Malware found in official Ccleaner installers

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
I knew it, they didn't just "watch" ...and for 1 month ..

CCleaner Hack Carried Out In Order to Target Big Tech Companies
....

Attackers targeted a who's who list of tech companies
Cisco Talos says attackers targeted victims based on their computer's domain name. Ironic
ally, the attackers targeted Cisco itself, along with other organizations such as Singtel, HTC, Samsung, Sony, Gauselmann, Intel, VMWare, O2, Vodafone, Linksys, Epson, MSI, Akamai, DLink, Oracle (Dyn), and even the almighty Microsoft and Google (Gmail).
....
The first table contained data on over 700,000 computers, while the second on 20 — after removing duplicates. Both tables stored entries dated between September 12 and September 16.
....
"It appears the data prior to Sept 12 was erased.
....
Researchers also point out that because of the incomplete C&C server data and because attackers downloaded a silent second-stage downloader, users who ran the tainted versions of CCleaner should wipe clean or restore from backups made before August 15, when the two CCleaner tainted versions were released. The previous advice to deal with the malware was to only update the CCleaner apps.
...
 
Last edited:
D

Deleted member 65228

Thread author
64 bit would be harder to attack given patchguard and WOW64.Maybe this is why only 32 was targeted!!?
WOW64 is an emulation layer which is passed through by X86-X64 processes (because on x64 versions of Windows they are emulated). Whereas, a 64-bit process will perform a direct system call without requiring to pass through the WOW64 layer. This limitation can be revoked via using a technique called Heavens Gate, which relies on using the segment selector (0x33 for 64-bit). In fact, security solutions don't even intercept WOW64 as far as I know (you can detour functions such as X86SwitchTo64BitMode though).

PatchGuard won't cause a problem for the malicious code which was put into the affected version of CCleaner. PatchGuard is a feature implemented for 64-bit systems only, and its responsibility is to identify patches in the Windows NT Kernel and prevent unsigned device drivers from being loaded (since a Windows 10 patch there is now an Extended Validation (EV) Code Certificate Authentication requirement). If you load a kernel-mode device driver and try to patch the System Service Dispatch Table for example, you'll be hit with a BSOD (Blue Screen Of Death) from BugCheck which is part of PatchGuard (and checks regularly for changes in its scope).

All in all, WOW64 isn't going to affect Floxif (neither does it use Heavens Gate to perform x64 system calls itself) and the threat doesn't rely on any device drivers so PatchGuard is out of scope for being a cause as to why it was targeted for 32-bit systems only as well. Unless there are new pay-loads we do not know of which have not yet been identified which will perform actions such as installing device drivers. :)
 

Venustus

Level 59
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Dec 30, 2012
4,809
Hallelujah, Avast now detects the infected exe::LOL:
WOW64 is an emulation layer which is passed through by X86-X64 processes (because on x64 versions of Windows they are emulated). Whereas, a 64-bit process will perform a direct system call without requiring to pass through the WOW64 layer. This limitation can be revoked via using a technique called Heavens Gate, which relies on using the segment selector (0x33 for 64-bit). In fact, security solutions don't even intercept WOW64 as far as I know (you can detour functions such as X86SwitchTo64BitMode though).

PatchGuard won't cause a problem for the malicious code which was put into the affected version of CCleaner. PatchGuard is a feature implemented for 64-bit systems only, and its responsibility is to identify patches in the Windows NT Kernel and prevent unsigned device drivers from being loaded (since a Windows 10 patch there is now an Extended Validation (EV) Code Certificate Authentication requirement). If you load a kernel-mode device driver and try to patch the System Service Dispatch Table for example, you'll be hit with a BSOD (Blue Screen Of Death) from BugCheck which is part of PatchGuard (and checks regularly for changes in its scope).

All in all, WOW64 isn't going to affect Floxif (neither does it use Heavens Gate to perform x64 system calls itself) and the threat doesn't rely on any device drivers so PatchGuard is out of scope for being a cause as to why it was targeted for 32-bit systems only as well. :)
Thanks for the clarification!:)
 

TheMalwareMaster

Level 21
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Guys, COMODO Firewall at my settings is able to block ccleaner 5.33 installation, because piriform is not in default COMODO trusted vendors (I'm running COMODO at defaut-deny with no cloud lookup)
Settings: COMODO - Maximum Security.cfgx

ccleaner.PNG

Regarding VoodooShield, all infected versions are flagged by the AI as suspicious, except for the CCleaner pro, which is flagged as safe. Basically, VoodooShield on Autopilot would have been bypassed when it had a detection of 0 on VirusTotal

My question is: how is COMODO still able to block it even if I turn on the cloud lookup?
CCleaner 5.33 shouldn't have been whitelisted in COMODO Cloud?
 
