Bwahaha! AVAST distributing malware.... I'll just stick with MS provided Defender for now.
Old games (like the ones I have) don't require 24/7 Internet access either. :)
It seems the installer I downloaded is clean.
Regedit can't find "Agomo" on any of my PCs or VMs (XP, W7 & W10 - 32 bit or 64 bit).
Update
It looks like the Registry Key is irrelevant!
MBAM just detected something on my main PC ("funnily enough" Avast detected nothing).
Last edited by lehnerus2000; 18 Sep 2017 at 20:19. Reason: Update
Indeed, all this malware does is collect some system info; pretty much every software does that.
Secondly, taking control over remote devices using the cloud version: every remote software is susceptible to this. TeamViewer had been hacked and had its installer altered a few times, so that is to be expected from cloud.
CCleaner and installing avast with out permission...
First of all, the bottom line is: to the best of our knowledge, no harm was done to any CCleaner users as the threat was removed before it had a chance to fully activate.
This is really not about downplaying the issue. This is a statement based on a pretty thorough analysis, partially shared below and partially still embargoed because of the ongoing investigation.
Now, some facts:
- Avast acquired a company (Piriform) which was in the process of being hacked. We have good evidence that the attack started at least several weeks before the acquisition.
- Immediately after we first learned about something wrong with the CCleaner product (which was on September 12, i.e. 6 days ago) we started working on it and have been working on it around the clock since then.
- The #1 priority for us was to protect the CCleaner customers and minimize the actual customer impact of the incident.
- For that reason, we first focused on fully understanding the malicious code and disconnecting the bad actors from their ability to control the backdoor, i.e. taking down the CnC servers.
- The CnC server was taken down on September 15, three days after we first learned about the incident. Given how difficult these things tend to be, we consider this a very good result and I don't see how we could have done it any better. (By that time, the secondary CnC servers (the DGA domains) were already sinkholed as well, so that technically cut the attackers off their ability to control the backdoor).
Update to the CCleaner 5.33.6162 Security Incident September 19
Thanks TairikuOkami for the link.
It is quite obvious that the fake news syndrome is spreading fast and in every facet of life.
Hackers trying to infiltrate software is not new in any sense. I have trusted CCleaner for years and it seems that Avast also saw a great product in acquiring it. Unfortunately just as if your Equifax info were stolen by hackers, you'd have to read up to find out if you feel secure about your info.
This info from Avast is quite clear.
Official news release: Update to the CCleaner 5.33.6162 Security Incident
Unfortunately the damage is done, not just to Piriform, but to Avast as well, long term.
I agree.
My two cents, I don't like Avast security software, I'm more of a NOD guy but that's my choice. Wouldn't be surprised that anti virus software gets hacked.
Still gonna use CCleaner until it probably gets bloated like PGP, Acronis and others that got taken over. Hope not...
I'm on Win10 64 bit and CCleaner 64 bit; however, I was on the hacked version and updated to the "Safe" version before any of the hacked news came out.
So I checked HKLM\SOFTWARE\Piriform\ and the only subfolder is ccleaner, no Agomo of any type, and scanned with Malwarebytes and WinDefender and nothing came up. Does this mean I'm in the clear or should I be looking at anything else?
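
Added example (not written by any poster in this thread, nor by Avast or Piriform): a read-only PowerShell check for the "Agomo" subkey discussed above in both registry views, because on 64-bit Windows a 32-bit process writing under HKLM\SOFTWARE is redirected to HKLM\SOFTWARE\WOW6432Node, which browsing HKLM\SOFTWARE\Piriform does not show. It assumes PowerShell 3.0 or later on .NET 4; as noted earlier in the thread, a missing key is only one indicator and does not by itself clear a machine.

```powershell
# Added example: look for the "Agomo" subkey under HKLM\SOFTWARE\Piriform in
# every registry view. Read-only; requires PowerShell 3.0+ (.NET 4 APIs).
$subKeyPath = 'SOFTWARE\Piriform\Agomo'   # key name taken from the thread

# On 64-bit Windows check both views; on 32-bit Windows there is only one.
if ([Environment]::Is64BitOperatingSystem) {
    $views = [ordered]@{
        '64-bit view'               = [Microsoft.Win32.RegistryView]::Registry64
        '32-bit view (WOW6432Node)' = [Microsoft.Win32.RegistryView]::Registry32
    }
} else {
    $views = [ordered]@{
        'native view' = [Microsoft.Win32.RegistryView]::Default
    }
}

$results = foreach ($name in $views.Keys) {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $views[$name])
    try {
        $key = $base.OpenSubKey($subKeyPath)   # $null when the key is absent
        if ($null -ne $key) {
            [pscustomobject]@{
                View       = $name
                Present    = $true
                ValueNames = ($key.GetValueNames() -join ', ')
            }
            $key.Close()
        } else {
            [pscustomobject]@{ View = $name; Present = $false; ValueNames = '' }
        }
    } finally {
        $base.Close()
    }
}

$results | Format-Table -AutoSize

if ($results.Present -contains $true) {
    Write-Warning "Found HKLM\$subKeyPath in at least one registry view."
} else {
    Write-Output "HKLM\$subKeyPath not found in any registry view."
}
```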