Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191

[Andavari]

I've ran full scans with everything I can think to scan with on my system (ClamWin, Panda, Malwarebytes, Zemana AntiMalware, anti-rootkit, etc.,) and nothing was found -- even though I had previously used that infected 5.33 version up until 5.34 was released which I started using on the same day it was released 12 September 2017.

 

So the burning question I have is if that registry key HKLM\SOFTWARE\Piriform\Agomo doesn't exist on my system and no infections were found (since some malware likes to download and install other malware) should my system be deemed clean?

[Guest Stephen CCleaner]

Hi Andavari,

 

Have you read this: https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident ?

 

In that blogpost there is a quote from the CTO of Avast that says:

Some media reports suggest that the affected systems needed to be restored to a pre-August 15th state or reinstalled/rebuilt. We do not believe this is necessary. About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary. Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary. By similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer.

 

Customers are advised to update to the latest version of CCleaner, which will remove the backdoor code from their systems. As of now, CCleaner 5.33 users are receiving a notification advising them to perform the update.

 

 

Further to this, and touching on some of the requests in this thread, a new version (5.35.6210) has been released on the Piriform website signed with new certificates:

http://www.piriform.com/news/release-announcements/2017/9/20/ccleaner-v535

 

 

Lastly, I'd like to apologise for the communication thus far. Things have been moving very quickly and our focus has been on getting out security updates. We'll endeavour to make the information we have more visible. In the meantime, I'd encourage everyone to keep an eye on the CCleaner and Avast blogs:

 

CCleaner blog: https://www.piriform.com/news/blog

Avast blog: https://blog.avast.com/

[Hijin25]

I am currently more angry with my antivirus software, than Piriform, who were the victim after all.

 

ESET, Karspersky, Avira, Malwarebytes and others, were not able to detect the unusual behavior of the program, so why are they supposed to exist ?.

 

If Piriform had not made it public, the big companies of "security" do not know.

[Andavari]

Have you read this: https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident ?

 

Just did. Based upon that information, and all the full system scanning I've done my system is clean.

[Hav0c]

 

I am currently more angry with my antivirus software, than Piriform, who were the victim after all.

 

ESET, Karspersky, Avira, Malwarebytes and others, were not able to detect the unusual behavior of the program, so why are they supposed to exist ?.

 

If Piriform had not made it public, the big companies of "security" do not know.

 

 

The problem with most Antivirus software and Malware software is IF they do not know about it then how can they protect you ?

ESET detected the issue  link

[Andavari]

That and the malware was sitting behind a legit digital signature from a trusted vendor.

[Hijin25]

But are not they supposed to have research departments?

 

The way this problem was detected was due to anomalous behavior of the program. None of the big "security" companies could detect the same thing?

 

One month, this was active one month, and no "major" antivirus reported anything. That is unacceptable.

[fireguy1978]

I currently have McAfee total protection, having read the reports of CCleaner being comprised,I immediately downloaded the latest version and completed a full scan which found this( attached file) I am a little concerned as the file path does not contain version 5.33 exe( I would have deleted it following the next update)only 5.34.

 

Please excuse my PC speak as I am a  newbie to all this.

 

I contacted McAfee who said as this file had been quarantined it should not pose a problem however I would like to know if anybody has any further advice or help?

[Nergal]

Try the new ccleaner 5.35 as it has a uncompromised security signature

[Emrah]

Hi! I have the 64 bit version and my windows 10 defender detected this makware and quarantined it. I updated to the latest version. Can you please tell me if I still need to back up all my files and do a fresh reinstall of windows to make sure I'm 100% safe and are all my passwords and cofidential files safe?

 

Thanks!

[Nergal]

You don't have to reinstall your windows. The trojan was embedded in the ccleaner​.exe as soon as you upgrade to ccleaner 5.35 the trojan is gone. Also the recipient server, to which data was being sent, has been shutdown.

Thirdly your usernames and passwords were not at risk in this attack.

[NonConvergentWaveform]

You don't have to reinstall your windows. The trojan was embedded in the ccleaner​.exe as soon as you upgrade to ccleaner 5.35 the trojan is gone. Also the recipient server, to which data was being sent, has been shutdown.

Thirdly your usernames and passwords were not at risk in this attack.

 

Can you/piriform clarify why there is a second build of "5.33.6162" signed 16 minutes later? Why was this second copy created? What is changed? Is it typical to build and sign a second copy of the software (and installer) at ever? (or not to change the build number?)

 

ccsetup533.exe

SHA-256

1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF

Signing date

8/3/2017 10:43 AM

 

CCleaner.exe (32-bit 5.33.6162)

SHA-256

6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9

Signing date

8/3/2017 10:42 AM

 

ccsetup533.exe

SHA-256

276936C38BD8AE2F26AAB14ABFF115EA04F33F262A04609D77B0874965EF7012

Signing date

8/3/2017 10:59 AM

 

CCleaner.exe (32-bit 5.33.6162)

SHA-256

36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9

Signing date

8/3/2017 10:58 AM

 

 

 

Also since the malware (when talking to the malware server when it was up for weeks) sends a list of running software couldn't the malware authors have chosen NOT to deploy malware phase/stage 2 (or to deploy different malware) on the basis of which anti-virus (if any) was installed or any of a large number of system specific criteria?

