Announcement: Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191

[Nergal]

Thanks for these suggestions Nergal but they raise a couple more questions: 1. You write "If you have 64 bit Windows, make sure you update your ccleaner to the latest version (5.35 at the time of this post)".. Are you suggesting people with 32-bit window shouldn't update to 5.35? 2, You write "If you are very worried you can follow the steps in the article you link to it says "Talos Group suggested to restore the computer system using a backup that was created prior to the infection. The new evidence reinforces this, and the researchers suggest strongly that it may not be enough to simply update CCleaner to get rid of the malware". Are you now suggesting we follow this advice (because a lot of us are, indeed, very worried)? 3. You write " the malware normally does not have the time to activate between the time ccleaner​.exe (32bit) hands off to ccleaner64.exe.". Can you please clarify what "normally" means in this context. Under what "non-normal" circumstances would the malware have been activated? ThanksRobert

1. the "if you're 64bit" the you was directed at the previous poster. Everyone should update to 5.35.

 

2. no, just meant to look for and remove the files and registry suggested in the article.

 

3. I may have been unclear. Certain researchers have discovered that the first payload did not begin until ccleaner.exe (32bit) had been open for roughly 10 minutes. I have seen this timing in action but am waiting on another piriform moderator to speak with me before posting it (s/he lives in the UK so I think it's still late there). But, my mispeak was to use normal when no evidence points to any non-normal situation.

 

I hope this cleared up those 3 questions.

[nocluez]

I've had to register in this forum just to get peace of mind. I never wanted ccleaner on my system in the first place. I missed a step to uncheck a box when installing recuva. But now I find myself with this malware on my machine.

 

I am running 64bit win 10. The Microsoft defender caught the malware and then I immediately uninstalled ccleaner as I never even wanted it in in the first place, but I never checked my registry before removing. I don't know if I was hacked, only that defender caught it.

 

I took the drastic step to completely format my machine. I did a USB boot into windows installer, deleted all c: drive partitions and created a new partition on the whole disk and installed fresh windows.

 

Does this mean I am 100% protected now? Is there a chance that there could be any hardware/bios virus or malware remaining?

[Nergal]

@nocluez there are not components thus far discovered that would survive all the steps you took. That said that's a bit overkill based on all the research that has been done (to the time of this post).

[Andavari]

In migrating to a new computer I downloaded 

CCleaner v5.33.6162

to my external drives but actually installed V5.34.

 

Do the uninstalled downloads require quarantine or can they be deleted to keep my sytem clean in the future?

 

If you never installed the infected v5.33 you can simply delete it from your external drives. If you have a file shredding/secure delete software perhaps shred it so that it can never be recovered.

[nocluez]

Nergal. I'm all for overkill. I have OCD and was losing sleep over it. I was trying to kill it with fire so that I could rest again.

[Nergal]

Nergal. I'm all for overkill. I have OCD and was losing sleep over it. I was trying to kill it with fire so that I could rest again.

Atomic weapons are not fire just kidding, but yeah nuking a pc is one way to do it. Thanks for making the rest of us feel much less OCD

[nocluez]

First time I've ever had malware/virus. I wanted to be 100% sure I could trust my system again.

[TomFace]

Nergal. I'm all for overkill. I have OCD and was losing sleep over it. I was trying to kill it with fire so that I could rest again.

Overkill can be a good thing...I restored to a backup image from 7/5/17...and then did all the Bleeping Computer clean up steps. Yes I have OCD as well.

[hazelnut]

Users might like to read these 2 posts from someone who knows what they are talking about .

 

https://www.wilderssecurity.com/threads/ccleaner-v5.370654/page-26#post-2707924

 

https://www.wilderssecurity.com/threads/ccleaner-v5.370654/page-27#post-2708085

 

After you have read those 2 posts then watch this video

 

https://www.youtube.com/watch?v=i1u0LqZLDvc&feature=youtu.be

[malika4]

Users might like to read these 2 posts from someone who knows what they are talking about .

