CCleaner Malware

      #11823
      Ed P
      @edps

      If you downloaded CCleaner recently BEWARE! If you have not run it yet then delete it, if you have then do an offline scan of your PC. I said offline scan as many root-kits have defensive routines that disable A/V programs.

      More info here.

      #11825
      Alan Wood
        @alanrwood

        Tom at Piriform has posted this, which contradicts the info that you have posted regarding update.

        Hi all,


        The only version affected is the 32-bit binary of CCleaner v5.33.6162. It was the application that was the issue, not the installer. If you’re using a 64-bit version of CCleaner, then you’re unaffected although we recommend updating to the latest version. There is also no effect to the Mac or Android versions.

        At this time, we won’t be releasing a detection tool as the issue was in CCleaner itself, so uninstalling or updating the software removes the risk. You can download directly for free from here: http://www.piriform.com/ccleaner/download/standard

        For those interested, the MD5 hash of the affected CCleaner.exe is: ef694b89ad7addb9a16bb6f26f1efaf7

        Thanks – Tom
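
Added example, not part of the thread or of Piriform's post: a Python check of an executable against the two indicators quoted above, the MD5 of the affected CCleaner.exe and the fact that only the 32-bit binary was affected. The function names and the stub bytes used as sample input are constructed for illustration.

```python
import hashlib
import struct
import sys

# MD5 of the affected 32-bit CCleaner.exe (v5.33.6162), as quoted in the post above.
AFFECTED_MD5 = {"ef694b89ad7addb9a16bb6f26f1efaf7"}
IMAGE_FILE_MACHINE_I386 = 0x014C    # PE "Machine" value for 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664   # PE "Machine" value for 64-bit x86

def pe_machine(data):
    """Return the COFF Machine field of a PE image, or None if this is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew: offset of the PE header
    if pe_off + 6 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return machine

def check_binary(data, bad_md5=AFFECTED_MD5):
    """Classify one executable's bytes against the indicators from the post."""
    digest = hashlib.md5(data).hexdigest()
    return {
        "md5": digest,
        "is_32bit": pe_machine(data) == IMAGE_FILE_MACHINE_I386,
        "affected": digest in bad_md5,
    }

def make_stub(machine):
    """Constructed sample: the smallest header pe_machine() accepts, not a real program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18

if __name__ == "__main__":
    # Usage: python check_ccleaner.py path\to\CCleaner.exe [more files...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_binary(fh.read()))
```

A hash match identifies only that exact file; a 32-bit result with no match means the file is not the binary named in the post, not that the machine is clean.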

        #11830
        Bob Williams
          @bullstuff2

          I haven’t used CCleaner for at least 5 years, it was news to me that Avast had bought it. I found that I could use Windows itself to do everything that CC did, and also Kaspersky has the “More Tools” tab and functions built into that, to do more. If I find that a programme has been made redundant, I uninstall it.

          Not saying that it is not a fine programme, it is. However, I used it almost from the first version and liked it until I dumped it as no longer needed.

          When the Thought Police arrive at your door, think -
          I'm out.

          #11833
          wasbit
            @wasbit

            I’m of the opposite opinion.

            CCleaner is one of the first programmes that I install on any new PC, whether mine or others, & has been since its early days when it was called Crap Cleaner.

            The cleaner is one that does no harm thus can be used by those not computer savvy, unlike some others where you have to scan every item to be removed diligently.

            The uninstall list populates immediately whilst you have to wait for Windows. No mucking about with MSconfig & having to reboot or trying to remember where to find System Restore. It’s all built in to the GUI of the programme.

            The less said about registry cleaners the better, but if you really must use one, then Eusing Free is the one to go for
            http://www.eusing.com/free_registry_cleaner/registry_cleaner.htm

            I always get CCleaner from the builds page because the installers didn’t carry the additional PUPs. I see the slim build is no longer available but I generally chose the portable version anyway. I also turn off the notifications & use it without any updates.
            https://www.piriform.com/ccleaner/builds

            --
            Regards
            wasbit

            Rig 1: Optiplex 3050 SFF
            Rig 2: Asus ROG G20CB (rebuilt wreck)
            Rig 3: HP Elitebook 8440P

            Dear Starfleet, hate you, hate the Federation, taking Voyager. - Janeway

            #11838
            The Duke
              @sgb101

              Not used it for a few years. It does nothing that you can’t do with Windows.

              I’m sure it was only a few weeks ago we were discussing the merits and/or lack of for CC. It was once on my must list for all PCs. That was a long time ago.

              #11849
              Tippon
                @tippon

                I just tried to open CCleaner to check the version, and Defender stopped it immediately. I updated Defender and ran a scan, then opened CCleaner again. It opened this time and advised me to update straight away. I said yes, and I’m now running the 64-bit version.

                Usual scans going ahead just in case.

                #11855
                wasbit
                  @wasbit

                  What Avast, the new owners, had to say on the matter
                  https://blog.avast.com/update-to-the-ccleaner-5.33.1612-security-incident


                  #11890
                  Ed P
                    @edps

                    Apparently Avast was not telling the whole story. For 95%+ of CCleaner customers what they said was true, but if you are a tech company or someone with valuable IP then you may well have picked up some nasties on your networked system.

                    Another Talos report here.

                    #11895
                    Bob Williams
                      @bullstuff2

                      I read that whole interesting link, Ed. Specifically targeted, high-end Tech companies, leaving “Sleepers” behind to be woken and operated at the attacker’s leisure. Scary, actually. Wonder if the (implied) Chinese connection is true? Whoever it is, they are not amateurs.

                      #11898
                      Ed P
                        @edps

                        I guess we will never know but I found the inclusion of Singapore Telecomms in the list extremely interesting. Not the top-tier hi-tech company that most people would stick on a list together with Intel etc. I’m not meaning to demean Singapore in any way as they have some real cutting-edge top-tier research going on there. However because of their inclusion, I’d dismiss the PRC as the rogue element as there are probably enough dedicated humint PRC sleepers already embedded in most Singapore top-tier companies from my past experience, and the million or so highly educated Chinese immigrants who have since arrived during the last twenty years.

                        #12060
                        wasbit
                          @wasbit

                          Progress on CCleaner Investigation
                          https://blog.avast.com/progress-on-ccleaner-investigation


                          #12079
                          Ed P
                            @edps

                            It looks like Avast has underestimated the numbers of infected computers yet again. Apparently the Malware Server infected so many users that it ran out of disk space and deleted the list of those initially infected.

                            Bleeping Computer

                            I think if you installed CCleaner any time after July this year then a full off-line scan would be a sensible precaution. The early advice on using an off-line scan looks good as the malware does incorporate A/V evasion techniques.

                            A number of A/V companies offer off-line scanning software, some such as Kaspersky call them rescue disks – for example Sophos (probably best not to use Avast in these circumstances!).