.
This implies that Piriform simply wrote it off as bogus without even checking the validity of the warnings from various AV vendors.
Thank god I didn't trust it and did not update past version 5.32 on our thousands of client PCs. But this should be a learning curve for Piriform to check detections' validity a bit better.
Still liking the product of course. Just raising frustration at how the initial reporting was handled/fobbed off as wrong detection.


At no point, with this version, was it called a false positive, at least not on purpose.


Haven't read the hundreds of posts but must say I'm a bit surprised that we were told it was a PUA/Wrong detection.

This implies that Piriform simply wrote it off as bogus without even checking the validity of the warnings from various AV vendors.

Thank god I didn't trust it and did not update past version 5.32 on our thousands of client PCs. But this should be a learning curve for Piriform to check detections' validity a bit better.

Still liking the product of course. Just raising frustration at how the initial reporting was handled/fobbed off as wrong detection.

I would be interested in seeing where you got this information. Neither Piriform nor Avast has communicated that 5.33 detections (or 5.34 revoked certificate detections) were a false positive.

Edited by Stephen Piriform
Typo: should say OR 5.34 revoked certificate detections

This topic is now closed to further replies.