CCleaner 5.33 is infected. Post Date: 2017-09-18
Snaike
Moderator Group, "Just a dude trying to keep the spam away". Joined: 23 Jan 2014. Posts: 9462
Posted: 18 Sep 2017 at 2:39pm
If you use CCleaner, please make sure that you're not using version 5.33.
Download 5.34 ASAP. This CCleaner version is infected with malware. https://forum.piriform.com/index.php?s=89944a59369b1a64c7d30bb0901943a2&showtopic=48869
ArkansasWoman777
DS Veteran. Joined: 19 Aug 2012. Posts: 4314
Posted: 18 Sep 2017 at 5:05pm
I'm currently running V5.24
"Captain Sirius Black"
Storm Trooper i5 3570k. Ordered: 11-27-12. Stage 1: 11-29-12. Stage 2: 12-2-12. Stage 3: 12-2-12. Stage 4: 12-4-12. Stage 5: 12-4-12. Stage 6: 12-10-12. Stage 7: 12-12-12
DST4ME
DS ELITE. Joined: 14 Apr 2008. Posts: 36758
Posted: 18 Sep 2017 at 5:39pm
Keep in mind it was the 32-bit version that was infected, so those of you that have 64-bit, don't freak out. Everyone, regardless of 32-bit or 64-bit, should uninstall, do a scan with up-to-date MB and AV, and then reinstall 5.34.
Edited by DST4ME - 18 Sep 2017 at 10:50pm
Tidgxor
DS ELITE, "The Kokopelli kid". Joined: 17 Sep 2010. Posts: 13000
Posted: 19 Sep 2017 at 12:38am
Thanks for the heads up. I was wondering why it had a warning pop-up box telling me that I needed to update to 3.34 immediately, as I had never seen that before.
Edited by Tidgxor - 19 Sep 2017 at 12:41am
My Two Digital Storm Rigs: Mr. Bojangles (HAF-X, 2010) & Mrs. Bojingles (Bolt I, 2013).
forrest74
DS Veteran. Joined: 15 Feb 2013. Posts: 2642
Posted: 19 Sep 2017 at 6:30am
Here is the official word from Piriform, who makes CCleaner.
=================================
Dear CCleaner customers, users and supporters,

We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud were illegally modified before they were released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue.

Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we're moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.

Technical description

The suspicious code was hidden in the application's initialization code called CRT (Common Runtime) that is normally inserted during compilation by the compiler. This code modification was executed by the following function calls (functions marked by red represent the CRT modifications):

This modification performed the following actions before the main application's code:

Illustration of patched CRT code (see the added call to a payload-decryption routine in the modified version):

The code executed within that thread was heavily obfuscated to make its analysis harder (encrypted strings, indirect API calls, etc.).

The suspicious code was performing the following actions:

At this stage, we don't want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing. We want to thank the Avast Threat Labs for their help and assistance with this analysis.

Again, we would like to apologize for any inconvenience this incident could have caused to our clients; we are taking detailed steps internally so that this does not happen again, and to ensure your security while using any of our Piriform products. Users of our cloud version have received an automated update. For all other users, if you have not already done so, we encourage you to update your CCleaner software to version 5.34 or higher; the latest version is available for download here.

Thank you,
Paul Yung

Edited by forrest74 - 19 Sep 2017 at 6:33am
DST4ME
DS ELITE. Joined: 14 Apr 2008. Posts: 36758
Posted: 19 Sep 2017 at 8:31am
From Malwarebytes:
[Updated] Infected CCleaner downloads from official servers
Posted: September 18, 2017 by Pieter Arntz. Last updated: September 19, 2017

Update (9/19/2017): Avast posted a clarification explaining what happened and giving a timeline of the events. One point we should take note of is that the breach preceded the take-over of Piriform by Avast.

Users that are unsure whether they were affected by this and whether their data may have been sent to the C2 server can check for the presence of the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

This key is not created by any clean versions of CCleaner, just by the infected ones. Malwarebytes will detect the presence of that said key and flag it as Trojan.Floxif.Trace.

Original post:

In a supply chain attack that may be unprecedented in the number of downloads, servers hosting CCleaner, a popular tool for cleaning up the PC, have been delivering a version of the said software with malware.

What happened?

Threat actors have managed to change the files that were being delivered by Avast servers hosting CCleaner updates. In case you are wondering why they were on those servers, Avast acquired Piriform, the original publishers of CCleaner, a few months ago. The incident was discovered and reported by Talos. Piriform is aware of the situation and is acting to prevent further damage. They are also investigating how the files coming from their servers were modified before being released to the public.

(Image: compromised version)

Possible impact

It is difficult to say at this moment how many users might have been affected, but the numbers could be huge. From the statistics brought out by Piriform, CCleaner has been downloaded 2 billion times in total, 5 million times every week. The modified version, 5.33, was made available from August 15 until September 12, when version 5.34 was released. In a press statement the company estimates that 2.27 million people used the affected software.

The malware

The malware collects the following information about the infected system:
- Computer name
- A list of installed software, including Windows updates
- A list of the currently running processes
- The MAC addresses of the first three network adapters
- Other system information that is relevant for the malware, like admin privileges, whether it is a 64-bit system, etc.

The malware uses a hardcoded C2 server and a domain generating algorithm (DGA) as a backup, to send information about the affected system and fetch the final payload.

(Image: blocked IP)

What to do if you think you are affected?

First of all, check the version of CCleaner on your system. If you suspect you may have downloaded CCleaner version 5.33.6162 or CCleaner Cloud version 1.07.3191, scan your system for malware.

Detection and Protection

CCleaner users that are running older versions or that do not trust the one they are using now are encouraged to update their CCleaner software to version 5.34 or higher. The latest version is available for download here.

Affected versions: CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191

Malwarebytes blocks the IP and domains related to this malware. We also remove the malicious installer. Stay safe!

Edited by DST4ME - 19 Sep 2017 at 8:58am
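The two checks the quoted Malwarebytes post recommends, as an added PowerShell example that is not part of the forum thread or of Malwarebytes' or Piriform's own tooling: it looks for the Agomo registry key and reads the file version of any CCleaner.exe at the default install path. Assumptions: the install paths below are the defaults (adjust if CCleaner was installed elsewhere), the second registry path covers the 32-bit registry view on 64-bit Windows, and the script runs in an elevated PowerShell so HKLM is readable.

```powershell
# Added example: triage a Windows host for the trojanised CCleaner 5.33.6162 build.
# Only the indicators named in the thread are used: the Agomo key and the build number.
$agomoKeys = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',              # key named by Malwarebytes
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'   # assumption: 32-bit view on 64-bit Windows
)
$exePaths = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
) | Select-Object -Unique

$findings = @()

# 1. The Agomo key is not created by clean builds, so its presence alone is a flag.
foreach ($k in $agomoKeys) {
    if (Test-Path -Path $k) {
        $findings += "Registry key present: $k (not created by clean CCleaner builds)"
    }
}

# 2. Compare the binary's version resource against the affected build 5.33.6162.
#    The build number may sit in the third or fourth position of the version
#    resource, so both FileBuildPart and FilePrivatePart are checked (assumption).
foreach ($p in $exePaths) {
    if (-not (Test-Path -Path $p)) { continue }
    $vi = (Get-Item -Path $p).VersionInfo
    $isAffected = ($vi.FileMajorPart -eq 5) -and ($vi.FileMinorPart -eq 33) -and
                  (6162 -in @($vi.FileBuildPart, $vi.FilePrivatePart))
    if ($isAffected) {
        $findings += "Affected build installed: $p reports version $($vi.FileVersion)"
    } else {
        Write-Output "Found $p, version $($vi.FileVersion) (not the affected build)"
    }
}

# 3. Report. The thread's advice applies whenever anything was flagged: uninstall,
#    scan with up-to-date AV/anti-malware, then reinstall 5.34 or later.
if ($findings.Count -eq 0) {
    Write-Output "No indicators of CCleaner 5.33.6162 found on this host."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Output "Uninstall CCleaner, run an up-to-date AV/anti-malware scan, then reinstall 5.34 or later."
}
```

A clean result here only means the two thread indicators are absent; it does not replace the full malware scan the posts recommend.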
FR3SHM3AT
Groupie. Joined: 12 Feb 2011. Posts: 494
Posted: 19 Sep 2017 at 1:22pm
When installing 5.33... if you chose "no" to the install of Google Chrome and its infected updater... the registry key was not created... Most likely why they left it out of 5.34. Well, at least in my experiment... [On my laptop, lol, not experimenting on my DS.] To the point... you can't trust any software anymore. Can't remember how many people I have recommended CCleaner to.
Edited by FR3SHM3AT - 19 Sep 2017 at 1:22pm
DST4ME
DS ELITE. Joined: 14 Apr 2008. Posts: 36758
Posted: 19 Sep 2017 at 11:40pm
Also, not all versions of 5.33 were infected, only build 6162.
oldlady RPGer
DS Veteran, "One of the cool kids". Joined: 09 Sep 2011. Posts: 1080
Posted: 21 Sep 2017 at 10:44pm
My Malwarebytes caught the Trojan before it did damage, and then I got the CC update. Whew. I also got hacked through eBay/PayPal and they hit my Amazon account. THAT was a huge mess. Amazon stopped everything, rebooted my account through Amazon Canada and paid for all damage. Even got a $500 gift card from Amazon. I've been an Amazon customer from the beginning in the 1990s with never an issue.
Me sitting my ECMO in PICU. Now you know why I like LC. ;)