 

How would you know what stage/phase 2 malware was deployed (under the control of the malware author on the basis of system data send via the trojan) if the malware author chose not to deploy it to systems with avast installed?

 

Was the malware server captured for examination? I understand that it is (probably) in the USA. Clues from it could be reveling/handy.

[Nergal]

The second version should be .6163 and that was released as soon as the backdoor was discovered

[NonConvergentWaveform]

The second version should be .6163 and that was released as soon as the backdoor was discovered

No, it can't be. Check the version number.

Also the clean version wasn't digitally signed and released 16 minutes later on 8/3/2017.

[pompste]

Hi all,

 

The only version affected is the 32-bit binary of CCleaner v5.33.6162. It was the application that was the issue, not the installer. If you’re using a 64-bit version of CCleaner, then you’re unaffected although we recommend updating to the latest version. There is also no effect to the Mac or Android versions.

 

At this time, we won’t be releasing a detection tool as the issue was in CCleaner itself, so uninstalling or updating the software removes the risk. You can download directly for free from here: www.piriform.com/ccleaner/download/standard

 

For those interested, the MD5 hash of the affected CCleaner.exe is: ef694b89ad7addb9a16bb6f26f1efaf7

 

Thanks - Tom

 

After installing CC V 5.35 I ran a Malwarebytes scan and it found 2 Floxit trojans in 2 registry keys named Agoma. I removed them quick then ran another scan to make sure it got rid of those.

So it seems even though the new version may remove the threat, version 5.33 leaves behind at least 2 active Trojans.

It found those on a quick scan--there may be more when I run a deep scan.

Anyone that had version 5.33 installed should really run a Malwarebytes scan like now.

[Nergal]

Agomo is ccleaner cloud, but yes those reg entries should go

[NonConvergentWaveform]

 

Hi all,

 

The only version affected is the 32-bit binary of CCleaner v5.33.6162. It was the application that was the issue, not the installer. If you’re using a 64-bit version of CCleaner, then you’re unaffected although we recommend updating to the latest version. There is also no effect to the Mac or Android versions.

 

At this time, we won’t be releasing a detection tool as the issue was in CCleaner itself, so uninstalling or updating the software removes the risk. You can download directly for free from here: www.piriform.com/ccleaner/download/standard

 

For those interested, the MD5 hash of the affected CCleaner.exe is: ef694b89ad7addb9a16bb6f26f1efaf7

 

Thanks - Tom

 

After installing CC V 5.35 I ran a Malwarebytes scan and it found 2 Floxit trojans in 2 registry keys named Agoma. I removed them quick then ran another scan to make sure it got rid of those.

So it seems even though the new version may remove the threat, version 5.33 leaves behind at least 2 active Trojans.

It found those on a quick scan--there may be more when I run a deep scan.

Anyone that had version 5.33 installed should really run a Malwarebytes scan like now.

 

MD5: ef694b89ad7addb9a16bb6f26f1efaf7

=

CCleaner.exe (32-bit 5.33.6162)

SHA-256: 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9

Signing date

8/3/2017 10:42 AM

 

By "2 active Trojans" you mean 2 left over registry traces? That hardly counts. What counts is the stage/phase 2 download that the attacker only did on some machines (targeted attack) that no-one is talking about or has an good sample of. No idea what it does or if it exists.

[pompste]

MD5: ef694b89ad7addb9a16bb6f26f1efaf7

=

CCleaner.exe (32-bit 5.33.6162)

SHA-256: 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9

Signing date

8/3/2017 10:42 AM

 

By "2 active Trojans" you mean 2 left over registry traces? That hardly counts. What counts is the stage/phase 2 download that the attacker only did on some machines (targeted attack) that no-one is talking about or has an good sample of. No idea what it does or if it exists.

 

Right--2 leftover registry Trojans---Malwarebytes listed them as "Trojans".

I`ll be running a deep scan real soon---hoping it does`nt find anymore crap.

[NonConvergentWaveform]

 

MD5: ef694b89ad7addb9a16bb6f26f1efaf7

=

CCleaner.exe (32-bit 5.33.6162)

SHA-256: 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9

Signing date

8/3/2017 10:42 AM

 

By "2 active Trojans" you mean 2 left over registry traces? That hardly counts. What counts is the stage/phase 2 download that the attacker only did on some machines (targeted attack) that no-one is talking about or has an good sample of. No idea what it does or if it exists.

 

Right--2 leftover registry Trojans---Malwarebytes listed them as "Trojans".

I`ll be running a deep scan real soon---hoping it does`nt find anymore crap.