 

https://www.wilderssecurity.com/threads/ccleaner-v5.370654/page-26#post-2707924

 

https://www.wilderssecurity.com/threads/ccleaner-v5.370654/page-27#post-2708085

 

After you have read those 2 posts then watch this video

 

https://www.youtube.com/watch?v=i1u0LqZLDvc&feature=youtu.be

Thanks so much hazelnut for The links And especially for The video.

The video explain perfectly how The Trojan And The backdoor works in conclusion without any Agomo Keys on The registry The system wasn t compromised (right?)

[jonmar]

I'm not sure I'm completely understanding how the 10 minute delay works. What I mean is that no one is ever going to keep the CCleaner app open for 10 minutes. It takes less than 30 seconds to scan and clean both the hard drive and registry and then you close the app. Does the 10 minute timer also continue ticking down while the CCleaner system tray icon is active? If it doesn't then it's a pretty useless malware. I must be missing something here.

[patrykr]

 

3. I may have been unclear. Certain researchers have discovered that the first payload did not begin until ccleaner.exe (32bit) had been open for roughly 10 minutes.

 

 

 

Hello, do you know of any researchers other than Talos Group stating this?

 

If that is true, it is worh noticing that 32-bit system CCleaner users, who were using it on as-needed basis could have avoided complete malware execution aswell. All one had to do was run and close CCleaner (without leaving in tray) within 10-minute window. It is how I've always been using it myself and 10 minute margin means it is more than doable.

The first stage was meant to be spray-and-pray, that is why I would consider the above as a flaw in the malware, limiting (possibly) its reach.

 

Talos states that the malware starts but delays/pauses its operation by ~10 minutes. If that 10 minute wait period is dependent on main CCleaner process being active, it would confirm the above. Too bad the video posted by Hazelnut does not answer this.

 

Personally I'm still hoping to officially learn that on x64 systems the malware did not execute in any capacity at all.

[hazelnut]

 

 All one had to do was run and close CCleaner (without leaving in tray) within 10-minute window. It is how I've always been using it myself and 10 minute margin means it is more than doable.

 

 

I'm afraid that isn't how it works. Things calling home are not dependent on you using the app.

[patrykr]

I'm afraid that isn't how it works. Things calling home are not dependent on you using the app.

 

Hello,

 

how it works is only dependent on how it was programmed to work and the environment (system) it works within. There is a 10-minute pause/delay programmed into the malware before it dials-out. It was stated by people who reverse-engineered it, and also proven in the video you posted link to.

 

The only question is, does the malware process gain independence after being loaded into memory, or is it still dependent on the main CCleaner process being active. It is super-easy to answer if someone wanted and had time to check. All one had to do is repeat the steps in the video, but close CCleaner before the 10 minutes elapsed. Would it still "call home" or not?

 

Believe me, I wish it did. It would mean the malware process gains independence from CCleaner and in consequence support the theory that x64 systems are safe because it (the malware part) does not execute at all.

[pearshaped]

Hi all, 

I think I have been lucky because there are no signs that my PCs were affected, but yet I am still a bit concerned because of the uncertainties in this story.

For starters, it took a full month to find out about the malware distributed with CCleaner 5.33. In a month, the hackers could have covered some of their traces on PCs and on the servers they used, so I wonder: is it possible we don't know everything about the malware effects? Also, it's not clear to me what the new CCleaner "clean" installer does in order to remove the malware. Does it delete registry keys and files left by the trojan thus removing its traces too? That has been asked many times. Please Piriform explain. If you want us users to still trust you in the future, we need a thorough official FAQ about the incident.

Besides, the announcements from Piriform and Avast turned out to be optimistic to say the least. They stated they believed that  #1) only 64-bit versions were affected and  #2) 2nd stage payload was never activated. Both statements have been put in doubt. Statement #2 was refused by later findings by Talos Intelligence: there's evidence that 2nd stage was activated at least in a limited number of instances. They may be a small number of cases, but the point is Avast's assumption was found to be mistaken. As to statement #1, it doesn't match what users wrote on this forum about their 64-bit Windows 7 being affected too, if I understand correctly.

