CCleaner: A Vast Number of Machines at Risk

  1. Josey Wales's Avatar
    Posts : 24,731
    Win 10 Pro 19043.928
       #10

    CCleaner Hacked


    CCleaner Hacked - Malware Spread to 2.2 Million Users - MajorGeeks

    Here is the official summary and apology:

    "We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.

    Technical description
    An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.

    The malware was also programmed to collect a bunch of user data, including:

    - Name of the computer
    - List of installed software, including Windows updates
    - List of running processes
    - MAC addresses of first three network adapters
    - Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.

    Talos’ report warns that the malware was found in CCleaner version 5.33, which was actively distributed between August 15 and September 12. What is particularly jarring is that it appears the infected app was signed with a valid certificate Symantec issued to Piriform (recently acquired by Avast)."


    Be sure to update your CCleaner immediately with version 5.34.6207 or better yet, get a better drive cleaner and replace it with Wise Disk Cleaner. It would also be a good idea to scan your system with a trusted application like Malwarebytes.


  2. Fisher Mann's Avatar
    Posts : 477
    Win 10 Pro x64 19645 Fast
       #11

    I just ran a scan on my 64-bit machine and this is what I got:
    This is CC Pro version.


  3. axe0's Avatar
    Posts : 14,785
    Windows 10 Pro
       #12

    For some easier ID'ing if you've been infected, search in HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\CCleaner\Agomo for the following key values:
    - MUID: randomly generated number identifying a particular system. Possibly also to be used as communication encryption key.
    - TCID: timer value used for checking whether to perform certain actions (communication, etc.)
    - NID: IP address of secondary CnC server
    If they are present, you're infected!

    Additionally, the Agomo key should not be present in your registry.
    Last edited by axe0; 18 Sep 2017 at 09:30. Reason: Correction
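
The registry check described in the post above, as an added PowerShell example (not part of the original post, and not Piriform's or Avast's tooling). It assumes the key may sit in either registry view, since a 32-bit process on 64-bit Windows is redirected to the 32-bit view, so it opens both explicitly and read-only.

```powershell
# Added example: look for the Agomo key and the MUID/TCID/NID values named in the post.
# Assumption: the key may exist in the 32-bit or the 64-bit registry view, so both
# are opened explicitly instead of relying on the bitness of the PowerShell host.
$subKey     = 'SOFTWARE\Piriform\CCleaner\Agomo'
$valueNames = 'MUID', 'TCID', 'NID'

function Get-AgomoFinding {
    param([Microsoft.Win32.RegistryView]$View)

    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($subKey)   # read-only; $null when the key is absent
        if ($null -eq $key) {
            return [pscustomobject]@{ View = $View; KeyPresent = $false; ValuesFound = @() }
        }
        try {
            $present = @($key.GetValueNames())
            # -contains is case-insensitive, matching registry value-name semantics
            $found = @($valueNames | Where-Object { $present -contains $_ })
            return [pscustomobject]@{ View = $View; KeyPresent = $true; ValuesFound = $found }
        }
        finally { $key.Dispose() }
    }
    finally { $base.Dispose() }
}

$views = @([Microsoft.Win32.RegistryView]::Registry32)
if ([Environment]::Is64BitOperatingSystem) {
    $views += [Microsoft.Win32.RegistryView]::Registry64
}

$findings = foreach ($v in $views) { Get-AgomoFinding -View $v }
$findings | Format-Table View, KeyPresent, @{ n = 'Values'; e = { $_.ValuesFound -join ',' } }

if ($findings | Where-Object { $_.KeyPresent }) {
    # Per the post, the Agomo key itself should not exist on a clean system.
    Write-Warning 'Agomo key present: treat this host as affected and investigate.'
}
else {
    Write-Output 'Agomo key not found in any registry view.'
}
```

The script only reads the registry and prints which of the three value names were found; it does not print their contents and does not modify or delete anything.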

  4. Wiley Coyote's Avatar
    Posts : 1,097
    Windows 10 Home x64 Version 1809 (OS Build 17763.437)
       #13

    HUMPH! My complaint about the last CCleaner update installing AVAST even after I declined pales in comparison to this.

  5. Josey Wales's Avatar
    Posts : 24,731
    Win 10 Pro 19043.928
       #14

    axe0 said:
    For some easier ID'ing if you've been infected, search in HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\CCleaner\Agomo for the following keys


    If they are present, you're infected!
    Thanks for the info. Mine is clean.

  6. D4ni3l's Avatar
    Posts : 307
    Microsoft Windows 10 x64
       #15

    Having CCleaner 5.34.6207 (64-bit) Tech Edition.
    Just ran Malwarebytes 3.2.2.2029

    nothing detected

  7. Berton's Avatar
    Posts : 10,519
    Win10 Pro Versions 2004 and 2009/20H2, Win10 Pro IP_Dev, Win10 Home 1909
       #16

    I use the Portable versions of Piriform's programs, nothing installed.

  8. ignatzatsonic's Avatar
    Posts : 2,397
    Windows 10 Home, 64-bit
       #17

    Berton said:
    I use the Portable versions of Piriform's programs, nothing installed.
    Probably a good idea.

    Are there any possible downsides to that?

    Wondering if Speccy is next?

    A buyout by Avast can't be good in the long run. Maybe a reduction in the features of the free versions as they attempt to get paid for their buyout.

  9. swarfega's Avatar
    Posts : 7,087
    Windows 10 Pro 64-bit
    Thread Starter
       #18

    Speccy isn't as well known as CCleaner so there won't be so many victims for them.

  10. Josey Wales's Avatar
    Posts : 24,731
    Win 10 Pro 19043.928
       #19

    No one is 100% safe; if you want to be, pull your Ethernet plug and play solitaire all day. :)


 