Author Topic: CCleaner Malware Incident  (Read 12324 times)


Offline 1234ava

  • Full Member
  • ***
  • Posts: 161
Re: CCleaner Malware Incident
« Reply #30 on: September 21, 2017, 08:26:37 PM »
@Polonus
Interesting read.
I've just tried downloading Avast Free from the Avast web site.
It came from http (not https), but looks like it's my ISP's proxy.
Then I tried again with the Https Everywhere extension for Chrome, so I got the direct download from https://files.avast.com/iavs9x/avast_free_antivirus_setup_offline.exe


Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48819
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: CCleaner Malware Incident
« Reply #31 on: September 21, 2017, 09:23:38 PM »
> @Polonus
> Interesting read.
> I've just tried downloading Avast Free from the Avast web site.
> It came from http (not https), but looks like it's my ISP's proxy.
> Then I tried again with the Https Everywhere extension for Chrome, so I got the direct download from https://files.avast.com/iavs9x/avast_free_antivirus_setup_offline.exe

If you're downloading from https://www.avast.com/free-antivirus-download
you are redirected to https://www.avast.com/download-thank-you.php?product=FAV-ONLINE&locale=en-ww
(This is really off topic for this thread.)
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline EmoHobo

  • Sr. Member
  • ****
  • Posts: 339
Re: CCleaner Malware Incident
« Reply #32 on: September 22, 2017, 01:24:16 AM »
Is there an easy way to tell if you've been affected by the second payload? Am I fine if I missed the first one? I had the 64-bit version.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48819
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: CCleaner Malware Incident
« Reply #33 on: September 22, 2017, 01:36:36 AM »
You're fine.

Offline EmoHobo

  • Sr. Member
  • ****
  • Posts: 339
Re: CCleaner Malware Incident
« Reply #34 on: September 22, 2017, 04:56:11 AM »
> You're fine.

I looked in Regedit and I found the entry posted here

https://cdn.ghacks.net/wp-content/uploads/2017/09/ccleaner-2nd-payload.png

Doesn't that mean I'm infected?

Offline 1234ava

  • Full Member
  • ***
  • Posts: 161
Re: CCleaner Malware Incident
« Reply #35 on: September 22, 2017, 12:27:48 PM »
@EmoHobo

Do you see the registry keys reported by Talos among the indicators of compromise?

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004

http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html
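A way to check those locations from an elevated PowerShell prompt, as an added example that is not part of this thread and not code from Talos. It treats the normal state as "WbemPerf exists but holds no 001-004 entries", checks both subkey and value forms of the names (the screenshot and the IoC list are ambiguous about which), and also looks in the WOW6432Node view, which is an assumption added so a 32-bit writer on 64-bit Windows is not missed by registry redirection:

```powershell
# Added example, not code from this thread or from Talos: check the registry
# locations the post above lists as indicators of the second-stage payload.
# Normal state: the WbemPerf key exists but is empty (no 001-004 subkeys or values).

function Test-WbemPerfIndicators {
    param(
        # Both registry views are checked; the WOW6432Node path is an assumption
        # added so a 32-bit writer on 64-bit Windows is not missed by redirection.
        [string[]]$BasePaths = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\WbemPerf'
        ),
        [string[]]$Indicators = @('001', '002', '003', '004')
    )

    $findings = @()
    foreach ($base in $BasePaths) {
        if (-not (Test-Path -LiteralPath $base)) { continue }

        $key = Get-Item -LiteralPath $base
        foreach ($name in $Indicators) {
            # The IoC list is ambiguous about whether 001-004 are subkeys or
            # values under WbemPerf, so both forms are checked.
            $subkeyPath = Join-Path $base $name
            if (Test-Path -LiteralPath $subkeyPath) {
                $findings += [pscustomobject]@{ Location = $subkeyPath; Kind = 'Subkey' }
            }
            if ($key.GetValueNames() -contains $name) {
                $findings += [pscustomobject]@{ Location = "$base\$name"; Kind = 'Value' }
            }
        }
    }
    return $findings
}

$hits = @(Test-WbemPerfIndicators)
if ($hits.Count -eq 0) {
    Write-Output 'No WbemPerf 001-004 indicators present.'
} else {
    Write-Warning 'WbemPerf indicators present; preserve the machine state and investigate.'
    $hits | Format-Table -AutoSize
}
```

An empty WbemPerf key on its own is not a finding; only the named entries under it are. If the script reports hits, leave the keys in place until the system has been imaged or otherwise preserved, since removing them destroys evidence of what ran.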

Offline EmoHobo

  • Sr. Member
  • ****
  • Posts: 339
Re: CCleaner Malware Incident
« Reply #36 on: September 22, 2017, 12:58:53 PM »
Nope, I am way too paranoid.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34047
  • malware fighter
Re: CCleaner Malware Incident
« Reply #37 on: September 22, 2017, 01:52:23 PM »
@1234ava,

Although not directly related - the download link you gave (well, the technology firm akamai was also targeted by the very Group 72 hackers during the recent incident) - akamai has an embedded transparency Symantec Class 3 Secure CA G4 intermediate certificate and tested certificate.

Here a quick and dirty report on the avast download link....

The response exceeds the maximum file size allowed by the application. VirusTotal - that is your http issue...
Netcraft risk rating 7 red out of 10: http://toolbar.netcraft.com/site_report?url=http://a23-4-13-51.deploy.static.akamaitechnologies.com
versus http://toolbar.netcraft.com/site_report?url=https://a23-4-13-51.deploy.static.akamaitechnologies.com

Certificate given as untrusted here: https://www.htbridge.com/ssl/?id=2ni4qAZQ

C-Grade status: https://tls.imirhil.fr/https/a23-4-13-51.deploy.static.akamaitechnologies.com

F-Grade status: https://securityheaders.io/?q=https%3A%2F%2Fa23-4-13-51.deploy.static.akamaitechnologies.com%2F&hide=on

Interesting for us here: https://observatory.mozilla.org/analyze.html?host=a23-4-13-51.deploy.static.akamaitechnologies.com#tls

Preferred clients: Compatible Clients:   Android 2.3.7, Apple ATS 9, Baidu Jan 2015, BingBot Dec 2013, BingPreview Dec 2013, Chrome 27, Edge 12, Firefox 21, Googlebot Oct 2013, IE 7, Java 6u45, OpenSSL 0.9.8y, Opera 12.15, Safari 5, Tor 17.0.9, Yahoo Slurp Oct 2013, YandexBot May 2014

The certificate explainer: https://tls-observatory.services.mozilla.com/static/certsplainer.html?id=13271123

Not dangerous, but leaves room for improvement; but we meet certain restrictions, because it also has to run on older clients...  :P

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Cluster-Lizard2014

  • Sr. Member
  • ****
  • Posts: 349
Re: CCleaner Malware Incident
« Reply #38 on: September 22, 2017, 01:53:25 PM »
As somebody earlier here also mentioned, even those who 'only' installed the 64-bit version of the compromised release may also have had an infected EXE on their machine. That would include me, as I diligently check for updates at least once a month and I still had (now thoroughly removed) that version update installer in the short-term archive I keep. I'm certain I must have installed the 64-bit version of that release.

I also use the CCleaner portable version on a flash drive very occasionally with a 32-bit OS system but luckily, and most unlike me, I'd forgotten to update that during the period in question.

The problem is CCleaner includes what I'd assume is a 32-bit version (how do you tell?) as part of the 64-bit package, something that is fairly common practice so it would work even if you downloaded the wrong version.

You'd hope with a 64-bit OS only the 64-bit EXE would have been used, but can you be sure?

I've been wading through the reams of stuff here and elsewhere about this and maybe I've missed it, but I'm still not certain what this means. But it would appear we 64-bit OS CCleaner users may have dodged the bullet by luck and nothing else.

I've still done multiple full scans with every bit of security software I have, but I'm still not happy. That an update downloaded direct from the originator actually contained malware is a pretty bad look for all concerned.
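On the "how do you tell?" question: the architecture of an EXE is recorded in its PE header, in the Machine field of the COFF header, so it can be read without running the file. The following is an added example, not code from this thread or from Piriform, that reads that field and lists the result for every .exe in the CCleaner directory; the install path is an assumption (the default location):

```powershell
# Added example, not code from this thread or from Piriform: answer "how do you
# tell?" by reading the PE header's Machine field, then apply it to every .exe in
# the CCleaner directory. The install path is an assumption (default location).

function Get-PeMachineType {
    param([Parameter(Mandatory)][string]$Path)

    $fs = [System.IO.File]::OpenRead($Path)
    try {
        # DOS header: 'MZ' magic, and e_lfanew (offset 0x3C) points to the PE signature.
        $dos = New-Object byte[] 64
        if ($fs.Read($dos, 0, 64) -ne 64 -or $dos[0] -ne 0x4D -or $dos[1] -ne 0x5A) {
            return 'NotPE'
        }
        $peOffset = [BitConverter]::ToInt32($dos, 0x3C)
        if ($peOffset -lt 64 -or ($peOffset + 6) -gt $fs.Length) { return 'NotPE' }

        # 'PE\0\0' signature followed by the COFF header; Machine is its first field.
        $null = $fs.Seek($peOffset, [System.IO.SeekOrigin]::Begin)
        $hdr = New-Object byte[] 6
        if ($fs.Read($hdr, 0, 6) -ne 6 -or $hdr[0] -ne 0x50 -or $hdr[1] -ne 0x45 -or
            $hdr[2] -ne 0 -or $hdr[3] -ne 0) {
            return 'NotPE'
        }
        $machine = [BitConverter]::ToUInt16($hdr, 4)
        switch ($machine) {
            0x014C  { return 'x86 (32-bit)' }
            0x8664  { return 'x64 (64-bit)' }
            0xAA64  { return 'ARM64' }
            default { return ('Unknown (0x{0:X4})' -f $machine) }
        }
    } finally {
        $fs.Dispose()
    }
}

$ccleanerDir = 'C:\Program Files\CCleaner'   # assumption: default 64-bit install path
Get-ChildItem -LiteralPath $ccleanerDir -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            File   = $_.Name
            Arch   = Get-PeMachineType -Path $_.FullName
            SizeKB = [math]::Round($_.Length / 1KB)
        }
    } | Format-Table -AutoSize
```

This answers which binaries on disk are 32-bit and which are 64-bit; it does not answer which one was launched. For that, check the target of the shortcut or scheduled task that starts CCleaner, since a 64-bit package that ships both executables can start either.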

   

Offline Cluster-Lizard2014

  • Sr. Member
  • ****
  • Posts: 349
Re: CCleaner Malware Incident
« Reply #39 on: September 22, 2017, 02:09:43 PM »
> Nope, I am way too paranoid.

That had me worried too as that is what my registry shows too, but from the web sites talking about this issue and the registry entry ".....WbemPerf....." it would appear that is how it should look, i.e. with no keys/values set.

If it has any of those ^^^ keys shown ... be paranoid. :)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34047
  • malware fighter
Re: CCleaner Malware Incident
« Reply #40 on: September 22, 2017, 02:18:25 PM »
Hi Cluster-Lizard,

When you have a payload on your low-end C2 server, like Piriform had, and no one from the outside makes you aware of it, you are quite blind to it. The only thing is why Avast did not do proper release management, and when they did, the question is when they realized they had acquired trojaned software, it being wrought by an extra renowned l33t, very sophisticated state hacker group like Axiom or Group 72.

All very unfortunate. The latest version of CCleaner has now been checked by all of the AV world and the kitchen sink, so to speak, so if anything can be trusted it is that very download now.  ;D  ;)   Remember these incidents are nasty and unfortunate, but they protect us all from greater woes. There is something positive in everything that goes wrong initially.  ;D

polonus

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48819
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: CCleaner Malware Incident
« Reply #41 on: September 22, 2017, 04:00:25 PM »
> Hi Cluster-Lizard,
>
> When you have a payload on your low-end C2 server, like Piriform had, and no one from the outside makes you aware of it, you are quite blind to it. The only thing is why Avast did not do proper release management, and when they did, the question is when they realized they had acquired trojaned software, it being wrought by an extra renowned l33t, very sophisticated state hacker group like Axiom or Group 72.
>
> All very unfortunate. The latest version of CCleaner has now been checked by all of the AV world and the kitchen sink, so to speak, so if anything can be trusted it is that very download now.  ;D ;)   Remember these incidents are nasty and unfortunate, but they protect us all from greater woes. There is something positive in everything that goes wrong initially.  ;D
>
> polonus

You might say that the last release of CCleaner is the safest version ever released. It's fortunate to have received free health care since it's been under everyone's microscope. :)

Offline 1234ava

  • Full Member
  • ***
  • Posts: 161
Re: CCleaner Malware Incident
« Reply #42 on: September 22, 2017, 05:04:00 PM »
Agreed. There's no place safer than the bank the day after the robbery.
In other words, I am still going to use CCleaner and other Piriform products. I just hope they find the culprit (was it an inside job? or, where did the malware come from?) so they can stop it for good.

But, more in general, the CCleaner malware incident makes me wonder: how can I keep my Windows PC safe in a world where even software houses are compromised? It's not the first time and it won't be the last.

So far, my anti-malware approach has included the following:
1. only download from developer/trusted sites,
2. always multi-scan new software before install, no matter how "trusted" the developer,
3. watch out for strange behaviors,
4. keep Windows and other programs "happy" (updated against vulnerabilities),
5. run real-time AV, use a firewall, set UAC to the max, stay behind a router whenever possible,
6. disable scripting and stuff like Flash and Java unless on a case-by-case basis,
7. keep 1-2 months' backup of everything on external disks,
8. store sensitive data on offline/encrypted drives,
9. disable Windows autoplay,
10. keep myself informed about ongoing threats.
I won't mention the obvious like not clicking any mail attachment, not downloading pirated software, avoiding shady web sites, not logging on to Windows using the administrative account unless strictly necessary.

Looks like all that was not enough, because:
A. I did not check updates, especially automatic updates,
and
B. even if I checked updates, in a case like CCleaner's the malware went undetected for a month. The same could happen to any other software company.

So, where does all this leave us now?
« Last Edit: September 22, 2017, 05:09:32 PM by 1234ava »

Offline 1234ava

  • Full Member
  • ***
  • Posts: 161
Re: CCleaner Malware Incident
« Reply #43 on: September 22, 2017, 05:25:59 PM »
According to posts #133, #134 and #135 on Piriform forum
https://forum.piriform.com/index.php?showtopic=48869&page=7
CCleaner malware could have behaved differently on Windows 7 64-bit than on Windows 10 64-bit.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34047
  • malware fighter
Re: CCleaner Malware Incident
« Reply #44 on: September 22, 2017, 05:39:58 PM »
Always check on your downloads with this little free tool: http://www.winmd5.com/

pol

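The same check can be done with what Windows already ships, without a separate tool. Below is an added example, not code from this thread or from WinMD5, that compares a download against the hash the vendor publishes and then inspects its Authenticode signature; the file name and the expected hash are placeholders, and SHA-256 is the default since it should be preferred over MD5 wherever the vendor publishes it:

```powershell
# Added example, not code from this thread or from the WinMD5 tool: verify a
# downloaded installer against the hash the vendor publishes, then check its
# Authenticode signature. The file name and expected hash below are placeholders.

function Test-DownloadIntegrity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedHash,
        # Default to SHA-256; MD5 is accepted only because some vendors still publish it.
        [ValidateSet('MD5', 'SHA1', 'SHA256')][string]$Algorithm = 'SHA256'
    )

    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
    $expected = ($ExpectedHash -replace '\s', '').ToUpperInvariant()
    $sig      = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        File            = Split-Path -Leaf $Path
        Algorithm       = $Algorithm
        HashMatches     = ($actual -eq $expected)
        ActualHash      = $actual
        SignatureStatus = $sig.Status       # Valid, NotSigned, HashMismatch, ...
        Signer          = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null })
        Timestamped     = [bool]$sig.TimeStamperCertificate
    }
}

# Placeholders: substitute the real download path and the hash shown on the vendor page.
$result = Test-DownloadIntegrity -Path "$env:USERPROFILE\Downloads\installer.exe" `
                                 -ExpectedHash '<SHA256 published by the vendor>'
$result | Format-List

if (-not $result.HashMatches -or $result.SignatureStatus -ne 'Valid') {
    Write-Warning 'Do not run this file: hash or signature check failed.'
}
```

A matching hash and a valid signature tell you the file is the one the vendor shipped, which catches substitution on a mirror or in transit. They cannot tell you whether what the vendor shipped was clean, which is exactly the situation this thread describes: an update downloaded straight from the originator. That is why point B in the list earlier in the thread still stands even with this check in place.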