Even though the new developments don't seem to affect my own Windows 10 64-bit, all the "surprises" in this story still leave me in doubt. Call me paranoid, but I would like to be *positive* that my system has not been compromised.

I also feel that the silence from Piriform and Avast on the official forums, after their first announcements and posts, is a sign that even they are not 100 percent sure that the incident caused no real harm at all, how could they be?

Thanks in advance for any *real* clarifications.

[robertcarroll6]

Hi all, 

I think I have been lucky because there are no signs that my PCs were affected, but yet I am still a bit concerned because of the uncertainties in this story....

...

 

Even though the new developments don't seem to affect my own Windows 10 64-bit, all the "surprises" in this story still leave me in doubt. Call me paranoid, but I would like to be *positive* that my system has not been compromised.

I also feel that the silence from Piriform and Avast on the official forums, after their first announcements and posts, is a sign that even they are not 100 percent sure that the incident caused no real harm at all, how could they be?

Thanks in advance for any *real* clarifications.

 

 

Excellent post pearshaped.  The paucity  of posts from Piriform/Avast employees and the lack of response to specific questions is pretty telling.  

 

Piriform/Avast seem to be hiding behind volunteer moderators who are working on partial information. The moderators are reduced to referencing blogs/articles which analyse  the problem based on research by Cisco's Talos Group.  In each blog/article Talos is quoted as saying that a restore/re-format is called for; however the volunteer moderators insist this is "overkill".  

 

Like everyone else affected by this issue, I am anxious to avoid the time and cost and risks of restoring/re-formatting.  In the absence of any coherent support from Piriform/Avast, the straw I'm grasping for at the moment is the suggestion that the hackers ignored us little guys in pursuit of bigger fry. 

[Nergal]

@robertcarroll6, @pearshaped please take some time to read the posts and watch the video that @hazelnut posted https://forum.piriform.com/index.php?showtopic=48869&page=10&&do=findComment&comment=286894

[Andavari]

I think I have been lucky because there are no signs that my PCs were affected, but yet I am still a bit concerned because of the uncertainties in this story.

 

That's why last night I loaded up Slax OS (a free Linux distribution), I seriously wanted to scan with another OS outside of the Windows environment, and I scanned with BitDefender in Slax, still absolutely nothing was found.

 

I think I've did more malware and antivirus scans than I'd normally do in a 6 month period over the last week.

[pearshaped]

@Nergal

I watched the video but I have the same question as Patrykr: if you close CCleaner before the 10 minutes elapsed, would it still "call home" or not?

 

@Andavari

Thanks for sharing.

 

Yet ars technica writes:

 

Williams renewed his advice that people who installed the 32-bit version of CCleaner 5.33.6162 or CCleaner Cloud 1.07.3191 reformat their hard drives. He said simply removing the stage-one infection is insufficient given the proof now available that the second stage can survive and remain stealthy.

 

https://arstechnica.com/information-technology/2017/09/ccleaner-malware-outbreak-is-much-worse-than-it-first-appeared/

[Nergal]

 

@NergalI watched the video but I have the same question as Patrykr: if you close CCleaner before the 10 minutes elapsed, would it still "call home" or not? 

That I am unsure of, the video shows the second ccleaner process popping up after the 10 minutes..but with monitor running (as it is in the video) it could possibly run from there (note I don't know that to be true but roughly guessed by the evidence that you have as well)

[BANGENY]

Download the slim build from that link.

There is no mention of a "slim bulid" at that link. Just one big green "download now" button. Did you even go to that link to read what's available there before recommending that?

 

Its now 48 hours since I last tried to download the latest version from the Piriform site, and McAfee still blocks any installation of it and says there's a Trojoan. That's pretty sad that Piriform can't even control how clean the file is that they're offering from their own download site? Why not shut it down until you can actually offer clean version? Sad!

