CCleaner Malware Incident

[1234ava]

I don't want to dramatize, but what do you think of Bleeping Computer's advice?
https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/

Should I do anything else after the malware has been removed?
As the installed Floxif infection was sending information about your computer and had the ability to download and install other programs, victims should change their passwords and perform security scans on the computer.

It is suggested that victims stop using the infected computer and then change their passwords from a computer or cell phone that did not have this version of CCleaner installed on it. This is because it is not known if other malware was installed by the Floxif infection and is currently running that may steal passwords and other information.

Once you have changed your passwords, you should perform scans using a antivirus application, if not multiple applications, to make sure that there are no other infections present on the computer. After this has been finished, and anything that may have been detected has been removed, you can begin using your computer again.

For those who want to be truly safe, the best course of action is to always reinstall Windows to be 100% safe. It goes without saying that this is not always feasible, so at a minimum, the suggested actions should be completed before you use the computer again.

[Pondus]

No, and why is explained here

https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident


========================================================
Some media reports suggest that the affected systems needed to be restored to a pre-August 15th state or reinstalled/rebuilt. We do not believe this is necessary. About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary. Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary. By similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer.
=======================================================

[abruptum]

CCleaner Malware second payload discovered

  https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/

In my case WbemPerf reg key is empty and I didn't find GeeSetup_x86.dll and TSMSISrv.dll on my system.

[1234ava]

From Avast blog:

Based on the analysis of this data, we believe that the second stage payload never activated...

According to a new Cisco Talos report, though, it looks like Avast was wrong.
On the other hand, the new Talos Intelligence report says the second payload specifically targeted tech companies.

http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.

[polonus]

Well if you belong to the dozen of firms that were specifically targeted by these very advanced sophisticated l33t Axiom aka Group 72 hackers from that C&C server like for instance Samsung, I would start back from stratch and turn everything upside down.

I cannot see the normal user base was as such affected, and I am certain avast will now make sure that does not happen.

I personally was very lucky to have the original version pre-dating from this whole afaire and did nothing to it, was a free version so an automatic update did not come in the way, despite of all the nagging pop-ups inside my Chrome browser.

polonus

[bob3160]

From Avast:
https://blog.avast.com/progress-on-ccleaner-investigation

[1234ava]

@bob
Yes, a new post on Avast Blog admits that the 2nd stage payload WAS delivered in some instances, although the vast majority of users were uninteresting for the attacker, but select ones were.
https://blog.avast.com/progress-on-ccleaner-investigation

This is a change from our previous statement, in which we said that to the best of our knowledge, the 2nd stage payload never delivered.

@Polonus
You are probably right: luckily, normal users are not affected, as far as we know so far. Let's hope we don't run out of luck.

[bob3160]

@bob
Yes, a new post on Avast Blog admits that the 2nd stage payload WAS delivered in some instances, although the vast majority of users were uninteresting for the attacker, but select ones were.
https://blog.avast.com/progress-on-ccleaner-investigation

This is a change from our previous statement, in which we said that to the best of our knowledge, the 2nd stage payload never delivered.

@Polonus
You are probably right: luckily, normal users are not affected, as far as we know so far. Let's hope we don't run out of luck.

Precisely why I posted the link. That way we see the story from all sides.

[polonus]

Hi 123ava,

Well the targeted telecom firms in the Netherlands, Germany etc. come now in a complete other position than the average user of CCleaner.

It was a so-called "watering hole" attack. The firms affected should do a roll back to before the attack(s) started and do further risk managment as to an eventual data breach, but that should not be adding up to more as you can/could find through a special n-map scan for info-stealing. But there are certain rules for mitigating such a compromittal and hardening and investigating, so damage control, all hands on deck. L33t Asian state actor hackers are not an adversary to underestimate!

Keep your eyes on the avast blog for the developing story and more breaking news as they say in the States...

polonus

[polonus]

Breaking: https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/

Deepening drama: Internet providers from two nations are bundling downloads with state spyware known a sFinFisher.
These downloads were WhatsApp, VLC, WinRAR, Skype and  Avast.
Read: https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/
This state spyware was brought to the target by man-in-the-middle-attack performed by that internetprovider.

When the target of the surveillance-operation wants to download a popular app like WhatsApp, VLC, WinRAR, Skype,
the provider sends him to a server of the attackers. There a trojaned version of the software waits.

You can scan if you are affected here: https://www.eset.com/int/home/online-scanner/

The countries involved are not mentioned because of security reasons.

Very annoying and very worrying news, when it all is supported by facts.

polonus

[bob3160]

@bob
Yes, a new post on Avast Blog admits that the 2nd stage payload WAS delivered in some instances, although the vast majority of users were uninteresting for the attacker, but select ones were.
https://blog.avast.com/progress-on-ccleaner-investigation

This is a change from our previous statement, in which we said that to the best of our knowledge, the 2nd stage payload never delivered.

@Polonus
You are probably right: luckily, normal users are not affected, as far as we know so far. Let's hope we don't run out of luck.

It's not your system that determines your vulnerability but, the version of Ccleaner you installed. If you installed the 64 bit version, you're safe. If you installed the 32 bit version of CCleaner, you're not and needed to update asap.So, you could have installed a 32 bit version on your 64 bit system and had a problem.Naturally, you could not have installed the 64 bit version on your 32 bit system.

[1234ava]

Personally, there are no known indicators of compromise on my 64-bit Windows 10, so the odds are it was not affected, even though CCleaner 5.33 installed both the 64-bit .EXE (clean) and the 32-bit version (the bad guy, which was eventually detected and quarantined by antivirus). Looks like the "bad" CCleaner was on my PC all the time but was never run.


That said, according to Talos reports the stage 2 installer included a 64-bit trojanized tool, too. Why did the attackers even bother to include a 64-bit tool if only 32-bit systems were to be affected? Perhaps the 64-bit code was there just because of code reuse? (Talos mentions code being reused). I really don't know.

The stage 2 installer is GeeSetup_x86.dll. This installer checks the OS version and then drops either a 32-bit or 64-bit version of a trojanized tool. The x86 version is using a trojanized TSMSISrv.dll, which drops VirtCDRDrv (which matches the filename of a legitimate executable that is part of Corel) using a similar method to the backdoored CCleaner tool. The x64 version drops a trojanized EFACli64.dll file named SymEFA which is the filename taken from a legitimate executable that is part of "Symantec Endpoint". None of the files that are dropped are signed or legitimate.

http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

[bob3160]

Maybe you need to ask them.

[Be Secure]

https://www.welivesecurity.com/2017/09/21/cconsiderations-on-ccleaner-incident/

[polonus]

Here avast does not get a very high score as was proven by the present incident:

https://www.av-test.org/en/news/news-single-view/32-products-put-to-the-test-how-good-is-antivirus-software-at-protecting-itself/

pol