CCleaner 5.37 - Do you trust it 100%?

cruelsister

OK- we all already know about CCleaner 5.33 which had a suspicious connection to a server farm in LA known to host malware from time to time. It is so easy to see these things after the fact, we wonder why we weren't the first to report the issue!

So let's look at the current CCleaner version 5.37.6309. After install we notice that CCUpdate will attempt to connect to servers in London as well as a server in Raleigh, North Carolina. However we may also notice that on first run we will get a request from CCleaner.exe to connect to a CloudFlare server (104.31.74.124) in San Francisco, which in the past a certain malicious file also connected to (among quite a few other servers): Antivirus scan for 3d257ff9638b9a5acc9b62a8aab7726351c6e45d3fb293ece5292c7a2e5d3015 at 2017-11-19 13:36:20 UTC - VirusTotal

Should we be concerned? Or am I just screwing with you as I've just had 3 glasses of wine?
(Note: my last work day prior to my annual Winter sabbatical. It's good being me...)


Fun Fact- Comodo has removed PiriForm from its Trusted Vendors List. I really don't know if this matters; those that want CCleaner will allow it to run, and those that don't want CCleaner won't care if PiriForm is Trusted or not...
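The post above is doing, by hand, what a defender would normally script: watch which remote addresses a process talks to and compare them with indicators seen on a known malicious sample. The following Python is an added example written for this thread (it is not code from the post, from Piriform or from VirusTotal). It uses the two indicators the post gives (the CloudFlare address 104.31.74.124 and the SHA-256 of the sample on VirusTotal) as a watchlist, parses a few constructed firewall-style connection log lines, reports any line whose destination is on the watchlist, and shows the matching hash check one would run against the downloaded installer. The log format and the log lines are assumptions made up for the example; a match on a shared CDN address is a reason to look closer, not proof that the binary is bad.

```python
import hashlib
import re
from dataclasses import dataclass

# Indicators quoted from the post above. Treat them as a watchlist, not as a
# verdict: a CloudFlare address is shared by plenty of benign software too.
WATCHLIST_IPS = {"104.31.74.124"}
WATCHLIST_SHA256 = {
    "3d257ff9638b9a5acc9b62a8aab7726351c6e45d3fb293ece5292c7a2e5d3015",
}

# Constructed sample of an outbound-connection log that records the process
# name and the remote socket. The lines and the non-watchlist addresses
# (documentation ranges 192.0.2.0/24 and 198.51.100.0/24) are made up.
SAMPLE_LOG = """\
2017-11-20 09:01:12 ALLOW TCP CCUpdate.exe 10.0.0.5:51234 -> 198.51.100.7:443
2017-11-20 09:01:14 ALLOW TCP CCleaner.exe 10.0.0.5:51236 -> 104.31.74.124:443
2017-11-20 09:02:30 ALLOW TCP firefox.exe 10.0.0.5:51240 -> 192.0.2.44:443
2017-11-20 09:03:01 BLOCK TCP CCleaner.exe 10.0.0.5:51241 -> 104.31.74.124:80
"""

# One line: timestamp, action, protocol, process, local socket, remote socket.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proto>\w+) (?P<proc>\S+) "
    r"(?P<src>\S+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    process: str
    dst_ip: str
    dst_port: int
    action: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_watchlist_hits(log_text, watchlist=WATCHLIST_IPS):
    """Return every parsed line whose destination address is on the watchlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst_ip"] in watchlist:
            hits.append(Hit(rec["ts"], rec["proc"], rec["dst_ip"],
                            int(rec["dst_port"]), rec["action"]))
    return hits


def sha256_hex(data):
    """Hex SHA-256 of a byte string, the same digest VirusTotal keys samples by."""
    return hashlib.sha256(data).hexdigest()


def is_known_bad(data, known=WATCHLIST_SHA256):
    """True if the bytes hash to a digest on the known-bad list."""
    return sha256_hex(data) in known


if __name__ == "__main__":
    for h in find_watchlist_hits(SAMPLE_LOG):
        print(f"{h.timestamp} {h.process} -> {h.dst_ip}:{h.dst_port} ({h.action})")
    # Stand-in bytes; on a real system you would read the downloaded installer.
    stand_in = b"MZ constructed stand-in, not the real installer"
    print("known-bad hash match:", is_known_bad(stand_in))
```

Running it lists the two constructed CCleaner.exe lines that reach 104.31.74.124 and reports no hash match for the stand-in bytes. Pointing `is_known_bad` at the real installer file tells you whether you hold the exact sample from the VirusTotal report, which is the one question the hash can answer; the connection log answers the separate question of which process initiated the contact.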
 

Soulbound

Still using a pre-malware-incident version of CCleaner portable, though I have BleachBit on the side.

I don't always update CCleaner since there is not much need; I am OK with it (if it's not broken, don't fix it...). However, the chances of the new version of CCleaner being yet again replaced like before are rather slim, but since 70% of the users tend to be paranoid, just blocking the connection on the firewall is more than enough.

Alternatively, just download a previous working version (check changelogs) or an alternative to CCleaner, of which there are many floating around.
 

ForgottenSeer 58943

Well, my APT Sandbox Appliance did catch CCleaner back around June. I pulled it off my systems and nixed my Agomo subscription, just in case, but didn't publish or discuss it other than to tell some buddies on Facebook to be aware of the hit. Next time my APT triggers on something fun and interesting I will post it here, so maybe we will catch something cool around here. We did catch the Trend Core Services hijack; that was something sort of new.

Currently I pre-screen with APT/Sandbox every single file coming into my network, with full screening on selected indicators. Surprisingly, only 2 FPs in 3 months: Bullguard's Updater EXE (flagged as high) and the Panda Protection (flagged as low) installer file.

8500 clean files in 30 days with 24 currently processing in the sandbox appliance.

[attached screenshot: sandbox.png]

upnorth

Video Review - The Horror of CCleaner

Was spooked yesterday when I again checked out the video review on v5.33 and saw AV Gurus' reply, so thanks for making it more clear. (y)

I believe Lockdown's comment in that thread kind of sums it up pretty well:
The fundamental issue is not specific to CCleaner.

It doesn't much matter what security software you have installed if it employs the concept of trusting files and processes based upon widely accepted criteria.
 

Overkill

cruelsister said:
[quotes the opening post of this thread in full]
This is just for x86, right? x64 doesn't have any malware problems, right?
 

Lightning_Brian

Wowzers! Well, this indeed is bad news... Well, off to find many others, including myself, a new great cleaner! Wise Care 365 Pro might be my next stop, or something else. I may consider removing this entirely from my flash drives, which just have the older version of this software in the portable format.

Thanks for the heads up and update @cruelsister! This has me alarmed for good reason!

~Brian
 
