Malware found in official CCleaner installers

Entreri

Level 7
Verified
May 25, 2015
342
Second-stage malware could have infected hundreds of corporations.

I wonder if the malware is from North Korea, instead of China. I have seen plenty of documentaries on NK and noticed they use old software. Why execute in old 32 bit systems? Targets include Samsung and Sony.

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
> Thanks @paulderdash
> I hope you are right.
> My problem is that I do not have a copy of my PC before 15/08/2017 :(

Neither do I. Normally I would have had, but my imaging program scheduler screwed up.

I have a highly customised setup, so the thought of a clean install makes me tired already :).

I don't believe Average Joes were the target, but if they were, either of these solutions is closing the stable door after the horse has bolted.

I am not too concerned. I just updated to CCleaner 5.35; that program will be pretty safe right now with all this scrutiny.

Suggestion: If you are doing a clean install of Windows, maybe do it when the Fall Creators Update comes out on October 17.

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
I can't believe that they did an analysis of Blackhat Command Server uptime in the hope of determining who was responsible. As if a government sponsored group does not have listening posts elsewhere in the World (Dear Lord KMN).

Blackhat Rule #57: never use a server that can identify you.

Avast: leave the analysis to Mandiant.

LASER_oneXM

Level 37
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Several PCs in 12 big technology companies were infected by the so-called "advanced second-stage payload"... Attackers had hoped to infect an additional 13 organizations.

Source: CCleaner backdoor infecting millions delivered mystery payload to 40 PCs

> At least 40 PCs infected by a backdoored version of the CCleaner disk-maintenance utility received an advanced second-stage payload that researchers are still scrambling to understand, officials from CCleaner's parent company said.
>
> The 40 PCs, belonging to 12 technology companies, including Samsung, Asus, Fujitsu, Sony and Intel, are double the number previously known to have received the advanced follow-on infection. They still represent a minuscule percentage—more precisely, about 0.0018 percent—of the 2.27 million PCs that downloaded the booby-trapped CCleaner update. Avast notified most of the companies that received the stage-two malware and was attempting to contact the remaining victims.
>
> The stage-two payload is a relatively complex piece of malware that used a completely different set of command-and-control servers. The code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. Researchers from Cisco Systems' Talos Group have said the malware contains a "fileless" third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. Since the middle of last week, researchers have been working to reverse-engineer the payload to understand precisely what it does on infected networks.
>
> The complete list of hosting computers that received the mystery payload includes:
>
> [image: list of the organizations whose PCs received the stage-two payload]
>
> While only 12 organizations received the follow-on malware, attackers had hoped to infect an additional 13 organizations. The stage-one malware examined the domains of all 2.27 million infected PCs. It surreptitiously collected a variety of data from each one, including all installed programs, all running processes, the operating-system version, hardware information, whether the user had administrative rights, and the hostname and domain name associated with the system. If the computers were hosted inside one of the 25 targeted networks, the attackers would attempt to infect them with stage two. The list of 13 companies that were targeted but not successfully infected with stage two is below:
>
> [image: list of the 13 targeted organizations that did not receive stage two]
>
> The tentative conclusion to be drawn from the newly available information is that the vast majority of people who installed the backdoored CCleaner version probably dodged a potentially serious bullet. Out of an abundance of caution, enterprises—including the 540 government agencies Talos said hosted stage one-infected PCs—should reimage their machines, as should consumers who have the backups and expertise to do so or who can afford to hire a professional to do it for them. Reimaging is a much more thorough response than simply running an AV scan, which can often fail to detect infections. Unless new facts come to light, consumers who don't have these resources are probably OK not reimaging their computers.
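The article quoted in the post above describes what stage one collected from every infected PC (hostname, domain, installed programs) and says stage two was only attempted on hosts inside the targeted networks, while recommending that enterprises reimage affected machines. The script below is an added example, not code from the thread, from Avast or from Talos: it triages a software-inventory export of the kind most endpoint agents already produce, queues every host carrying an affected CCleaner build for reimaging, and puts hosts whose domain appears on the published target list first, since those are the ones where a stage-two delivery may have followed. The CSV layout, the affected-version string and the target domain are constructed placeholders; the real affected versions come from the vendor advisory and the real domain list from the Talos write-up.

```python
"""Triage a host inventory for the backdoored CCleaner build.

Added example (not from the thread, Avast or Talos). Assumes a CSV export
with the columns below; the version and domain values are constructed
placeholders to be replaced with the vendor's and Talos's published lists.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export. The fields mirror what the stage-one backdoor
# harvested from each machine: hostname, domain and installed programs.
SAMPLE_INVENTORY = """hostname,domain,program,version
ws-001,corp.example,CCleaner,5.33.0000
ws-001,corp.example,7-Zip,16.04
ws-002,corp.example,CCleaner,5.35.0000
ws-003,lab.example,CCleaner,5.33.0000
ws-004,corp.example,Notepad++,7.5
"""

# Placeholders (constructed): fill from the vendor advisory and the Talos
# target list before running this against a real inventory.
AFFECTED_VERSIONS = {"5.33.0000"}
TARGETED_DOMAINS = {"lab.example"}


@dataclass(frozen=True)
class Finding:
    hostname: str
    domain: str
    action: str   # "reimage-urgent", "reimage" or "ok"
    reason: str


def parse_inventory(text):
    """Read the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, affected_versions=AFFECTED_VERSIONS,
           targeted_domains=TARGETED_DOMAINS):
    """Return one Finding per host, ordered by hostname.

    A host with an affected build installed had stage one run on it, which
    by itself justifies a reimage. If its domain is on the target list, the
    attackers attempted stage two there, so that host goes to the front.
    """
    hosts = {}
    for row in rows:
        key = (row["hostname"], row["domain"].lower())
        hosts.setdefault(key, []).append(row)

    findings = []
    for (hostname, domain), programs in sorted(hosts.items()):
        affected = [p for p in programs
                    if p["program"] == "CCleaner"
                    and p["version"] in affected_versions]
        if not affected:
            findings.append(Finding(hostname, domain, "ok",
                                    "no affected CCleaner build installed"))
        elif domain in targeted_domains:
            findings.append(Finding(hostname, domain, "reimage-urgent",
                                    "affected build on a domain from the "
                                    "stage-two target list"))
        else:
            findings.append(Finding(hostname, domain, "reimage",
                                    "affected build installed; stage one "
                                    "ran and reported system data"))
    return findings


def actions_by_host(findings):
    """Collapse findings to a hostname -> action map for reporting."""
    return {f.hostname: f.action for f in findings}


if __name__ == "__main__":
    for f in triage(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{f.hostname:8} {f.domain:14} {f.action:15} {f.reason}")
```

The version match is exact on purpose: a host that has since updated to a clean build still had stage one run on it, so the inventory should be the one taken at the time of the incident, not the current one.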

Marko :)

Level 23
Verified
Top Poster
Well-known
Aug 12, 2015
1,263
Hello,
I'm not sure about the interest of this event :unsure:
I have a new laptop and I'm trying ESET IS on it; when I download the latest CCleaner installer, ESET blocks it :whistle:
[attachment 174043: screenshot of the ESET alert]
ESET flagged the CCleaner installer as a PUP (potentially unwanted program) because it comes with some offers.

If you read the alert, you can see that ESET classifies the installer as Win32/Bundled.Toolbar.Google.D, which means it comes bundled with some Google product.

I'd recommend using the portable version of CCleaner because you don't have to install it and it does not contain any bundled software. There used to be a Slim version of CCleaner (an installer without bundled software) but I can't find it right now.

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
I use CCleaner regularly. No PUP flags by Norton Security, Heimdal Pro & Malwarebytes Pro. Well, if it is a PUP & one that gets past these programs they deserve to be thrown into the dustbin!! But jokes aside, these are probably false positives.

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
> I use CCleaner regularly. No PUP flags by Norton Security, Heimdal Pro & Malwarebytes Pro. Well, if it is a PUP & one that gets past these programs they deserve to be thrown into the dustbin!! But jokes aside, these are probably false positives.

Those detections from ESET are not false positives. The detection is for the bundled PUP, not CCleaner itself. But, because the CCleaner installer itself is bundled with a PUP, ESET detects the whole CCleaner installer. :)

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
ESET has been detecting CCleaner for a long time. But that was for the PUPs; now I don't know why Comodo and Emsisoft detected it too. :unsure:
I have installed CCleaner and Emsisoft does not detect anything. According to cruelsister, Comodo has removed it from the list of trusted providers, and on VT only ESET detects it. Now I'm a little calmer.
Off-Topic - CCleaner 5.37 - Do you trust it 100%?
Antivirus scan for 54e4512e0bf7c8359b883d814b1a8ba587f67e62f7b07be496fccda79fd75f2d at 2017-11-22 00:11:35 UTC - VirusTotal :)

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,141
> I have installed CCleaner and Emsisoft does not detect anything. According to cruelsister, Comodo has removed it from the list of trusted providers, and on VT only ESET detects it. Now I'm a little calmer.
> Off-Topic - CCleaner 5.37 - Do you trust it 100%?
> Antivirus scan for 54e4512e0bf7c8359b883d814b1a8ba587f67e62f7b07be496fccda79fd75f2d at 2017-11-22 00:11:35 UTC - VirusTotal :)

You are right. My EAM does not detect anything peculiar for the portable CCleaner either.

spaceoctopus

Level 16
Verified
Top Poster
Content Creator
Well-known
Jul 13, 2014
766
This detection has been there for a very long time now. :) Just remove it with ESET, or during installation do not select the option to install the toolbar. ESET is aggressive with PUPs, and sometimes it can cause a bit of anxiety if you're not used to it ;)

It's the same with Auslogics products. Try to install, for example, their pro defrag software; ESET doesn't like Auslogics at all. Some other products, on the other hand, detect nothing.

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
> Those detections from ESET are not false positives. The detection is for the bundled PUP, not CCleaner itself. But, because the CCleaner installer itself is bundled with a PUP, ESET detects the whole CCleaner installer. :)

Thing is, I never get an alert even when I am installing CCleaner or an update. My installer copies are old and were a direct download after I purchased a license, so I rely on the update channel to keep my copy (x64) current. Also, there's no offer to install a toolbar or any 3rd party utility.

So, what exactly does ESET detect as a PUP within the installer? If this is an ESET specific red flag/issue and no other AV or AM detects CCleaner and/or its installer contents as a PUP then to me it seems like ESET is flagging up a false positive.

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
> Thing is, I never get an alert even when I am installing CCleaner or an update. My installer copies are old and were a direct download after I purchased a license, so I rely on the update channel to keep my copy (x64) current. Also, there's no offer to install a toolbar or any 3rd party utility.
>
> So, what exactly does ESET detect as a PUP/PUA within the installer? If this is an ESET specific red flag/issue and no other AV or AM detects CCleaner and/or its installer contents as a PUP then to me it seems like ESET is flagging up a false positive.
It's already well-known that the standard CCleaner installer has a bundled application (Google toolbar), which some would consider as PUP/PUA. Why do you think Piriform also offers a "Slim" version of CCleaner? :)

The detection is about a PUP, not malware. So you would expect that not all AVs would flag it. The detection now depends on the AV company. ESET has been flagging CCleaner Standard for a long time. For ESET, the bundled application (Google Toolbar) is a PUP. But for other AVs, it's not. :)

I also use CCleaner. But I'm impatient for the Slim version, so I usually download and install the Standard version. I use Kaspersky, and it's not detecting the bundled application. :)

conceptualclarity

Level 21
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,076
Hello Malware Tips pals. I was away when this happened. I don't have to go through 13 pages of discussion. Could somebody catch me up?

[OOPS--a preliminary draft posted!]

I want to know just who were all the true heroes in this matter. (Obviously I don't include ClamAV doing its usual meaningless ritual of flagging everything.)

How did a wretched episode like this come about? How tainted do people feel Avast is by this?

I've had a long practice of running all my downloads past VirusTotal. Would that have helped here?

> ESET flagged the CCleaner installer as a PUP (potentially unwanted program) because it comes with some offers.
>
> If you read the alert, you can see that ESET classifies the installer as Win32/Bundled.Toolbar.Google.D, which means it comes bundled with some Google product.
>
> I'd recommend using the portable version of CCleaner because you don't have to install it and it does not contain any bundled software. There used to be a Slim version of CCleaner (an installer without bundled software) but I can't find it right now.

I've been downloading and installing CCleaner regular installer updates for years without ever encountering any piggyback programs, despite what ESET has been saying.

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
270
> It's already well-known that the standard CCleaner installer has a bundled application (Google toolbar), which some would consider as PUP/PUA. Why do you think Piriform also offers a "Slim" version of CCleaner? :) The detection is about PUP, not malware. So, you would expect that not all AVs would flag it.

Ah! Now that explains why. My installer does not include the Google Toolbar. :) So naturally no red/yellow flags by an AV/AM. But I do agree it may be considered a PUP not only by an AV company but by some users too.