Malware found in official Ccleaner installers

Entreri

Level 7
Verified
May 25, 2015
342
Second stage malware could have infected 100's of corporations.

I wonder if the malware is from North Korea, instead of China. I have seen plenty of documentaries on NK and noticed they use old software. Why execute in old 32 bit systems? Targets include Samsung and Sony.
 
  • Like
Reactions: lowdetection

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
Thanks @paulderdash
I hope you are right.
My problem is that I do not have a copy of my PC before 15/08/2017:(
Neither do I. Normally I would have had, but my imaging program scheduler screwed up.

I have a highly customised setup, so the thought of a clean install makes me tired already :).

I don't believe Average Joes were the target, but if they were, either of these solutions is closing the stable door after the horse has bolted.

I am not too concerned. I just updated to CCleaner 5.35; that program will be pretty safe right now with all this scrutiny.

Suggestion: If you are doing a clean install of Windows, maybe do it when the Fall Creator's Update comes out on October 17.
 
Last edited:

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
I can't believe that they did an analysis of Blackhat Command Server uptime in the hope of determining who was responsible. As if a government sponsored group does not have listening posts elsewhere in the World (Dear Lord KMN).

Blackhat Rule #57- never use a server that can identify you.

Avast- leave the analysis to Mandiant.
 

LASER_oneXM

Level 37
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
several PCs in 12 big technology companies were infected by so called "advanced second-stage payload".... Attackers had hoped to infect an additional 13 organizations.

source: CCleaner backdoor infecting millions delivered mystery payload to 40 PCs

At least 40 PCs infected by a backdoored version of the CCleaner disk-maintenance utility received an advanced second-stage payload that researchers are still scrambling to understand, officials from CCleaner's parent company said.

The 40 PCs, belonging to 12 technology companies, including Samsung, Asus, Fujitsu, Sony and Intel, is double the number previously known to have received the advanced follow-on infection. They still represent a minuscule percentage—more precisely, about 0.0018 percent—of the 2.27 million PCs that downloaded the booby-trapped CCleaner update. Avast notified most of the companies that received the stage-two malware and was attempting to contact the remaining victims.


The stage-two payload is a relatively complex piece of malware that used a completely different set of command-and-control servers. The code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. Researchers from Cisco Systems' Talos Group have said the malware contains a "fileless" third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. Since the middle of last week, researchers have been working to reverse-engineer the payload to understand precisely what it does on infected networks.

The complete list of hosting computers that received the mystery payload includes:

infected-targets.jpg

While only 12 organizations received the follow-on malware, attackers had hoped to infect an additional 13 organizations. The stage-one malware examined the domains of all 2.27 million infected PCs. It surreptitiously collected a variety of data from each one, including all installed programs, all running processes, the operating-system version, hardware information, whether the user had administrative rights, and the hostname and domain name associated with the system. If the computers were hosted inside one of the 25 targeted networks, the attackers would attempt to infect them with stage two. The list of 13 companies that were targeted but not successfully infected with stage two is below:

uninfected-targets-640x536.jpg

The tentative conclusion to be drawn from the newly available information is that the vast majority of people who installed the backdoored CCleaner version probably dodged a potentially serious bullet. Out of an abundance of caution, enterprises—including the 540 government agencies Talos said hosted stage one-infected PCs—should reimage their machines, as should consumers who have the backups and expertise to do so or who can afford to hire a professional to do it for them. Reimaging is a much more thorough response than simply running an AV scan, which can often fail to detect infections. Unless new facts come to light, consumers who don't have these resources are probably OK not reimaging their computers.
 
Last edited:

Marko :)

Level 20
Verified
Top Poster
Well-known
Aug 12, 2015
954
Hello,
I'm not sure about the interest of this event:unsure:
I have a new laptop and I'm trying ESET IS on it; when I download the last CCleaner installer, ESET blocks it:whistle:
View attachment 174043
ESET flagged CCleaner installer as PUP (potential unwanted program) because it comes with some offers.

If you read the alert, you can see that ESET classifies installer as Win32/Bundled.Toolbar.Google.D which means it comes bundled with some Google product.

I'd recommend using portable version of CCleaner because you don't have to install and it does not contain any bundled software. There used to be Slim version of CCleaner (an installer without bundled software) but I can't find it right now.
 
