Video Review The Horror of CCleaner

Discussion in 'Video Reviews' started by cruelsister, Sep 23, 2017.

  1. cruelsister

    cruelsister Level 32
    Trusted

    Apr 13, 2013
    2,131
    12,418
    NYC
    Video Uploaded by:
    cruelsister
    A real quick and dirty look-see into the CCleaner malware:

     
    seanss, Fede90, XhenEd and 29 others like this.
  2. Telos

    Telos Level 8

    Jan 29, 2017
    376
    987
    Baana
    #2 Telos, Sep 23, 2017
    Last edited: Sep 23, 2017
    Wondering now if I ever used this version... and I get my CCleaner updates through Kaspersky too. o_O

    So blocking CCleaner 'net access would have rendered this moot? Apart from update checks, there's no reason this program requires outside access AFAIK.
     
    seanss, Vasudev and Solarlynx like this.
  3. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,701
    11,826
    AppGuard LLC Virginia, U.S.
    The fundamental issue is not specific to CCleaner.

    It doesn't much matter what security software you have installed if it employs the concept of trusting files and processes based upon widely accepted criteria.
     
    seanss, shmu26, XhenEd and 9 others like this.
  4. Telos

    Telos Level 8

    Jan 29, 2017
    376
    987
    Baana
    Unfortunately, that is true, and defenses for the average/semi-advanced user are lacking.
     
    seanss, shmu26 and Solarlynx like this.
  5. L S

    L S Level 5

    Jul 16, 2014
    208
    1,178
    Windows 10
    Avast
    This happened to me; I manually deleted "Agomo" from the Registry Editor and updated CCleaner to the latest version.
     
  6. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,701
    11,826
    AppGuard LLC Virginia, U.S.
    The fundamental issue affects everyone regardless of their knowledge and skills. So it includes even the mightily capable.
     
    seanss, shmu26, XhenEd and 6 others like this.
  7. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,701
    11,826
    AppGuard LLC Virginia, U.S.
    Avast stated that the Agomo key was not relevant, but at the same time they have revised their statements regarding compromised CCleaner a few times already. Revisions of initial analyses and reports are generally common. Just look at Eternal Blue\Double Pulsar\SMB as a prime example.
     
    seanss, XhenEd, harlan4096 and 5 others like this.
  8. L S

    L S Level 5

    Jul 16, 2014
    208
    1,178
    Windows 10
    Avast
    Yeah ....... but I was supposed to do something, I cannot just ignore it.
     
    seanss likes this.
  9. cruelsister

    cruelsister Level 32
    Trusted

    Apr 13, 2013
    2,131
    12,418
    NYC
    LS - deleting the Agomo key is pointless, as it will be repopulated when the malware next starts. Deletion will not prevent subsequent connections.
     
  10. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,701
    11,826
    AppGuard LLC Virginia, U.S.
    I know. I already played with it. However, I just don't want to be involved in the "you said, but Avast said, Piriform is now saying, and Cisco Talos says everybody else is wrong, etc." As you already know these topics are generally an endeavor against misinformation or incorrect information right from the very initial report - and I'd rather just stay out of it. Just look at what was done with EB\DB\SMB - where some (actually more than just some people) insulted themselves professionally.
     
  11. L S

    L S Level 5

    Jul 16, 2014
    208
    1,178
    Windows 10
    Avast
    #11 L S, Sep 23, 2017
    Last edited: Sep 23, 2017
    Okay, ....... but why would I leave the 'Agomo' key there (when I know it is there)? Now at least I know that it is gone, and if it accidentally appears again, then I will know that the malware reacted again.
    P.S. - Will you leave the 'Agomo' key there?
     
  12. Av Gurus

    Av Gurus Level 28
    Trusted AV Tester

    Sep 22, 2014
    1,713
    10,631
    Testing security programs
    Earth
    Windows 10
    Maybe you should check this reg key:
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf

    Is it empty or not?
     
    Pat MacKnife, _CyberGhosT_ and L S like this.
  13. L S

    L S Level 5

    Jul 16, 2014
    208
    1,178
    Windows 10
    Avast
    Yes, I checked 2 days ago; it's empty --- just this: = (default) - REG-SZ - (value not set)
     
    Pat MacKnife and Av Gurus like this.
  14. sunrise

    sunrise Level 2

    Aug 2, 2014
    58
    98
    So we should not be using CCleaner? How about the portable version?

    If we don't use CCleaner, what should we use in its place?
     
    seanss likes this.
  15. L S

    L S Level 5

    Jul 16, 2014
    208
    1,178
    Windows 10
    Avast
    CCleaner was infected, but only version 5.33.6162 & (also) the CCleaner Cloud version 1.07.3191.
    ....... BUT NOW it's okay to use it - updated version 5.35 and up; the same is for CCleaner Cloud .......
    ....... - I use it and there are no more infections in CCleaner - it's clean ! ! ! (Portable version too) = Also the millions of users still use CCleaner !!! Yes !!! (y)
    Here are some alternatives for CCleaner:
    - Wise Care 365
    - AVG PC TuneUP
    - Glary Utilities
    - Win Optimizer
    - BleachBit
    - Private Eraser
    - KCleaner
    - PrivaZer
    - Wise Disk Cleaner
    & here you have this:
    - The best free alternatives to CCleaner 2017 | TechRadar
    & plus you have (to look for info):
    - www.google.com/
    & some extra courtesy:
    - Piriform - Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
     
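    The checks the last few posts describe (Av Gurus asking whether the WbemPerf key is empty, L S confirming it holds only the unset default value, and the affected build numbers 5.33.6162 / Cloud 1.07.3191 listed just above) can be done read-only from PowerShell. The script below is an added example written for this thread; it is not code from any poster, Piriform, Avast or Cisco Talos. Only the WbemPerf path comes from the thread: the Uninstall-key lookup for the installed CCleaner version and the one-level search for a subkey named "Agomo" under HKLM\SOFTWARE are assumptions, since the thread never states where the Agomo key lives. Nothing is deleted; as cruelsister notes, removing the key does not stop the malware, so the script only reports.

```powershell
# Added example for this thread: read-only indicator checks. Paths other than
# WbemPerf are assumptions, not facts stated by the posters.

# Builds the thread names as trojanized: 32-bit CCleaner 5.33.6162 and
# CCleaner Cloud 1.07.3191. Compared by major.minor because the Uninstall
# key's DisplayVersion may be shorter than the full build number.
$AffectedVersions = @([version]'5.33.6162', [version]'1.07.3191')

function Get-CCleanerInstall {
    # Assumption: CCleaner registers under the standard Uninstall keys.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
            Where-Object { $_.DisplayName -like 'CCleaner*' } |
            Select-Object DisplayName, DisplayVersion, InstallLocation
    }
}

function Test-AffectedVersion([string]$DisplayVersion) {
    # True when the installed major.minor matches one of the builds named above.
    $v = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$v)) { return $false }
    foreach ($a in $AffectedVersions) {
        if ($v.Major -eq $a.Major -and $v.Minor -eq $a.Minor) { return $true }
    }
    return $false
}

function Test-WbemPerfKey {
    # The key Av Gurus asked about. On L S's clean machine it held only the
    # unset (Default) value, which GetValueNames() reports as an empty string.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf'
    if (-not (Test-Path $path)) {
        return [pscustomobject]@{ Exists = $false; Values = @() }
    }
    $names = (Get-Item -Path $path).GetValueNames() | Where-Object { $_ -ne '' }
    [pscustomobject]@{ Exists = $true; Values = @($names) }
}

function Find-AgomoKey {
    # Assumption: the "Agomo" key L S deleted sits directly under HKLM\SOFTWARE
    # (or its WOW6432Node mirror). The thread gives no path, so this only
    # looks one level deep and reports what it finds.
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like '*Agomo*' } |
            Select-Object -ExpandProperty Name
    }
}

# --- report ---------------------------------------------------------------
$installs = @(Get-CCleanerInstall)
if ($installs.Count -eq 0) {
    Write-Output 'CCleaner: no entry found in the Uninstall keys'
}
foreach ($i in $installs) {
    $state = if (Test-AffectedVersion $i.DisplayVersion) {
        'matches a build named as trojanized in this thread'
    } else {
        'not one of the builds named in this thread'
    }
    Write-Output ('{0} {1}: {2}' -f $i.DisplayName, $i.DisplayVersion, $state)
}

$wbem = Test-WbemPerfKey
if (-not $wbem.Exists) {
    Write-Output 'WbemPerf: key does not exist'
} elseif ($wbem.Values.Count -gt 0) {
    Write-Output ('WbemPerf: unexpected named values present: {0}' -f ($wbem.Values -join ', '))
} else {
    Write-Output 'WbemPerf: empty (only the unset Default value)'
}

$agomo = @(Find-AgomoKey)
if ($agomo.Count -gt 0) {
    Write-Output ('Agomo-like key(s) present: {0}' -f ($agomo -join ', '))
} else {
    Write-Output 'No Agomo-like key directly under HKLM\SOFTWARE'
}
```

    Run it from an elevated PowerShell prompt so HKLM is readable in full. A non-empty WbemPerf or a reappearing Agomo key is a reason to treat the machine as still compromised, not something to clean by hand; the thread's own advice is to move to 5.35 or later and let the AV handle the rest.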
  16. Fede90

    Fede90 Level 2

    Aug 16, 2013
    61
    209
    Employee
    Venice
    Windows 10
    I had the infected installer on my laptop. Fortunately the infected one was 32-bit; 64-bit was clear. Microsoft Security detected and deleted it at the same moment I was reading news about the server violation of the CCleaner software house. I was surprised because I don't trust that program at all. After that I installed Emsisoft Anti-Malware just in case :p
     
    frogboy likes this.
  17. cruelsister

    cruelsister Level 32
    Trusted

    Apr 13, 2013
    2,131
    12,418
    NYC
    Hi Fede! The issue with the 2nd-opinion scanners was that they only detected this thing after the MD5 was released by Cisco/Talos.

    I did a video (unpublished because I didn't think anyone would care) testing the big three (MB, HMP, Zemana) against the most common CCleaner malware and was surprised that even after 30 days only 1 of the 3 detected the malware, and none detected the reg entry.

    Also, I keep reading that some folk think they would never have an issue with stuff like this as they would deny network access to it. Although quite true in this case, understand that other software may require Internet access to work. Consider that the Group (this was no script-kiddie malware!) needed to acquire BOTH the private signing key to legitimize the false CCleaner as well as the FTP credentials to upload the malware to the server. Getting either of these things is not easy or inexpensive.

    Fortunately Peasants like us would never be bothered by such high-quality stuff - as soon as those responsible detected that we were just plain folk, the secondary malware would never have been uploaded to our systems. This malware was created for corporate espionage, but could also be used for military cyber attacks. But still we should not feel good that we as individuals would have been unaffected. Personally I would rather have my personal info stolen than live in a country where the Defense C&C servers were taken down as the missiles fly in, or having the electrical grid crash as the tanks barrel across the border (btw, this was the rationale of why the US questions the use of K in critical infrastructure. Thank God there are FINALLY ears that hear and minds that actually think).
     
    seanss, XhenEd, mlnevese and 8 others like this.
  18. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,248
    13,489
    Utopia
    Indeed, we should not waste our time and energy trying to protect ourselves from super-advanced attacks that are not targeting us anyway. Our time would be better spent brushing our teeth or doing other similar things that have known benefits.
     
    bribon77, seanss, Telos and 1 other person like this.
  19. HarborFront

    HarborFront Level 33
    Content Creator

    Oct 9, 2016
    2,295
    5,751
    Far East
    That infected CCleaner is not a horror.

    The horror is when the AV/AM software in your system cannot automatically detect and clean it.
     
  20. TairikuOkami

    TairikuOkami Level 8
    Content Creator

    May 13, 2017
    376
    1,592
    Postal Worker
    Slovakia
    Windows 10
    That is a good point. I am sure that many AVs exclude it even from behavioural scanning because it is trusted software. How many others are also neglected?! :unsure:
     