[Shambles]

Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users.

Downloaded CCleaner lately? Oo, awks... it was stuffed with malware ? The Register

[CraigB]

I've been watching all this unravel over the last few days, investigations are pointing to a possible insider security breech.
Reply from Piriform Piriform - Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users 

The full coverage Full coverage - Google News

[CraigB]

If you are on a 32 bit system and concerned then uninstall CCleaner and navigate to regedit (Registry) and search for this leftover key HKLM\SOFTWARE\Piriform\Agomo and delete.

Malwarebytes will detect and remove the infection " Tojan.nyetya>  Malware   downloads\ccsetup553.exe "  Avast still hasn't added the detection

You can safely install the latest 5.34.6207 CCleaner - Builds

Remember to do a custom install and untick boxes not required or you might end up with Avast and Google Chrome installed

[Dazzler]

Jeepers! Thanks for the heads up.. I better check my versions etc.. 

Edit: Looks all ok here. 

[Dazzler]

I had that dodgy version on my main PC, but it is a 64 bit system. I just updated to the latest version and am doing a malwarebytes scan just in case...

[CraigB]

Should all be fine on the 64bit system Dazz, installing the new version over the top is all that's required there👍

[Dazzler]

Should all be fine on the 64bit system Dazz, installing the new version over the top is all that's required there👍

 

[CraigB]

Latest report by Vlk at Avast

Guys,

I just had a chance to read this thread and I'm a bit horrified as I think that there's quite some misconception about what actually went on.

First of all, the bottom line is: to the best of our knowledge, no harm was done to any CCleaner users as the threat was removed before it had a chance to fully activate.
This is really not about downplaying the issue. This is a statement based on a pretty thorough analysis, partially shared below and partially still embargoed because of the ongoing investigation.

Now, some facts:
- Avast acquired a company (Piriform) which was in the process of being hacked. We have good evidence that the attack started at least several weeks before the acquisition.
- Immediately after we first learned about something wrong with the CCleaner product (which was on September 12, i.e. 6 days ago) we started working on it and have been working on it around the clock since then.
- The #1 priority for us was to protect the CCleaner customers and minimize the actual customer impact of the incident.
- For that reason, we first focused on fully understanding the malicious code and disconnecting the bad actors from their ability to control the backdoor, i.e. taking down the CnC servers.
- The CnC server was taken down on September 15, three days after we first learned about the incident. Given how difficult these things tend to be, we consider this a very good result and I don't see how we could have done it any better. (By that time, the secondary CnC servers (the DGA domains) were already sinkholed as well, so that technically cut the attackers off their ability to control the backdoor).

At the same time, we wanted to understand whether the second stage payload could have already activated before the threat was discovered. Now, the good thing is that about 30% of CCleaner users also run Avast security software, which allowed us to analyze behavioral, traffic and file/registry data from those machines.  Based on this analysis, we can say with high confidence that to the best of our knowledge, the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary itself. We also asked our colleagues from other security companies, but haven't heard anyone seeing anything suspicious either. And that's great news, as it means that despite the high sophistication of the attack, we managed to disarm the system before it was able to do any harm. To that end, we don't consider the advice to reformat and/or restore the affected machines to the pre-August 15 state to be based on facts (by similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer, just because there was a hypothetical possibility that something might have gotten in).

BTW, I have to say I was quite disappointed by the approach taken by the Cisco Talos team who appears to be trying to use information about this incident to drive marketing activities and piggyback on the case to increase the visibility of their upcoming product. And, I should probably also say that it wasn't Cisco who first notified us about the problem. The threat was first discovered and reported to us by researchers in a security company called Morphisec (thank you!). The threat was real, but to the best of our knowledge, it was fortunately mitigated before it could do any harm.

We plan to be issuing more communication about this as we go. This is a very unfortunate incident and of course, it's in our highest interest to properly investigate the issue and make sure it never happens again. Unfortunately, as you can imagine, the security measures in small companies are usually not up to the standard and that's a big lesson for us in terms of what to look for in case of future acquisitions.

Thanks,
Vlk

[andsome]

All very disconcerting.  We rely on these companies to be absolutely scrupulous before snding stuff out.

[CraigB]

All very disconcerting.  We rely on these companies to be absolutely scrupulous before snding stuff out.

