Malware found in official Ccleaner installers

[ispx]

definitely no snake oil here : control panel > system & security > security & maintenance

 

[lowdetection]

If Kaspersky flag this, I'm quite sure it's true.

 

[LASER_oneXM]

I found a short article/how-to about the inection and how to remove it:

CCleaner Malware Incident - What You Need to Know and How to Remove.
.

.....
....
How do I remove it?
The malware was embedded in the CCleaner executable itself. Updating CCleaner to v5.34 removes the old executable and the malware. CCleaner does not have an auto-update system, so users must download and install CCleaner 5.34 manually.

Avast said it already pushed an update to CCleaner Cloud users, and they should be fine. The clean version is CCleaner Cloud 1.07.3214.

Anything else?
The malware executed only if the user was using an admin account. If you use a low-privileged account and installed CCleaner 5.33, you more not affected. Nonetheless, it is recommended that you update to version 5.34.

Why didn't antivirus software catch the infection?
The CCleaner binary that included the malware was signed using a valid digital certificate.

 

[RoboMan]

So i just booted my Windows partition (x64 Win10) and Kaspersky tells me:

I block the access and delete the file, and after a few seconds Kaspersky tells me:

 

[lowdetection]

Would be interesting to see who is $RROXFFY.exe

 

[Venustus]

So i just booted my Windows partition (x64 Win10) and Kaspersky tells me:

I block the access and delete the file, and after a few seconds Kaspersky tells me:

Because KIS deleted the file!

 

[ispx]

What does the malware do?
The malware — named Floxif — collects data from infected computers, such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part.

source : CCleaner Malware Incident - What You Need to Know and How to Remove

all that floxif is doing, ccleaner has been doing all that since years :

https://malwr.com/analysis/Y2M0YTFhNGQwYWYzNDlmZTllN2I0ZGUyOGEyMzFiMjE/

 

[RoboMan]

Because KIS deleted the file!

Yes, i know A bit creepy it is detected as malware when it "shouldn't affect 64-bit systems". Or did i understand wrong?

 

[lowdetection]

You right RoboMan
The attacker added malware to the 32-bit versions of CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191.

The files were available for download between August 15 and September 12.

 

[ispx]

b.t.w., neither avast nor piriform are connected to the kremlin

had this been a company from putinland doing this, god, the backlash from members on MT would have been ten times higher :devil:

 

[Sunshine-boy]

Whats the solution for dig signed malware? We all see even Kasper sky failed! I think that cisco detected it first?
Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk
just look at the address bar!
Cicso saying avast did it do you trust Cicso? I guess they hide this message to the address bar!

 

[shmu26]

Yes, i know A bit creepy it is detected as malware when it "shouldn't affect 64-bit systems". Or did i understand wrong?

The installer has both 32 and 64 version inside it, so there should be a AV detection, even if your system is x64.

 

[shmu26]

Whats the solution for dig signed malware? We all see even Kasper sky failed! I think that cisco detected it first?
Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk

If a company that you know and trust pushes a malicious update, and it is zero-day, there is not very much you can do to protect against it, other than to keep alert for strange activity, like cmd.exe and things like that. But there is no guarantee you will see a sign of malware activity.

 

[509322]

If a company that you know and trust pushes a malicious update, and it is zero-day, there is not very much you can do to protect against it, other than to keep alert for strange activity, like cmd.exe and things like that. But there is no guarantee you will see a sign of malware activity.

When the malware is embedded within the trusted software itself it is unlikely to be detected by signature. Depending upon what the malware does, HIPS\anti-executable\BB\SRP can detect\alert\block actions dependent upon settings and rules.

 

[509322]

It makes complete sense to target CCleaner since it is an immensely popular soft world-wide. Malware\attacks are a numbers game so, generally, the malc0der wants a distribution method that results in the greatest number of compromised machines. The greater the number of infected machines, the greater the probability of nasty success.

 

[Sunshine-boy]

HI Lockdown APPGUARD could block this malware?I mean if you have CCleaner on your machine and at the same time running appguard in the paranoid mode.

 

[lowdetection]

@Lockdown there were more difficulties to target the x64 version, or was only a coincidence the targeted version was the 32 bit version?

 

[Sunshine-boy]

HIPS

I guess Eset hips in paranoid mode can block this.

 

[Plebman123]

I checked mine, and it was v5.24. My strategy of only updating CCleaner once a year has paid off.

Step 1 of not getting backdoored, update slow

 

[509322]

HI Lockdown APPGUARD could block this malware?I mean if you have CCleaner on your machine and at the same time running appguard in the paranoid mode.

It depends upon what the embedded malware does.

If the user installed it to Program Files and the embedded malicious code does not trigger anything suspicious or disallowed, then the likelihood is the same as the current situation where no security softs detected it.

Forget it... there is nothing you can add to your system to protect against this specific situation.

I guess Eset hips in paranoid mode can block this.

No guarantee. It depends upon what the embedded malicious code does. If it does nothing that triggers the HIPS, then it will run.