cruelsister

Level 36
Verified
Trusted
Content Creator
OK- we all already know about CCleaner 5.33 which had a suspicious connection to a server farm in LA known to host malware from time to time. It is so easy to see these things after the fact, we wonder why we weren't the first to report the issue!

So let's look at the current CCleaner version 5.37.6309. After install we notice that CCUpdate will attempt to connect to servers in London as well as a server in Raleigh, North Carolina. However we may also notice that on first run we will get a request from CCleaner.exe to connect to a Cloudflare server (104.31.74.124) in San Francisco, which in the past a certain malicious file also connected to (among quite a few other servers): Antivirus scan for 3d257ff9638b9a5acc9b62a8aab7726351c6e45d3fb293ece5292c7a2e5d3015 at 2017-11-19 13:36:20 UTC - VirusTotal

Should we be concerned? Or am I just screwing with you as I've just had 3 glasses of wine?
(Note: my last work day prior to my annual Winter sabbatical. It's good being me...)


Fun Fact- Comodo has removed Piriform from its Trusted Vendors List. I really don't know if this matters; those that want CCleaner will allow it to run, and those that don't want CCleaner won't care if Piriform is Trusted or not...
 

Soulweave

Moderator
Verified
Content Creator
Staff member
Still using a pre-malware incident version of CCleaner portable, though I have BleachBit on the side.

I don't always update CCleaner since there is not much need; I am OK with it (what's not broken, don't fix it...). However, the chances of the new version of CCleaner being yet again replaced like before are rather slim, but since 70% of the users tend to be paranoid, just blocking the connection on the firewall is more than enough.

Alternatively, just download a previous working version (check changelogs) or an alternative to CCleaner, of which there are many floating around.
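For anyone who wants to take the "just block it on the firewall" route, here is an added example script (not from this thread or from Piriform) that creates outbound block rules in Windows Defender Firewall for the CCleaner binaries and then lists the rules so you can confirm they took. It assumes the default install directory and the binary names CCleaner.exe, CCleaner64.exe and CCUpdate.exe; run it from an elevated PowerShell.

```powershell
# Added example: block outbound traffic from CCleaner binaries and verify.
# Assumed default install location; adjust if CCleaner lives elsewhere.
$ccDir = 'C:\Program Files\CCleaner'
# Assumed binary names (CCUpdate.exe is the updater named in the thread).
$binaries = @('CCleaner.exe', 'CCleaner64.exe', 'CCUpdate.exe')

foreach ($bin in $binaries) {
    $path = Join-Path $ccDir $bin
    if (-not (Test-Path $path)) {
        Write-Warning "Not found, skipping: $path"
        continue
    }

    # Print the SHA256 so it can be looked up on VirusTotal by hand.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    Write-Host "$bin SHA256: $hash"

    $ruleName = "Block outbound - $bin"
    # Idempotent: only create the rule if it does not already exist.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName `
                            -Direction Outbound `
                            -Program $path `
                            -Action Block `
                            -Profile Any | Out-Null
        Write-Host "Created rule: $ruleName"
    } else {
        Write-Host "Rule already present: $ruleName"
    }
}

# Verification: show every block rule created above together with the
# program path it applies to.
Get-NetFirewallRule -DisplayName 'Block outbound - *' |
    ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        [PSCustomObject]@{ Rule = $_.DisplayName; Enabled = $_.Enabled; Action = $_.Action; Program = $prog }
    } | Format-Table -AutoSize
```

Remove the rules later with Remove-NetFirewallRule -DisplayName 'Block outbound - *' if you decide you trust a newer build.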
 

Slyguy

Level 42
Verified
Well my APT Sandbox Appliance did catch CCleaner back around June. I pulled it off my systems and nixed my Agomo subscription - just in case but didn't publish or discuss it other than to tell some buddies on Facebook to be aware of the hit. Next time my APT triggers on something fun and interesting I will post it here so maybe we will catch something cool around here. We did catch Trend Core Services hijack, that was something sort of new.

Currently I pre-screen APT/Sandbox every single file coming into my network with full screening on selected indicators. Surprisingly, only 2 FPs in 3 months: Bullguard's Updater EXE (flagged as high) and Panda Protection (flagged as low) installer file.

8500 clean files in 30 days with 24 currently processing in the sandbox appliance.

 

upnorth

Level 34
Verified
Trusted
Content Creator
Video Review - The Horror of CCleaner

Was spooked yesterday when I again checked out the video review on v5.33 and saw AV Gurus' reply, so thanks for making it more clear. (y)

I believe Lockdown's comment in that thread kind of sums it up pretty well:
The fundamental issue is not specific to CCleaner.

It doesn't much matter what security software you have installed if it employs the concept of trusting files and processes based upon widely accepted criteria.
 

Overkill

Level 31
Verified
Trusted
OK- we all already know about CCleaner 5.33 which had a suspicious connection to a server farm in LA known to host malware from time to time. It is so easy to see these things after the fact, we wonder why we weren't the first to report the issue!

So let's look at the current CCleaner version 5.37.6309. After install we notice that CCUpdate will attempt to connect to servers in London as well as a server in Raleigh, North Carolina. However we may also notice that on first run we will get a request from CCleaner.exe to connect to a Cloudflare server (104.31.74.124) in San Francisco, which in the past a certain malicious file also connected to (among quite a few other servers): Antivirus scan for 3d257ff9638b9a5acc9b62a8aab7726351c6e45d3fb293ece5292c7a2e5d3015 at 2017-11-19 13:36:20 UTC - VirusTotal

Should we be concerned? Or am I just screwing with you as I've just had 3 glasses of wine?
(Note: my last work day prior to my annual Winter sabbatical. It's good being me...)


Fun Fact- Comodo has removed Piriform from its Trusted Vendors List. I really don't know if this matters; those that want CCleaner will allow it to run, and those that don't want CCleaner won't care if Piriform is Trusted or not...
This is just for x86 right? x64 doesn't have any malware problems right?
 

Lightning_Brian

Level 13
Verified
Content Creator
Wowzers! Well, this indeed is bad news... Well, off to find many others including myself a new great cleaner! Wise Care 365 Pro might be my next stop, or something else. I may consider removing this entirely from my flash drives, which just have the older version of this software in the portable format.

Thanks for the heads up and update @cruelsister ! This has me alarmed for good reason!

~Brian