Malware found in official Ccleaner installers

lowdetection

I checked the x64 version I have; look, I didn't have the Gnome registry value.

 

shmu26

The gut reaction when reading something like this is to install some kind of HIPS and run it in ultra-paranoid mode. But that is not a solution. Because you have to be very INFORMED in order to know which actions to allow, and which to block. With HIPS in paranoid mode, you can't just block everything.
 

Deletedmessiah

The gut reaction when reading something like this is to install some kind of HIPS and run it in ultra-paranoid mode. But that is not a solution. Because you have to be very INFORMED in order to know which actions to allow, and which to block. With HIPS in paranoid mode, you can't just block everything.
Not only do you have to be informed, but you also have to be patient enough not to get annoyed by all those popups.
 

ForgottenSeer 58943

Thread author
As a general precaution, one should block outbound connections from programs unless explicitly needed. On our internal desktops/servers this is all done through one of the appliances I have. For our laptops I specifically limit installation to only the absolute essentials, lock them down, install the VPN and walk away. Auto-updating should be disabled on most things IMO, unless needed to ensure security/safety.

I don't feel there is a crucial need to update cleaner-type programs. Who cares? I've seen 2-year-old versions of CCleaner on people's machines and don't even bother to update them. This breach really impacts CCleaner Cloud (Agomo) pretty badly, I would imagine, once it gets more publicity, as that auto-updates without any prompts and gathers EXTRA telemetry. I don't see how/why anyone would continue to use CCleaner after this full-on breach of their most sensitive functions.

Maybe try Glary Utilities Pro and use one of the lifetime keys floating around? By default, Glary doesn't auto-update and it only sends telemetry to a single IP address which is easy to block/blackhole. Manually update it every 6-12 months if you feel bored and call it a day. Or stick with Bleachbit (Opensource) and disable update checking (although it does not auto-install updates). If you are super paranoid, compile your own Bleachbit to use. :LOL:
 

Transhumana

Not necessarily, TM. There are plenty of ways to check and double-check a piece of software before you click on install, which you surely did not.

Either you were ill-informed or you knowingly chose to look the other way, and in both cases it is solely a lapse on your part.

[sarcasm] Yeah, I usually completely close my eyes and play Russian roulette while choosing software. [/sarcasm] :ROFLMAO:

Of course my computing is not perfect and I make mistakes, just like anybody else; but choosing CCleaner as a preferred piece of software before any of this happened would hardly be considered one.
 

509322

Thread author
The gut reaction when reading something like this is to install some kind of HIPS and run it in ultra-paranoid mode. But that is not a solution. Because you have to be very INFORMED in order to know which actions to allow, and which to block. With HIPS in paranoid mode, you can't just block everything.

It depends upon the HIPS product and what information it provides to the user via the alerts. Like I said, it also depends upon what the embedded malicious code does. I didn't bother to read about what was embedded, but if a user sees CCleaner attempting to execute PowerShell, as a single example, then that is an obvious red flag, since CCleaner never launches PowerShell.
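A concrete form of the red flag described in the post above, as an added example that is not part of the original thread: a small Python filter over constructed Sysmon-style process-creation records (the CSV layout, field names and paths are assumptions) that flags a cleaner utility spawning a script host or shell.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample of process-creation records (Sysmon Event ID 1 style,
# flattened to CSV). Field names and values are assumptions for this example.
SAMPLE_LOG = """\
ParentImage,Image,CommandLine
C:\\Windows\\explorer.exe,C:\\Program Files\\CCleaner\\CCleaner64.exe,"CCleaner64.exe"
C:\\Program Files\\CCleaner\\CCleaner64.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,"powershell.exe -nop -w hidden"
C:\\Windows\\explorer.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,"powershell.exe"
C:\\Program Files\\CCleaner\\CCleaner64.exe,C:\\Windows\\System32\\conhost.exe,"conhost.exe"
"""

# Utilities that have no legitimate reason to launch a script host or shell.
WATCHED_PARENTS = {"ccleaner.exe", "ccleaner64.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def suspicious_children(log_text: str) -> list:
    """Return the records in which a watched utility spawns a script host."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        parent = basename(row["ParentImage"])
        child = basename(row["Image"])
        if parent in WATCHED_PARENTS and child in SCRIPT_HOSTS:
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in suspicious_children(SAMPLE_LOG):
        print(f"ALERT: {hit['ParentImage']} -> {hit['Image']}: {hit['CommandLine']}")
```

The same parent/child pairing is the kind of rule a HIPS would surface as an alert; the point is that the parent process, not the child alone, makes the event anomalous.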
 

ForgottenSeer 58943

Thread author
Is anyone else as paranoid as me where you keep older, validated secure versions of applications for installations? I have a directory on my zero knowledge cloud with encrypted applications going back a couple of years. That way if the product tanks, I have it.
[sarcasm] Yeah, I usually completely close my eyes and play Russian roulette while choosing software. [/sarcasm] :ROFLMAO:

Of course that my computing is not perfect and I do mistakes, just like anybody else; but choosing CCleaner as a preferred piece of software prior any of this happened would hardly consider as one.

In all fairness, most people accord some level of blind trust to well-established products with a quality reputation, like CCleaner. Most of us are guilty of it.

Obviously we know now, that trust was misplaced. I think I mentioned earlier, I used to subscribe to CCleaner Cloud (Agomo) but discontinued it after I did a sweep through my network to reduce outbound telemetry. Ccleaner Cloud was sending out more information than I felt necessary so I cancelled it. Thankfully, I cancelled it before this fiasco.

Remember, this doesn't just impact the 'free' offerings from them!
 

shmu26

Piriform should have their certificate revoked.
You can say it's not their fault they got hacked, but it's worse than that. They went and put their signature on a file without even checking it first! If a pharmacist did that, he would sit in jail.
 

Transhumana

Is anyone else as paranoid as me where you keep older, validated secure versions of applications for installations? I have a directory on my zero knowledge cloud with encrypted applications going back a couple of years. That way if the product tanks, I have it.


In all fairness, most people accord some level of blind trust to well-established products with a quality reputation, like CCleaner. Most of us are guilty of it.

Obviously we know now, that trust was misplaced. I think I mentioned earlier, I used to subscribe to CCleaner Cloud (Agomo) but discontinued it after I did a sweep through my network to reduce outbound telemetry. Ccleaner Cloud was sending out more information than I felt necessary so I cancelled it. Thankfully, I cancelled it before this fiasco.

Remember, this doesn't just impact the 'free' offerings from them!

I completely agree with you; and that is the case with almost any piece of software, unless you can completely see its code and have enough knowledge to inspect it. We can only do as much as we can to protect ourselves, but every time we go online and download any piece of software, we are taking a certain amount of risk, no matter how well-known and reputable the publisher is. And we all make decisions for ourselves about where the boundaries of the risk we are willing to take lie.
 