Last edited:

TheMalwareMaster

Level 21
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
I do not have much experience with using Comodo however maybe they removed CCleaner from their white-list after the recent events. It would be logical for them to do this. At least for now.
I tested CCleaner 3.55 with cloud ON. It's also blocked as unrecognised. Probably they don't care much about whitelisting CCleaner.
COMODO made a good job this time, but we were lucky. Piriform has never been in COMODO trusted vendors list, not even before the attack.

If you try to SUD CCleaner installer via COMODO Firewall, it says that the file is too big to be submitted. This way, nobody is submitting the file and COMODO appearently doesn't care of CCleaner, so the verdict keeps to be unrecognised.
 
Last edited:

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
This is the latest version ccsetup535.exe (see the first screenshot)...
 
  • Like
Reactions: Marko :)

Entreri

Level 7
Verified
May 25, 2015
342
Kaspersky has traced this to Chinese intelligence. They were likely looking to get back door access into M$, Google, Intel, AMD, Cisco etc and etc.

This consequences of this breach may not be over yet. Imagine for instance Windows updates being compromised...
 
5

509322

Thread author
Correct. When you launch CCleaner it connects to internet to check for updates. When you disable that option, it won't connect to internet anymore.

The malicious version of CCleaner pinged 224.0.0.0 on port 0 using ICMP. Followed by a delay to run the embedded malicious code. The ping was independent of CCleaner's setting to check for updates.

Disabling check for updates does not block all network access, it just disables the update query.
 
Last edited by a moderator:

Marko :)

Level 20
Verified
Top Poster
Well-known
Aug 12, 2015
954
The malicious version of CCleaner pinged 224.0.0.0 on port 0 using ICMP. Followed by a delay to run the embedded malicious code. The ping was independent of CCleaner's setting to check for updates.

Disabling check for updates does not block all network access, it just disables the update query.
I know that. I was talking about clean and latest version of CCleaner. When checking for updates is enabled, CCleaner will connect to internet every time you launch it. If it's disabled, CCleaner will not connect to internet at all. I've tested that myself.
 

L S

Level 5
Verified
Well-known
Jul 16, 2014
215
Whats the solution for dig signed malware? We all see even Kasper sky failed! I think that cisco detected it first?
Cisco's Talos Intelligence Group Blog: CCleanup: A Vast Number of Machines at Risk
just look at the address bar!
Cicso saying avast did it :Ddo you trust Cicso? I guess they hide this message to the address bar!
Actually - it wasn't Cisco who first notified Avast about the problem. The threat was first discovered and reported to Avast by researchers in a security company called Morphisec .
From AVAST :
BTW, I have to say I was quite disappointed by the approach taken by the Cisco Talos team who appears to be trying to use information about this incident to drive marketing activities and piggyback on the case to increase the visibility of their upcoming product. And, I should probably also say that it wasn't Cisco who first notified us about the problem. The threat was first discovered and reported to us by researchers in a security company called Morphisec (thank you!). The threat was real, but to the best of our knowledge, it was fortunately mitigated before it could do any harm.
 

JB007

Level 26
Verified
Top Poster
Well-known
May 19, 2016
1,574
Hello,
I was not aware about this big problem:sick:
I checked my two PC and found this on the first, but I have updated CC and I think I was previously on 5.33:
CC3.PNG
CC4.PNG


and on the other:
CC1.PNG
CC2.PNG


Both PC are Windows Pro 64 bits with Bitdefender.
Do you think I'm at risk and have to reinstall my two PC.
Sorry if my questions are redundant but I'm afraid and it is very difficult for me to read and understand all the posts...
Thanks for your help.
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
...they say that x64 version is not infected but who can you trust now...???
For 100% security re-install is the best options.

BTW: version 5.33.6162 is (only) infected...they say...
 

Transhumana

Level 6
Verified
Well-known
Jul 6, 2017
271
My dad had that infected 32-bit version on his laptop and I hoped that I'll be able to restore his machine from earlier backups, but unfortunately, he never made any kind of system backup so I had to reinstall OS. When I went through registry keys on his laptop I only found Agomo and not the keys connected with the second payload.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top