CCleaner malware distribution. I got the jackpot!

Nuno

Level 2
Thread author
Feb 26, 2016
98
Well, apparently I got this lovely thing on my desktop today:

First, I really cannot understand how someone can inject code into an executable without changing its signature and certificate. I really cannot understand. So if anybody can explain that to me, I love learning new things and I really would like to know.

Second, I had been experiencing some weird things occurring for the past week or two. My Windows Store broke; it uninstalled itself. And with it, every piece of software associated with it broke too. Like, for example, Outlook, which has quite some sensitive information in my Microsoft university account. Also, from time to time, my timestamp would change to 8:00 something of the actual day we were on, despite it being on auto. I'd have to manually configure it. I'm not sure if it's to do with this, but it's somewhat likely that it does.
If you're experiencing some similar symptoms, an hour change or Windows Store uninstall, you might want to check your CCleaner install date.

Third and even more severe, I don't even know how I got it. My machine had CCleaner installed, but I was 6 months out of my country (since February 10) and I haven't used CCleaner (and I am sure of it) since at least January of this year.
And further than that, I revoked its rights to auto-update, like I do for every other piece of software, and I revoked its rights to start up on boot on the day I installed CCleaner (more than half a year ago at least). And I just checked this: it's still disabled from booting with Windows.
Well, I am the owner and only user of the machine and I still got the newer version auto-installed! How?? I have absolutely no idea!
This was my semi-rant post, I am quite upset with all of this, extremely upset with Avast for everything.

If there is someone from the Avast team around, I'd love to hear what you have to say about this.

Slyguy

Level 44
Jan 27, 2017
3,319
I've been whispering to friends that this is bigger than people think. If you are correct, then this may be evidence of that.

Thankfully, I cancelled my Agomo/CCleaner Cloud account back in June, and since then have formatted and reinstalled every desktop/laptop in the home so I am not impacted by this. But I still feel it is bigger than they claim.

Nuno

Level 2
Thread author
Feb 26, 2016
98
Which means older versions of CCleaner may have had the same issue, hmmmm, oh my.
Maybe they changed something to enable auto-updates in previous versions without having the Pro version, I am not sure. But I don't believe they had the malware injected.

Here is what Avast says about this (Vik, Global Moderator):
CCleaner and installing Avast without permission...
I've just checked it out. I'm not trying to doubt the guy, but if Piriform was in the process of being hacked, and assuming the digital certificate/signatures were changed by the hackers to achieve the injection, why didn't Avast secure them before? Why didn't they take the measures before if they already knew about it?
With that being said, it is true that Avast acted very quickly when it seemed to have gotten too late. The process of code injection and certificate forging/changing seems like quite a difficult task. Delivering the payload through the already-done process seemed like the easy part for the bad guys. And apparently that didn't happen, according to Avast, thankfully.

Slyguy

Level 44
Jan 27, 2017
3,319
I've banned Piriform products from my network. I can't risk someone in this household installing that product after this fiasco.

If you have a UTM/NGFW with Application Control on your network, you can see if it already has a signature for CCleaner. If it does, set it to block. If it doesn't, create a DLP fingerprint of their product and ban it. Barring that, add their IP addresses/domains to your blacklist.

s1.pir.fm
www.piriform.com
service.piriform.com
license.piriform.com

Use wildcards where appropriate, such as: *pir.fm
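As an added example (not from the post above or from any vendor), here is how the four blocklist entries, including the wildcard one, can be applied to resolver logs to find hosts that queried them. The log format is constructed for this example, and the wildcard is matched on a label boundary so that a name like "notpir.fm" does not count as a hit.

```python
from typing import List, Tuple

# Blocklist exactly as given in the post; "*pir.fm" is the wildcard entry.
BLOCKLIST = ["*pir.fm", "www.piriform.com", "service.piriform.com", "license.piriform.com"]

# Constructed sample resolver log (hypothetical format: timestamp client "query" type name).
SAMPLE_LOG = """\
2017-09-19T17:21:28Z 10.0.0.12 query A s1.pir.fm
2017-09-19T17:21:30Z 10.0.0.12 query A license.piriform.com
2017-09-19T17:22:01Z 10.0.0.7 query A cdn.pir.fm
2017-09-19T17:22:05Z 10.0.0.7 query A example.org
2017-09-19T17:22:09Z 10.0.0.9 query A notpir.fm
2017-09-19T17:22:11Z 10.0.0.9 query A piriform.com
"""


def matches(host: str, entry: str) -> bool:
    """True if a queried host name is covered by one blocklist entry."""
    host = host.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("*"):
        suffix = entry[1:].lstrip(".")
        # Wildcard: the apex itself or any subdomain, but only on a label
        # boundary, so "*pir.fm" covers "s1.pir.fm" and not "notpir.fm".
        return host == suffix or host.endswith("." + suffix)
    # Plain entry: exact host only; subdomains are not implied.
    return host == entry


def blocked_queries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, host, matched_entry) for every query hitting the blocklist."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "query":
            continue  # skip malformed or non-query lines
        client, host = fields[1], fields[-1]
        for entry in BLOCKLIST:
            if matches(host, entry):
                hits.append((client, host, entry))
                break  # one report per query line
    return hits


if __name__ == "__main__":
    for client, host, entry in blocked_queries(SAMPLE_LOG):
        print(f"{client} queried {host} (matched {entry})")
```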