Like mentioned the second payload didn't eventuate as Avast had the server pulled down before malicious activity took place, the bigger worry is Symantec releasing a signed certificate which had been modified.

[CraigB]

Further comments from Avasts CEO https://blog.avast.com/update-to-the-ccleaner-5.33.1612-security-incident

[CraigB]

Updated CCleaner 5.35.6210 with new digital signature CCleaner - Builds

Use the slim build if you don't want added extras

[The Gonz]

I just checked and I have the 64-bit version.

[CraigB]

I just checked and I have the 64-bit version.

The pressure was off for me too, I don’t know anyone with a 32bit system these days

[andsome]

I have had notification this morning of a new version ready for download.

[CraigB]

I have had notification this morning of a new version ready for download.

See reply 11

[andsome]

I already have that version

[CraigB]

I already have that version

Yes, because it’s the lastest version as I’d already posted 

[Shambles]

More digging = more dirt...


CCleaner targeted top tech companies in attempt to lift IP ? The Register

[andsome]

I have 5.34.6207. The version I have been advised to download this morning is 5.35.6210.
I don't know why I have only just received this notification.

[CraigB]

I have 5.34.6207. The version I have been advised to download this morning is 5.35.6210.
I don't know why I have only just received this notification.

It was only released 1 day ago

[andsome]

I have just tried to download and install it ,but it would not install. I uninstalled the originaland downloaded it again and still it would not install. I deleted all references to it in the registry and still it won't install.  Any ideas anyone?

[CraigB]

I have just tried to download and install it ,but it would not install. I uninstalled the originaland downloaded it again and still it would not install. I deleted all references to it in the registry and still it won't install.  Any ideas anyone?

Which one are you trying to install, try the slim version here CCleaner - Builds I just re-downloaded it and it installs fine.

[andsome]

That won't install either, I will try a system restore

[CraigB]

That won't install either, I will try a system restore

You could also try right clicking the file and choose Run as Administrator, not sure if it'll help though

[CraigB]

Progress on CCleaner Investigation https://blog.avast.com/progress-on-ccleaner-investigation

[CraigB]

It's now been revealed the stage 2 installer is GeeSetup_x86.dll. It checks the version of the operating system and plants a 32bit or 64bit version of the Trojan on the system based on the check.

Further REG keys have been found relating to systems that received the second payload

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

[andsome]

C Cleaner completely fouled everything up. I must have had the nasty. The system restore did not work, so I had to put a mirror image on and than do all my updates again.  All is running OK now including C Cleaner.

[Dazzler]

C Cleaner completely fouled everything up. I must have had the nasty. The system restore did not work, so I had to put a mirror image on and than do all my updates again.  All is running OK now including C Cleaner.

Well done! Not an easy job.

[AlanHo]

It's a good job you have a sensible back-up regime.

I had to use Acronis to restore My C drive last week - but it was not related to Cleaner.

I have Microsoft Office Pro 2016 installed on the computer - not the Cloud version - and after I booted the computer one morning Outlook would not open. I got some garbled error message about network resources. I then noticed that the Icons for Word, Outlook and Excel in the task bar had changed to just rectangular squares. Clicking on those failed to open the programme.

I then tried to open each from the exe file in the Programs folder - those too failed.

So I carried out a repair of Office. This too failed.

I then decided to restore my Acronis 2016 back-up dated 9th Sept.  The computer failed to boot from the Acronis emergency disc - which was resolved after I amended the boot order in the computer BIOS.

When Acronis booted the computer and I tried selecting the required back-up file - it didn't show in the list of back-ups.

By now I am getting very frustrated. The back-up was showing in File explorer but was not appearing in Acronis.

After further fiddling - I managed to get Acronis to find it - I can't recall how, after trying various things - and the restore was completed OK and MS Office was back to normal.

Acronis used to be user friendly - I have used it since when it was called True Image in about 2005. It was easy to use and a doddle to do back-ups and restores.

I now find the interface somewhat confusing and last year tried using Eusus ToDo back-up. It proved to be easy to use but the first time I tried a test restore it went tits up and I had to use Acronis to get the computer working again.

So - although Acronis frustrates me - it's the devil I know (or thought I did)