Video The Horror of CCleaner

Joined
Aug 8, 2016
Messages
32
#21
A real quick and dirty look-see into the CCleaner malware:

Hey! I had this on one of my machines. The CCleaner malware was actually pretty benign in what it did. It's freaking insane that somebody was actually able to get Piriform to sign infected versions of their software FROM THEIR WEBSITE, but that aside it wasn't too bad. First, the malware was only downloaded around August. I don't remember when exactly, but it was only on Piriform's site for a month or two. Also, the infected version was ccleaner.exe, but CCleaner installed ccleaner.exe AND ccleaner64.exe onto the computer-- ccleaner64 was not infected. So, on all 64-bit machines, clicking CCleaner from the Start menu or desktop would open ccleaner64.exe by default. Luckily I was one of those ones and didn't get infected. So, unless you had a 32-bit machine or deliberately went into CCleaner's Program Files directory and clicked the 32-bit version, you wouldn't have been infected. And lastly, from what I have heard the attackers used the malware to collect personally identifiable information from machines, not drop payloads.
 
Joined
Aug 8, 2016
Messages
32
#22
The fundamental issue is not specific to CCleaner.

It doesn't much matter what security software you have installed if it employs the concept of trusting files and processes based upon widely accepted criteria.
Well, actually, even Windows Defender detected the malicious version of CCleaner, so a lot of people were protected.
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
3,524
#23
Well, actually, even Windows Defender detected the malicious version of CCleaner, so a lot of people were protected.
That was a month after the malicious CCleaner was released. Embedded malicious code in a trusted & whitelisted program will bypass security softs until that program is blacklisted.

It's a foolproof bypass method.
 

cruelsister

Level 36
Content Creator
Verified
Joined
Apr 13, 2013
Messages
2,509
#24
There was indeed no defense for it, at least the initial installation. This was a high quality hack- a legitimately signed application was downloaded from a company specific (and also legitimate) server. This meant that those responsible had both the Private Key to sign and the FTP credentials to upload the file. Doing both is not an easy thing to do (nor inexpensive).

Creating a test of this malware versus anything is rather pointless now as everyone and their Cat knows about it, and saying "My AV detects it now!" is equally without value. Remember that the initial detection was by someone stumbling on to a connection to a California server that had hosted malware in the past, and this after a month- by this time the actual payloads had been uploaded to those targeted. From Zero day to D+30 no security product detected anything. It can't be said enough that this was a targeted attack against the likes of Samsung, Intel, VMware, etc and NOT something that peons like us need to worry about.

What we DO need to worry about (and why I did the video) is that this was the best public example of the Nightmare Scenario- that being a trusted application from a trusted source gone rogue. There is nothing at all we can do to defend ourselves from stuff like this, but instead this demonstrates the Half-assed manner in which both credentials for Trusted Certificates and FTP logon credentials are secured. That should darken anyone's day.
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
3,524
#26
There was indeed no defense for it, at least the initial installation. This was a high quality hack- a legitimately signed application was downloaded from a company specific (and also legitimate) server. This meant that those responsible had both the Private Key to sign and the FTP credentials to upload the file. Doing both is not an easy thing to do (nor inexpensive).

Creating a test of this malware versus anything is rather pointless now as everyone and their Cat knows about it, and saying "My AV detects it now!" is equally without value. Remember that the initial detection was by someone stumbling on to a connection to a California server that had hosted malware in the past, and this after a month- by this time the actual payloads had been uploaded to those targeted. From Zero day to D+30 no security product detected anything. It can't be said enough that this was a targeted attack against the likes of Samsung, Intel, VMware, etc and NOT something that peons like us need to worry about.

What we DO need to worry about (and why I did the video) is that this was the best public example of the Nightmare Scenario- that being a trusted application from a trusted source gone rogue. There is nothing at all we can do to defend ourselves from stuff like this, but instead this demonstrates the Half-assed manner in which both credentials for Trusted Certificates and FTP logon credentials are secured. That should darken anyone's day.
For months people on the forums freaked out over Double Pulsar\Eternal Blue - a threat to virtually none of the people freaking out about it. In comparison, Evil Cleaner (EC) - being immensely popular and widely distributed - has been a footnote on the forums despite potentially being a much more pernicious threat. Just shows you people don't understand threat fundamentals. They don't get it (I think because they don't read and\or the only objective is playing with security softs like children play with toys).

Even if Evil Cleaner had been 100 % fully functional and included x64, poll 100 random security forum members which was worse from an overall security threat perspective - EB\DP or EC - and I can absolutely guarantee that the vast majority of people would reply EB\DP.
 

Windows_Security

Level 18
Content Creator
Verified
Joined
Mar 13, 2016
Messages
867
OS
Windows 7
#27
I wonder how many people stopped using CCleaner? On this forum about half of the users did not trust CCleaner any more. But in the real world outside the security forum geeks and nerds, how many people would really care and change their cleaner of choice?

I think the closing words of a classic movie apply: Frankly my dear ...
 

mlnevese

Level 12
Verified
Joined
May 3, 2015
Messages
569
OS
Windows 10
Antivirus
Kaspersky
#28
I wonder how many people stopped using CCleaner? On this forum about half of the users did not trust CCleaner any more. But in the real world outside the security forum geeks and nerds, how many people would really care and change their cleaner of choice?

I think the closing words of a classic movie apply: Frankly my dear ...
I believe in the real world most people have not heard of it at all... I'll bet their loss of clients was minimum to non-existent. Notice I'm referring to paying customers not those using the free version.
 

Lightning_Brian

Level 11
Verified
Joined
Sep 1, 2017
Messages
514
OS
Windows 10
Antivirus
Norton
#30
Interesting thread! I will say that I'm still using my lifetime pro version of this software. Luckily, I was not affected by the malicious version of this software. I don't always use the most updated version of the software and I mainly keep it on a thumb drive for cleanups. @Av Gurus I too have noticed that even after clicking off the auto-update something fishy was occurring. That is why I moved towards the portable version of this software.

I will mention that I'm currently looking at Wise Cleaner 365 Pro as well after the recent hiccup. However, I wouldn't recommend everyone to quit "cold turkey" here. (Just my humble opinion for what it is worth.)

If people are quite worried one can get the portable version for free as well - no strings attached there. From there, you know that it is not always on your system and it cannot do anything anywhere near as malicious - that I am aware of. If you are worried you have a bad version of it, lock down your system so the USB cannot read, write, or execute and wipe out the USB flash drive and put the latest on. Needless to say, portable versions of some software are quite nice to have - ease of use between multiple computers too. Just have to weigh the pros and cons.

It is good to be security aware and minded! Thanks for creating this thread @cruelsister !
 

TairikuOkami

Level 16
Content Creator
Verified
Joined
May 13, 2017
Messages
798
OS
Windows 10
Antivirus
Default-Deny
#31
I add CCleaner on my virtual PC and disable options: Automatically check for updates
Then install GlassWire and it shows me that CCleaner is still checking for updates. WTF?! :unsure:
Avast has decided to go Microsoft's way, it will check and force security updates, since checking for updates does not update the free version.
Code:
schtasks /DELETE /TN "CCleaner Update" /f
 

Peter2150

Level 7
Verified
Joined
Oct 24, 2015
Messages
300
OS
Windows 7
Antivirus
Emsisoft
#32
I went back and tested this thing. There was one clue, but I doubt much would have paid attention then. I do now. The clue was after 10 minutes a firewall alert on an outbound request for which there was no valid reason.
 

cruelsister

Level 36
Content Creator
Verified
Joined
Apr 13, 2013
Messages
2,509
#38
Paul- Even with the Portable version you will still get an initial connection to the main Piriform site (not readily apparent- this is to verify that you are using the current version), and if CCleaner was never installed on the system in the past you will also get a One time connection to a CloudFlare server that is used for statistical purposes.

UpNorth- We should just be thankful that this was targeted. If it wasn't all CCleaner users would be toast.
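Lockdown's point in #23 (code embedded in a trusted, whitelisted program is invisible to reputation-based checks until the program is blacklisted), Peter2150's clue in #32 (the only sign was a firewall alert on an outbound request with no valid reason), and cruelsister's list in #38 of the connections a clean CCleaner legitimately makes (the Piriform site, plus a one-time CloudFlare hit) together describe the one check that does work here: watch what a trusted application actually does on the network, not who signed it. The Python below is an added example, not code from the thread or from any product it mentions. It assumes a generic, constructed outbound-connection log (timestamp, process, destination, port), and uses placeholder hostnames (`update.piriform.example`, `stats.cloudflare.example`) and a TEST-NET address (`203.0.113.7`) standing in for the unexpected server; none of these are real IoCs from the incident.

```python
"""Per-process destination allowlisting for trusted applications.

Added example (not from the forum thread or any product it names).
The log layout is constructed for this example:
    <ISO timestamp> <process name> <destination host or IP> <dest port>
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed sample log. The first three lines are the behaviour cruelsister
# describes for a clean install (Piriform version check, one-time CloudFlare
# stats hit); line four is the kind of unexplained outbound request Peter2150
# saw. 203.0.113.7 is a TEST-NET-3 placeholder, not a real destination.
SAMPLE_LOG = """\
2017-09-01T10:00:03 ccleaner64.exe update.piriform.example 443
2017-09-01T10:00:04 ccleaner64.exe stats.cloudflare.example 443
2017-09-01T10:10:12 ccleaner.exe update.piriform.example 443
2017-09-01T10:20:41 ccleaner.exe 203.0.113.7 443
2017-09-01T10:21:00 firefox.exe www.example.net 443
"""

# Assumed allowlist of expected destinations for the monitored processes.
# Processes not listed here are not monitored: the point is to pin what a
# *trusted* app is allowed to talk to, not to model a browser.
EXPECTED: Dict[str, Set[str]] = {
    "ccleaner.exe": {"update.piriform.example", "stats.cloudflare.example"},
    "ccleaner64.exe": {"update.piriform.example", "stats.cloudflare.example"},
}


@dataclass(frozen=True)
class Conn:
    ts: str
    process: str
    dest: str
    port: int


def parse_log(text: str) -> List[Conn]:
    """Parse the constructed log format; reject malformed lines loudly."""
    conns: List[Conn] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        ts, proc, dest, port = parts
        conns.append(Conn(ts, proc.lower(), dest.lower(), int(port)))
    return conns


def baseline_from(conns: Iterable[Conn]) -> Dict[str, Set[str]]:
    """Learn a per-process destination set from a window believed to be clean.

    This is the alternative when no hand-written allowlist exists: record what
    each process contacted while it was known-good, then alert on anything new.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for c in conns:
        seen[c.process].add(c.dest)
    return dict(seen)


def unexpected_connections(
    conns: Iterable[Conn], expected: Dict[str, Set[str]] = EXPECTED
) -> List[Conn]:
    """Return connections from monitored processes to destinations outside
    their allowlist. A valid signature or whitelisting status plays no part
    in the decision, which is exactly why this survives a signed, trojanised
    build."""
    return [c for c in conns if c.process in expected and c.dest not in expected[c.process]]


def describe(flagged: Iterable[Conn]) -> List[str]:
    """Human-readable alert lines for the flagged connections."""
    return [f"{c.ts} {c.process} -> {c.dest}:{c.port} not in allowlist" for c in flagged]


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    # Static allowlist: flags the ccleaner.exe connection to 203.0.113.7.
    for line in describe(unexpected_connections(conns)):
        print(line)
    # Learned baseline from the first three (clean) lines, then evaluate the rest.
    learned = baseline_from(conns[:3])
    for line in describe(unexpected_connections(conns[3:], learned)):
        print("baseline:", line)
```

The static allowlist is the strict form (you state what the tool may contact); the learned baseline is the practical form on a fleet where nobody has written that list yet. Either way, a signed update that quietly adds a new destination shows up on the first connection rather than a month later when a signature finally ships.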
 
Joined
Jul 26, 2014
Messages
12
#39
A real quick and dirty look-see into the CCleaner malware:

I just got a refund on Pro version...The update feature didn't work......Manual or automatic...I think the popularity of the product comes from the fact that the basic scan excludes the registry..If you use the registry cleaner it becomes just another system Mechanic with the same negatives.....As far as I can tell any registry cleaner is unsafe..Correct me if I'm wrong..
 
Joined
Apr 28, 2018
Messages
11
OS
MacOS High Sierra
Antivirus
Sophos
#40
You're right! Messing with Windows registry was never a very good option :sneaky:
 