 

Please send an update when a Trojan-free version is available to download from the Piriform site. Otherwise, please advise how I might get refund from the payment I made for the Pro verion of CCleaner.

 

Thanks!

[patrykr]

the straw I'm grasping for at the moment is the suggestion that the hackers ignored us little guys in pursuit of bigger fry. 

 

But, what if they didn't fry the bigger ones? Wouldn't that live them in pursuit of smaller fry? Just sayin!

 

What if Craig Williams of Talos is right about stealthiness and sophistication, and, I dont know, the malware left some huge black gaping hole in affected systems just waiting for someone to exploit

 

 

 

[nocluez]

Annnnnnndddd that's why I nuked my system

[Andavari]

There is no mention of a "slim bulid" at that link. Just one big green "download now" button.

 

 

Slim build is available here, just scroll down a little:

https://www.piriform.com/ccleaner/builds

[patrykr]

Dear Piriform/Avast Administrators/Programmers/Employees,

I am really sorry you got hacked, I truly am. I have no idea what it must be like for you trying to scramble in the wake of huge corporations being affected.

That being said, considerable base of smaller users is affected as well. These are likely users of all sorts, home users, power users, maybe even experts. Some might still be using trojanized v5.33 version and be completely unaffected (like for example my grandma would be, as she doesn't even own an email account). Some might just not care at all. Some might suffer from OCD and want to nuke their systems because of the sheer thought of having your products installed.

The spreading misinformation is hurting everyone. Some people say everything is just fine, while other, like Craig Williams of Talos, recommend re-installing systems and claim you're affected just by running the installer (see comments @ Talos blogpost).

The whole situation has even spawned vultures trying to plug in as many programs into their removal-guides as possible. Like in bleepingcomputer.com guide they use 5 apps to quote remove Floxif CCleaner Trojan unquote. Like, seriously? That's the pinnacle of irresponsibility.

I personally think it is your responsibility to end speculation and provide as much information as possible to satisfy users of all levels. That responsibility is so much more pronounced, given the fact that Avast now owns Piriform.

Me myself, I own 3 separate CCleaner Business Edition licenses, each valid for one computer.

Yes, like many other users, I too want to avoid all the work and hassle associated with having to reinstall my systems. However, I also do important work and can't afford to risk it.

So it all boils down to the fact, that most of all, I would like to make an informed decision about it, one way or another.


Again, here are my concerns/questions, I am using 64 bit system:

1. Installer (ccsetup533_be.exe, MD5: 60f18d92353d46dfc715ffd9fbefecfc).

On one of my licenses was bought just recently, and I was using different (Business Edition), I assume less popular installer than most users.

Is that installer affected the same way as the other, more popular ones, i.e. the executable of the installer itself is malware-free, and only installs trojanized CCleaner.exe file.
Businesses were the main target, so now I worry, that the executable of business installer itself might have been compromised aswell.

2. CCleaner.exe/CCleaner64.exe files.

I run 64 bit systems. I do know (easy to check with SysInternals Process Monitor, which I did) that no matter what file I run, or what file the shortcut points to - both are being executed. I don't know how this works, but assume it has something to do with auto-privilege elevation.

So, on x64 systems, is the execution of CCleaner.exe "deep enough" to reach the embedded malware code or not?

3. x64 systems safety in case of malware code execution.

If the malware code executes on x64 systems, what exactly is it, that makes x64 systems safe? Is it the fact that the malware is dependant on CCleaner.exe being active, and since CCleaner.exe is short-lived, so is the malware?
Also, can I be 100% sure that during this presumed partial malware execution, it (the malware) has done no changes to my filesystem/registry etc?
If any changes were made, what were they? Are they easy to fix like deleting a file or registry entry, or are they more complex than that.



I believe my questions are clear, valid and have not been properly addressed thus far. I would really, really appreciate an answer.

Thank you very much for your work and support.

 

Patryk R.