Malware found in official Ccleaner installers

Kuttz

I downloaded this version and Kaspersky marked it as malware:
[attached screenshot: 000555.png]

The other day I installed Kaspersky Free for a try. After updating it I ran a full system scan and the AV didn't flag any files as malware. Since I have uninstalled Kaspersky and switched back to BD Free, I cannot run that scan again.

Since I still have the problematic Ccleaner533.exe, I have now analysed it through VirusTotal, and the result is shocking indeed:

[VirusTotal report link]

509322

This kind of problem is something to be aware of, and not to freak out about. It is nothing new. Neither is it unique nor even extraordinary.

The best thing to do is to be level-headed and learn as opposed to immediately revising your security config or protection model without thought.
 

Slyguy

This is sort of like the thing discussed in the Hacker Deterrant thread, where I was finding Trend Micro itself hijacked through the update process and sending out remote telemetry.

I've been super busy today, so I haven't looked into this yet, but it seems like this would bypass the security measures people put in place unless by some remote chance they have outbound connectivity for CCleaner blocked, automated updates turned off, OR the server IP blacklisted. All of that seems unlikely, so this potentially turned much of people's security into security theater.

I wouldn't be surprised if it was more than simple hackers behind this, and since the server is in the USA, I would be wondering if the Layer 1 security of that server was compromised. It would be quite an intelligence boon to get access to that many systems.

Ironically, I subscribed to CCleaner cloud up until 3 months ago as part of my effort to reduce the telemetry leaving my network and to close off as much of my threat surface as possible.
 

zzz00m

Before I shut my computer down at the end of the day I like it to clean all the temporary internet files, cache and leftover files from uninstalled programs. I also occasionally use it to manage startup programs and scheduled tasks. So no, I don't expect any magic at all, only to do what it's supposed to do. :)

Yes, exactly!!!
 

R2D2

Read this story a short while back. I had version 5.34 x64 (a perpetual license copy). The executable was undoubtedly updated automatically from 5.32 the last time I ran the program. Have uninstalled CCleaner for now.

Strangely I got a secure boot error yesterday (the very first time) during a cold boot that warned me of changes to some Windows files or the BIOS. The SSD was secure erased and the BIOS reflashed. And then I restored my boot/system drive from a Macrium Reflect image. This backup program has never failed me.
 

zzz00m

the solution now is to keep CCleaner and block all the out/inbound connections of ccleaner and its related processes

As I have done with CCleaner since day one. I only give outbound permission to programs that will not work without it, which seems like a good practice in case something like this ever comes up with a trusted, signed executable.
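The two defensive steps discussed in this thread, fingerprinting the downloaded installer before trusting it and denying CCleaner any network access, can be scripted on Windows. The block below is an added example written for this page, not code from the thread or from the CCleaner project. It assumes an elevated PowerShell prompt on Windows 10, that CCleaner lives under `%ProgramFiles%\CCleaner`, and a hypothetical installer path that you would replace with your own.

```powershell
# Added example (not from the thread). Run as Administrator.
# Assumptions: CCleaner installed under $env:ProgramFiles\CCleaner;
# $installer below is a hypothetical path to the downloaded setup file.
$installer = 'C:\path\to\Ccleaner533.exe'   # placeholder, replace with the real path

# 1. Fingerprint the installer. The SHA-256 is what you compare against the
#    vendor's published hash or look up on VirusTotal without uploading the file.
#    A 'Valid' Authenticode status only proves the publisher's key signed it;
#    as this thread shows, a trusted, signed executable can still be malicious.
if (Test-Path -Path $installer) {
    $hash = Get-FileHash -Path $installer -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -FilePath $installer
    [pscustomobject]@{
        File      = $installer
        SHA256    = $hash.Hash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    } | Format-List
}
else {
    Write-Warning "Installer not found at $installer"
}

# 2. Block inbound and outbound traffic for every CCleaner executable.
#    Outbound is the direction that matters: it stops a hijacked updater or
#    an implant inside the program from contacting its server.
$ccDir = Join-Path -Path $env:ProgramFiles -ChildPath 'CCleaner'
if (Test-Path -Path $ccDir) {
    Get-ChildItem -Path $ccDir -Filter '*.exe' -Recurse | ForEach-Object {
        foreach ($direction in 'Inbound', 'Outbound') {
            New-NetFirewallRule -DisplayName "Block CCleaner $direction - $($_.Name)" `
                -Direction $direction -Action Block -Program $_.FullName `
                -Profile Any -Enabled True | Out-Null
        }
    }
}
else {
    Write-Warning "CCleaner directory not found at $ccDir"
}

# 3. Confirm the rules are in place (wildcard on DisplayName is supported).
Get-NetFirewallRule -DisplayName 'Block CCleaner*' |
    Select-Object -Property DisplayName, Direction, Action, Enabled
```

Windows Defender Firewall evaluates block rules before allow rules, so these take precedence over any existing allow rule for the same binaries; if CCleaner is later reinstalled to a different directory the rules must be recreated, since they are bound to the full executable path.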
 

Bleak

Before I shut my computer down at the end of the day I like it to clean all the temporary internet files, cache and leftover files from uninstalled programs. I also occasionally use it to manage startup programs and scheduled tasks. So no, I don't expect any magic at all, only to do what it's supposed to do. :)
You can easily do these tasks manually; even better, any browser allows you to do that, and gives you multiple choices like deleting just the cache from the last x days, etc.

Removing leftovers can also be done manually, in some cases you may use a specialized tool that just has that one job to do and will usually do it better.

You can manage start-up from a utility in Windows: msconfig.
You can manage scheduled tasks also in Windows: taskschd.
 

Transhumana

You can easily do these tasks manually; even better, any browser allows you to do that, and gives you multiple choices like deleting just the cache from the last x days, etc.

Removing leftovers can also be done manually, in some cases you may use a specialized tool that just has that one job to do and will usually do it better.

You can manage start-up from a utility in Windows: msconfig.
You can manage scheduled tasks also in Windows: taskschd.

I know all of that, but still this was a convenient multipurpose piece of software that covers all of those things. :)
 

zzz00m

What do you guys say about registry cleaning? Snake oil?

I mostly agree, and prefer to edit my registry by hand. So I have only used the registry cleaner in CCleaner sparingly, and usually take a system image first to be safe, even though the cleaner offers to back up your registry files before changing anything, which you should take advantage of anyway.

One thing I like about the registry cleaner is that it lists all the things that it thinks are wrong, prior to making any changes, which can save you some manual searching for entries. No need to have it actually remove anything, unless you want to, and you can choose to select only specific entries for removal, if desired.

But under normal operation, it is mostly unnecessary to clean the Windows registry of obsolete entries, as they are not likely to affect performance. If you are experiencing some conflicts due to a previous software install, that is another issue, for which you probably need to work with the registry directly.
 

ispx

My instinct told me there would be some pesky code from Avast or something like that

wow :geek: we need to use your instinct in the malware hub for testing :LOL: your instinct works better than VirusTotal :devil:

this was a convenient multipurpose piece of software that covers all of those things

this was a convenient malicious piece of software :ROFLMAO:
 

Deletedmessiah

I know all of that, but still this was a convenient multipurpose piece of software that covers all of those things. :)
Indeed. This was a very convenient tool. Windows' built-in tools are too slow and inconvenient. Other third-party tools I've tried either don't work well or manage to screw something up.