Traces FROM Trojans.

A burglar's footprint is FROM a burglar, but it can't steal your TV.

 

Don't worry about how to remove his footprint from the mud, worry about what his friend (that he invited) was doing hiding in your house for the last month.

[Guest Stephen CCleaner]

Hello everyone,

 

Yesterday I updated the first post in this thread to give a better overview of events to any new reader, and as a handy reference for anyone wishing to fact-check.

 

This morning another official announcement has been made from the team investigating the attack. Importantly, it reveals that the second-stage payload was delivered to select IP addresses and seems to be targeted at select large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the US. I would encourage you to read this blog and I have added it to the threadstarter.

 

 

Avast blog: Investigation Progress Update by Avast Threat Labs team (Thursday, 21 September 2017)

https://blog.avast.c...r-investigation

[Emrah]

You don't have to reinstall your windows. The trojan was embedded in the ccleaner​.exe as soon as you upgrade to ccleaner 5.35 the trojan is gone. Also the recipient server, to which data was being sent, has been shutdown.

Thirdly your usernames and passwords were not at risk in this attack.

 

Thank you for the reply!! 

 

So I'm 100% safe then? I have a 64 bit OS pc and i was using 64bit Ccleaner version and my windows 10 defender still detected it and quarantined it.

 

On authority sites like Tom's hardware and bleeping computer.com etc etc they're all quoting from Piriform that we all need to re install windows to make sure we're safe and also Microsoft Support told me this over support chat (even though win 10 defender detected it on my pc)....

 

So you're 100% confident I don't need to do anything?

 

I hope you're right and thank you so much!

 

Emrah

[robertcarroll6]

Hello everyone,

 

Yesterday I updated the first post in this thread to give a better overview of events to any new reader, and as a handy reference for anyone wishing to fact-check.

 

This morning another official announcement has been made from the team investigating the attack. Importantly, it reveals that the second-stage payload was delivered to select IP addresses and seems to be targeted at select large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the US. I would encourage you to read this blog and I have added it to the threadstarter.

 

 

Avast blog: Investigation Progress Update by Avast Threat Labs team (Thursday, 21 September 2017)

https://blog.avast.c...r-investigation

 

 

Seems we're getting a bit of  "severity creep" here.  

1.  The second-stage payload was delivered after all but  us little people are okay because the hackers only aimed it at selected corporate targets?

2.   Does the 32-bit bad,  64-bit safe distinction still hold?

 

There is more information - including list of targeted corporates -  at:

https://www.bleepingcomputer.com/news/security/ccleaner-hack-carried-out-in-order-to-target-big-tech-companies/

and 

http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

[login]

Sorry for my bad english, this is not my native language.

 

In connection with the latest events, I'm very nervous:

https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/

 

I'm using Windows 10 x64 and CCleaner Free x64, but I do not remember if I installed version 5.33.6162 or not...

 

I have a few questions:

1. Whence the virus was installed? From CCleaner.exe (x32), CCleaner64.exe, or from the installer?

2. How can I check if I have ever had an infected version?

3. How can I check if I had a virus on my computer?

4. Does the last update (5.35) remove the virus?

5. Where to look for trojans, which is written in the news (32-bit trojan is TSMSISrv.dll, the 64-bit trojan is EFACli64.dll)?

 

 

PS: Forgive me if questions have already been asked, but it's difficult for me to navigate in a non-native language even with Google translator. 

[malika4]

 

 

I have a few questions:

1. Whence the virus was installed? From CCleaner.exe (x32), CCleaner64.exe, or from the installer?

2. How can I check if I have ever had an infected version?

3. How can I check if I had a virus on my computer?

4. Does the last update (5.35) remove the virus?

5. Where to look for trojans, which is written in the news (32-bit trojan is TSMSISrv.dll, the 64-bit trojan is EFACli64.dll)?

 

if You have 64bit pc You're not infected because if You have installed the 5.33 version runs only the 64bit version on Your sistem (the 32bits is infected and the cloud version). You can check in the registry folder to check if there are the registry key on the pc. Scan the pc with an antivirus like Malwearbytes, Kaspersky. Check for the files TSMSISrv.dll, the 64-bit trojan is EFACli64.dll on Windows C

[login]

if You have 64bit pc You're not infected because if You have installed the 5.33 version runs only the 64bit version on Your sistem (the 32bits is infected and the cloud version).

 

Does the Trojan work only when running the 32-bit version? The CCleaner installer does not start the Trojan? I correctly understand that the Trojan could get into the 64-bit system only if you manually run the CCleaner.exe (x32)?

 

You can check in the registry folder to check if there are the registry key on the pc.

 

In what registry folder can this be checked?

 

Check for the files TSMSISrv.dll, the 64-bit trojan is EFACli64.dll on Windows C

 

Files are in the root of folder C, or are you talking about searching the entire directory? Can there be a specific folder where the Trojan is saved?