Last edited:

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
I use CCleaner regularly. No PUP flags by Norton Security, Heimdal Pro & Malwarebytes Pro. Well, if it is a PUP & one that gets past these programs they deserve to be thrown into the dustbin!! But jokes aside, these are probably false positives.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
I use CCleaner regularly. No PUP flags by Norton Security, Heimdal Pro & Malwarebytes Pro. Well, if it is a PUP & one that gets past these programs they deserve to be thrown into the dustbin!! But jokes aside, these are probably false positives.
Those detections from ESET are not false positives. The detection is for the bundled PUP, not CCleaner, itself. But, because CCleaner installer, itself, is bundled with PUP, then ESET detects the whole CCleaner installer. :)
 

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
Eset has always detected CCleaner for a long time. But it was for the Pups now I don't know why Comodo and Emsisoft detected it too. :unsure:
I have installed CCleaner and Emsisoft does not detect anything. According to cruel sister. Comodo has removed it from the list of trusted providers and VT. only Eset detects it. Now, I'm a little calmer.
Off-Topic - CCleaner 5.37 - Do you trust it 100%?
Antivirus scan for 54e4512e0bf7c8359b883d814b1a8ba587f67e62f7b07be496fccda79fd75f2d at 2017-11-22 00:11:35 UTC - VirusTotal:)
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
I have installed CCleaner and Emsisoft does not detect anything. According to cruel sister. Comodo has removed it from the list of trusted providers and VT. only Eset detects it. Now, I'm a little calmer.
Off-Topic - CCleaner 5.37 - Do you trust it 100%?
Antivirus scan for 54e4512e0bf7c8359b883d814b1a8ba587f67e62f7b07be496fccda79fd75f2d at 2017-11-22 00:11:35 UTC - VirusTotal:)
You are right. My EAM does not detect anything peculiar for the portable CCleaner either
 

spaceoctopus

Level 16
Verified
Top Poster
Content Creator
Well-known
Jul 13, 2014
766
This detection has been their for a very long time now. :) Just remove it with ESET or during installation do not select the option to install the toolbar. Eset is agressive with pups, and sometimes it can cause a bit of anxiety if you're not used to it;)

Its the same with Auslogic products. Try to install for example their pro defrag software, Eset doesn't like Auslogic at all . Some other products detect nothing on the other side.
 

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
Those detections from ESET are not false positives. The detection is for the bundled PUP, not CCleaner, itself. But, because CCleaner installer, itself, is bundled with PUP, then ESET detects the whole CCleaner installer. :)

Thing is, I never get an alert even when I am installing CCleaner or an update. My installer copies are old and were a direct download after I purchased a license, so I rely on the update channel to keep my copy (x64) current. Also, there's no offer to install a toolbar or any 3rd party utility.

So, what exactly does ESET detect as a PUP within the installer? If this is an ESET specific red flag/issue and no other AV or AM detects CCleaner and/or its installer contents as a PUP then to me it seems like ESET is flagging up a false positive.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Thing is, I never get an alert even when I am installing CCleaner or an update. My installer copies are old and were a direct download after I purchased a license, so I rely on the update channel to keep my copy (x64) current. Also, there's no offer to install a toolbar or any 3rd party utility.

So, what exactly does ESET detect as a PUP/PUA within the installer? If this is an ESET specific red flag/issue and no other AV or AM detects CCleaner and/or its installer contents as a PUP then to me it seems like ESET is flagging up a false positive.
It's already well-known that the standard CCleaner installer has a bundled application (Google toolbar), which some would consider as PUP/PUA. Why do you think Piriform also offers a "Slim" version of CCleaner? :)

The detection is about PUP, not malware. So, you would expect that not all AVs would flag it. The detection now depends on the AV company. ESET has been flagging CCleaner Standard since a long time ago. For ESET, the bundled application (Google Toolbar) is a PUP. But for other AVs, it's not. :)

I also use CCleaner. But I'm impatient for the Slim version, so I usually download and install the Standard version. I use Kaspersky, and it's not detecting the bundled application. :)
 

conceptualclarity

Level 21
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,072
Hello Malware Tips pals. I was away when this happened. I don't have to go through 13 pages of discussion. Could somebody catch me up?

[OOPS--a preliminary draft posted!]

I want to know just who were all the true heroes in this matter.(Obviously I don't include ClamAV doing its usual meaningless ritual of flagging everything.)

How did a wretched episode like this come about? How tainted do people feel Avast is by this?

I've had a long practice of running all my downloads past Virus Total. Would that have helped here?

ESET flagged CCleaner installer as PUP (potential unwanted program) because it comes with some offers.

If you read the alert, you can see that ESET classifies installer as Win32/Bundled.Toolbar.Google.D which means it comes bundled with some Google product.

I'd recommend using portable version of CCleaner because you don't have to install and it does not contain any bundled software. There used to be Slim version of CCleaner (an installer without bundled software) but I can't find it right now.

I've been downloading and installing CCleaner regular installer updates for years without ever encountering any piggyback programs, despite what ESET has been saying.
 
Last edited:

R2D2

Level 6
Verified
Well-known
Aug 7, 2017
267
It's already well-known that the standard CCleaner installer has a bundled application (Google toolbar), which some would consider as PUP/PUA. Why do you think Piriform also offers a "Slim" version of CCleaner? :) The detection is about PUP, not malware. So, you would expect that not all AVs would flag it.

Ah! Now that explains why. My installer does not include the Google Toolbar. :) So naturally no red/yellow flags by an AV/AM. But I do agree it may be considered by a PUP by not only an AV company but some users too.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top