Author Topic: CCleaner and installing avast with out permission...  (Read 37457 times)


Online polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31546
  • malware fighter
Re: CCleaner and installing avast with out permission...
« Reply #45 on: September 18, 2017, 11:11:15 PM »
Certainly have to agree with bob3160, think of this:
https://www.bleepingcomputer.com/news/security/over-36-000-computers-infected-with-nsas-doublepulsar-malware/

What defense against that do you have there, as "they", that infect,
consider themselves above the law of the land & the world actually to do their "spying implants".  :o

Always work in a normal user account, never as admin, and have your back-up routine ready.

Sign of the times, alas, and avast has to adopt as well. Don't rock the boat...we are all affected.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Vlk

  • Global Moderator
  • Serious Graphoman
  • **
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: CCleaner and installing avast with out permission...
« Reply #46 on: September 18, 2017, 11:13:31 PM »
Guys,

I just had a chance to read this thread and I'm a bit horrified as I think that there's quite some misconception about what actually went on.

First of all, the bottom line is: to the best of our knowledge, no harm was done to any CCleaner users as the threat was removed before it had a chance to fully activate.
This is really not about downplaying the issue. This is a statement based on a pretty thorough analysis, partially shared below and partially still embargoed because of the ongoing investigation.

Now, some facts:
- Avast acquired a company (Piriform) which was in the process of being hacked. We have good evidence that the attack started at least several weeks before the acquisition.
- Immediately after we first learned about something wrong with the CCleaner product (which was on September 12, i.e. 6 days ago) we started working on it and have been working on it around the clock since then.
- The #1 priority for us was to protect the CCleaner customers and minimize the actual customer impact of the incident.
- For that reason, we first focused on fully understanding the malicious code and disconnecting the bad actors from their ability to control the backdoor, i.e. taking down the CnC servers.
- The CnC server was taken down on September 15, three days after we first learned about the incident. Given how difficult these things tend to be, we consider this a very good result and I don't see how we could have done it any better. (By that time, the secondary CnC servers (the DGA domains) were already sinkholed as well, so that technically cut the attackers off their ability to control the backdoor).

At the same time, we wanted to understand whether the second stage payload could have already activated before the threat was discovered. Now, the good thing is that about 30% of CCleaner users also run Avast security software, which allowed us to analyze behavioral, traffic and file/registry data from those machines.  Based on this analysis, we can say with high confidence that to the best of our knowledge, the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary itself. We also asked our colleagues from other security companies, but haven't heard anyone seeing anything suspicious either. And that's great news, as it means that despite the high sophistication of the attack, we managed to disarm the system before it was able to do any harm. To that end, we don't consider the advice to reformat and/or restore the affected machines to the pre-August 15 state to be based on facts (by similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer, just because there was a hypothetical possibility that something might have gotten in).

BTW, I have to say I was quite disappointed by the approach taken by the Cisco Talos team who appears to be trying to use information about this incident to drive marketing activities and piggyback on the case to increase the visibility of their upcoming product. And, I should probably also say that it wasn't Cisco who first notified us about the problem. The threat was first discovered and reported to us by researchers in a security company called Morphisec (thank you!). The threat was real, but to the best of our knowledge, it was fortunately mitigated before it could do any harm.

We plan to be issuing more communication about this as we go. This is a very unfortunate incident and of course, it's in our highest interest to properly investigate the issue and make sure it never happens again. Unfortunately, as you can imagine, the security measures in small companies are usually not up to the standard and that's a big lesson for us in terms of what to look for in case of future acquisitions.

Thanks,
Vlk
If at first you don't succeed, then skydiving's not for you.

Offline Erroneus

  • Former recommender of Avast
  • Full Member
  • ***
  • Posts: 166
  • RIP Avast
    • Personal blog
Re: CCleaner and installing avast with out permission...
« Reply #47 on: September 18, 2017, 11:38:30 PM »
Finally some proper information, that's a step in the right direction.

While you might be pleased with how Avast has handled this and got the CnC servers shut down, you also have to understand, the lack of proper information is scary for end users, who don't have the details and don't know if they were infected or not. If you don't want people to restore their systems, then deliver more precise information.
Homebuild machine - Intel I5 3570K@4,3 Ghz
Lenovo T460s
Windows 10 1709 Enterprise 64bit: Panda Pro

Offline Alikhan

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
Re: CCleaner and installing avast with out permission...
« Reply #48 on: September 18, 2017, 11:49:56 PM »
The Payload stored information at HKLM\SOFTWARE\Piriform\Agomo but there doesn't seem to be any evidence that the second stage executed. I've got the malicious CCleaner on a spare PC without any anti-virus and waiting to see any behaviour changes. If you're feeling suspicious feel free to delete the registry entry. Most, if not all anti-virus detect CCleaner with the embedded malicious code. The 64bit version of CCleaner was also unaffected to my understanding.

The question here is simple, how did the unauthorised code appear in CCleaner software?
« Last Edit: September 18, 2017, 11:54:25 PM by Alikhan »
Windows 10 Home 64-bit • Avast Internet Security (latest stable version) • Malwarebytes 3 Premium (latest) • Google Chrome • CCleaner •

Offline Vlk

  • Global Moderator
  • Serious Graphoman
  • **
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: CCleaner and installing avast with out permission...
« Reply #49 on: September 18, 2017, 11:55:49 PM »
The Payload stored information at HKLM\SOFTWARE\Piriform\Agomo but there doesn't seem to be any evidence that the second stage executed. I've got the malicious CCleaner on a spare PC without any anti-virus and waiting to see any behaviour changes.

There was no second stage -- but of course, feel free to monitor the PC (we have done quite a bit of that already).

If you're feeling suspicious, feel free to delete the registry entry. Most, if not all anti-virus detect the CCleaner with the embedded malicious code. The 64bit version of CCleaner was also unaffected to my understanding.

Deleting the registry entry doesn't resolve anything, but also doesn't harm.
Yes, only 32-bit Windows users were affected.

The question here is simple, how did the unauthorised code appear in CCleaner software?

See my post above.
If at first you don't succeed, then skydiving's not for you.

Offline carcarter2585

  • Newbie
  • *
  • Posts: 11
Re: CCleaner and installing avast with out permission...
« Reply #50 on: September 19, 2017, 12:14:57 AM »
I have windows 7 64-bit and today when running ccleaner my antivirus ESET Smart Security 10 notified me of this threat:


Hour; 9/18/2017 1:32:40 p.m
Scan module; Memory scan
Type of object; archive
Object; Operating Memory = CCleaner.exe (1124)
Threat; a variant of Win32 / CCleaner.B Trojan
Action; disinfected - contained infected files
User;
Information;
Hash; 38365DFEDF883AB2CF0F21434686BF58B8FAE5F6
First seen here

If it is assumed that the 64-bit version was not affected, why did eset throw me this alert when running ccleaner?
« Last Edit: September 19, 2017, 12:17:13 AM by carcarter2585 »

Offline Vlk

  • Global Moderator
  • Serious Graphoman
  • **
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: CCleaner and installing avast with out permission...
« Reply #51 on: September 19, 2017, 12:17:29 AM »
I have windows 7 64-bit and today when running ccleaner my antivirus ESET Smart Security 10 notified me of this threat:


Hour; 9/18/2017 1:32:40 p.m
Scan module; Memory scan
Type of object; archive
Object; Operating Memory = CCleaner.exe (1124)
Threat; a variant of Win32 / CCleaner.B Trojan
Action; disinfected - contained infected files
User;
Information;
Hash; 38365DFEDF883AB2CF0F21434686BF58B8FAE5F6
First seen here

If it is assumed that the 64-bit version was not affected, why did eset throw me this alert when running ccleaner?

Because both 32b and 64b binaries are present on the HDD... but the payload doesn't activate on 64-bit.
You can check the existence of the registry key HKLM\SOFTWARE\Piriform\Agomo  -- if it exists, the backdoor activated, otherwise it didn't.

Thanks
Vlk
If at first you don't succeed, then skydiving's not for you.
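
The registry check described in the reply above, as an added example that is not part of the original thread or any vendor's tooling. It assumes PowerShell 3.0 or later; the function name `Get-AgomoKeyState` is hypothetical, and only the key path comes from the thread. It looks in both registry views because on 64-bit Windows a 32-bit process's writes under HKLM\SOFTWARE are redirected to WOW6432Node.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0+ (.NET 4 RegistryView API).
# The key path is the one quoted in the thread; all other names are illustrative.
$SubKey = 'SOFTWARE\Piriform\Agomo'

function Get-AgomoKeyState {
    param([Parameter(Mandatory)][Microsoft.Win32.RegistryView]$View)

    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)   # read-only open; $null when the key is absent
        if ($null -eq $key) {
            return [pscustomobject]@{ View = $View; Present = $false; ValueNames = @() }
        }
        try {
            # List value names only; the data is left untouched for later analysis.
            return [pscustomobject]@{
                View       = $View
                Present    = $true
                ValueNames = $key.GetValueNames()
            }
        } finally { $key.Dispose() }
    } finally { $base.Dispose() }
}

# On 64-bit Windows, a 32-bit process writing under HKLM\SOFTWARE lands in
# HKLM\SOFTWARE\WOW6432Node, so the 32-bit view is checked explicitly.
# On 32-bit Windows there is only one view.
$views = @([Microsoft.Win32.RegistryView]::Registry32)
if ([Environment]::Is64BitOperatingSystem) {
    $views += [Microsoft.Win32.RegistryView]::Registry64
}

$results = foreach ($v in $views) { Get-AgomoKeyState -View $v }
$results |
    Format-Table View, Present, @{ n = 'Values'; e = { $_.ValueNames -join ', ' } } -AutoSize

if ($results | Where-Object Present) {
    Write-Warning 'Key found: per the thread, this indicates the backdoor code activated.'
} else {
    Write-Output 'Key not found in any registry view.'
}
```

The script only reads the registry; it does not delete or modify the key, so any values remain available for investigation.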

Offline carcarter2585

  • Newbie
  • *
  • Posts: 11
Re: CCleaner and installing avast with out permission...
« Reply #52 on: September 19, 2017, 12:28:47 AM »
I have windows 7 64-bit and today when running ccleaner my antivirus ESET Smart Security 10 notified me of this threat:


Hour; 9/18/2017 1:32:40 p.m
Scan module; Memory scan
Type of object; archive
Object; Operating Memory = CCleaner.exe (1124)
Threat; a variant of Win32 / CCleaner.B Trojan
Action; disinfected - contained infected files
User;
Information;
Hash; 38365DFEDF883AB2CF0F21434686BF58B8FAE5F6
First seen here

If it is assumed that the 64-bit version was not affected, why did eset throw me this alert when running ccleaner?

Because both 32b and 64b binaries are present on the HDD... but the payload doesn't activate on 64-bit.
You can check the existence of the registry key HKLM\SOFTWARE\Piriform\Agomo  -- if it exists, the backdoor activated, otherwise it didn't.

Thanks
Vlk

Thank you very much, no, I do not have any keys with that name.

Offline Franco90

  • Newbie
  • *
  • Posts: 2
Re: CCleaner and installing avast with out permission...
« Reply #53 on: September 19, 2017, 08:02:40 AM »
Because both 32b and 64b binaries are present on the HDD... but the payload doesn't activate on 64-bit.
You can check the existence of the registry key HKLM\SOFTWARE\Piriform\Agomo  -- if it exists, the backdoor activated, otherwise it didn't.

Thanks
Vlk
I have this registry key on my Windows 10 (x86) machine. What can I do now?

I have already:
1) upgraded Ccleaner 5.34
2) deleted this registry key
3) done several system scans with Kaspersky Internet Security 2018 and Malwarebytes 3.2.2.2018 (nothing was found)

Is it enough, or must I format my machine?

Thank you in advance

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 59925
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: CCleaner and installing avast with out permission...
« Reply #54 on: September 19, 2017, 08:07:01 AM »
Is it enough, or must I format my machine?

Thank you in advance
You're good to go, no need to format.
Windows 8.1 [x64] - Avast Premier 19.7.2384.B1 - CC 5.60 - EEK - Firefox ESR 60.8 [NS/AOS/uBO] - TB 60.8 [EM] - ACP/ASB/ASL.BC
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523

Offline Erroneus

  • Former recommender of Avast
  • Full Member
  • ***
  • Posts: 166
  • RIP Avast
    • Personal blog
Re: CCleaner and installing avast with out permission...
« Reply #55 on: September 19, 2017, 09:07:39 AM »
Because both 32b and 64b binaries are present on the HDD... but the payload doesn't activate on 64-bit.

On 64bit systems, the 32bit binary is executed on login via TaskScheduler and the job CCleanerSkipUAC. Can you confirm the payload is not executed when the CCleanerSkipUAC job is executed?

Thanks
Homebuild machine - Intel I5 3570K@4,3 Ghz
Lenovo T460s
Windows 10 1709 Enterprise 64bit: Panda Pro

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31366
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: CCleaner and installing avast with out permission...
« Reply #56 on: September 19, 2017, 09:20:54 AM »
Think this thread should be split in two as it has gone off topic way too long.

Offline Franco90

  • Newbie
  • *
  • Posts: 2
Re: CCleaner and installing avast with out permission...
« Reply #57 on: September 19, 2017, 09:29:30 AM »
Is it enough, or must I format my machine?

Thank you in advance
You're good to go, no need to format.
Thank you  ;)

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 59925
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: CCleaner and installing avast with out permission...
« Reply #58 on: September 19, 2017, 09:37:18 AM »
Is it enough, or must I format my machine?

Thank you in advance
You're good to go, no need to format.
Thank you  ;)
You're welcome. :)
Windows 8.1 [x64] - Avast Premier 19.7.2384.B1 - CC 5.60 - EEK - Firefox ESR 60.8 [NS/AOS/uBO] - TB 60.8 [EM] - ACP/ASB/ASL.BC
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523

Offline sloshnmosh1

  • Jr. Member
  • **
  • Posts: 37
Re: CCleaner and installing avast with out permission...
« Reply #59 on: September 19, 2017, 10:30:33 AM »
I just scanned the "tainted" CC Cleaner in question through Virustotal and while most AV engines are now flagging it as a Trojan or modified CC Cleaner, all of Avast's products running on Virustotal are still giving the specimen a "pass".

(But as Eddy said on another thread, perhaps Virustotal hasn't updated Avast's VPS detections recently?)

https://www.virustotal.com/#/file/1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff/detection

But Cisco (and others) made a good point, why hasn't the Symantec signing certificate been revoked?

I see that the newest (safe) release of CC Cleaner (534) is still using the same exact Symantec signing key as the version with the backdoor?