
CCleaner version 5.33 hacked and distributing malware

Discussion in 'General Security' started by dvk01, Sep 18, 2017.

  1. dvk01

    dvk01 Moderator Malware Specialist Thread Starter

    Joined:
    Dec 14, 2002
    Messages:
    56,222
    First Name:
    Derek
  2. dvk01

    dvk01 Moderator Malware Specialist Thread Starter

    Joined:
    Dec 14, 2002
    Messages:
    56,222
    First Name:
    Derek
  3. 2twenty2

    2twenty2

    Joined:
    Jul 17, 2003
    Messages:
    27,679
    Thanks for the heads up Derek
     
  4. simian

    simian Account Closed

    Joined:
    Sep 10, 2017
    Messages:
    150
    :/ Nothing is safe these days, hide your grandmothers, kittens and babies.
     
  5. Johnny b

    Johnny b

    Joined:
    Nov 6, 2016
    Messages:
    3,915
    First Name:
    John
    Thanks, Derek.
     
  6. flavallee

    flavallee Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    78,625
    First Name:
    Frank
    I'm good. (y)

    [attached screenshot: Capture.JPG]

    I'm also using Windows 7/10 64-bit.

    ---------------------------------------------------------------
     
  7. TOGG

    TOGG

    Joined:
    Apr 2, 2002
    Messages:
    5,862
    Eset Smart Security has been warning me about a PUP on the Piriform download page since early July so I haven't upgraded anything of theirs since then.

    "04/07/2017 13:49:13;HTTP filter;file;http://download.piriform.com/spsetup131.exe;Win32/Bundled.Toolbar.Google.D potentially unsafe application;connection terminated;;Threat was detected upon access to web by the application: C:\Program Files\Opera\46.0.2597.32\opera.exe"
     
  8. simian

    simian Account Closed

    Joined:
    Sep 10, 2017
    Messages:
    150
    That's normal, because the full installer for CCleaner bundles Google Chrome or whatever it is now... It's unrelated to the issue reported here.

    If you want clean CCleaner packages without anything added (PUP free) you should try the portable build located at http://www.piriform.com/ccleaner/builds

    Personally this is what I use; sure, it doesn't auto-update, but according to what was reported here that was the reason why I skipped that bad file, and it doesn't bundle anything.

    They used to offer a slim installer that was adware free, but it looks like they've done away with that.
     
  9. Deke40

    Deke40

    Joined:
    Jun 27, 2002
    Messages:
    6,008
    My MBAM caught the Trojan.Floxif and quarantined it. I thought this was a mistake until I checked Google and there were many threads about it. Downloaded the 5.34 version and will wait and see. Also didn't get any of the add-ons other people have seen.

    PS - I will go back to scanning the download file before installing, but figured CCleaner was okay. My MBAM doesn't scan until 4PM every day, thus the delay.
     


  10. dvk01

    dvk01 Moderator Malware Specialist Thread Starter

    Joined:
    Dec 14, 2002
    Messages:
    56,222
    First Name:
    Derek
  11. simian

    simian Account Closed

    Joined:
    Sep 10, 2017
    Messages:
    150
    This is precisely the reason why, when providing support replies to users in these or ANY other boards, where we are suggesting and offering a link to ANY piece of software for download, we shouldn't offer ANY direct download links to ANY software we recommend, and should take extra precautions to ensure that the user is at least verifying any program checksums or is able to review the program in question.

    I just came across a thread where a trusted advisor not only recommended a 3rd party program but the link offered was a direct link starting an automatic download.

    There should be no presumption or assumptions made about this type of scenario, ignore at own peril.
     
  12. Deke40

    Deke40

    Joined:
    Jun 27, 2002
    Messages:
    6,008
    I keep reading that only the 32-bit version was vulnerable, not the 64-bit (which I use), yet as I stated previously my MBAM caught it and quarantined it.

    Also there was a new version available this morning: 5.35.6210.
     
  13. dvk01

    dvk01 Moderator Malware Specialist Thread Starter

    Joined:
    Dec 14, 2002
    Messages:
    56,222
    First Name:
    Derek
    There is going to be debate & discussion about this for weeks (if not months) to come. The general consensus is that ANYBODY who installed version 5.33 is potentially at risk.
    However investigations (not yet concluded) are suggesting that these were more targeted at larger companies in certain disciplines or industries. The list so far published is NOT the entire list of affected or potentially affected companies or industries. Logs from before 12 September were deleted by the attackers.

    We "know" about 700,000 computers sent some information back to the server. We only "know" that a small handful of less than 50 computers had the second stage malware installed. We do not know how many other computers were compromised or what information was sent back to the attackers that will allow a future compromise to take place.

    It is less likely that a home user will be seriously at risk, but it cannot be ruled out.
    Please read the latest blog post from Talos completely to understand what risk you or your company might be under and take appropriate steps.
     
  14. Deke40

    Deke40

    Joined:
    Jun 27, 2002
    Messages:
    6,008
    Found this statement from one of their honchos.

    In that blog post there is a quote from the CTO of Avast that says:

    Quote

    Some media reports suggest that the affected systems needed to be restored to a pre-August 15th state or reinstalled/rebuilt. We do not believe this is necessary. About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary. Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary. By similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer.

    Customers are advised to update to the latest version of CCleaner, which will remove the backdoor code from their systems. As of now, CCleaner 5.33 users are receiving a notification advising them to perform the update.

    I really hate the idea of formatting and I don't ever know if I have an image of my pc.
     
  15. dvk01

    dvk01 Moderator Malware Specialist Thread Starter

    Joined:
    Dec 14, 2002
    Messages:
    56,222
    First Name:
    Derek
    Lots of experts are saying that the Avast CTO is understating the risk.

    Your individual status or risk is up to you to decide, but as I stated earlier, it is less likely that a domestic user will be seriously at risk.
    I cannot guarantee the same low level of risk for any user inside any company, government department, human rights body, journalist, media company etc. who all might have been targeted.
     

Short URL to this thread: https://techguy.org/1196535
