Video Review The Horror of CCleaner

Discussion in 'Video Reviews' started by cruelsister, Sep 23, 2017.

  1. seanss

    seanss Level 1

    Aug 8, 2016
    32
    125
    USA
Hey! I had this on one of my machines. The CCleaner malware was actually pretty benign in what it did. It's freaking insane that somebody was actually able to get Piriform to sign infected versions of their software FROM THEIR WEBSITE, but that aside it wasn't too bad. First, the malware was only downloaded around August. I don't remember when exactly, but it was only on Piriform's site for a month or two. Also, the infected version was ccleaner.exe, but ccleaner installed ccleaner.exe AND ccleaner64.exe onto the computer-- ccleaner64 was not infected. So, on all 64-bit machines, clicking CCleaner from the Start menu or desktop would open ccleaner64.exe by default. Luckily I was one of those ones and didn't get infected. So, unless you had a 32-bit machine or deliberately went into ccleaner's Program Files directory and clicked the 32-bit version, you wouldn't have been infected. And lastly, from what I have heard the attackers used the malware to collect personally identifiable information from machines, not drop payloads.
     
  2. seanss

    seanss Level 1

    Aug 8, 2016
    32
    125
    USA
    Well, actually, even Windows Defender detected the malicious version of CCleaner, so a lot of people were protected.
     
  3. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,701
    11,829
    AppGuard LLC Virginia, U.S.
    #23 Lockdown, Oct 22, 2017
    Last edited: Oct 22, 2017
    That was a month after the malicious CCleaner was released. Embedded malicious code in a trusted & whitelisted program will bypass security softs until that program is blacklisted.

    It's a foolproof bypass method.
     
  4. cruelsister

    cruelsister Level 32
    Trusted

    Apr 13, 2013
    2,131
    12,418
    NYC
There was indeed no defense for it, at least the initial installation. This was a high quality hack- a legitimately signed application was downloaded from a company-specific (and also legitimate) server. This meant that those responsible had both the Private Key to sign and the FTP credentials to upload the file. Doing both is not an easy thing to do (nor inexpensive).

    Creating a test of this malware versus anything is rather pointless now as everyone and their Cat knows about it, and saying "My AV detects it now!" is equally without value. Remember that the initial detection was by someone stumbling on to a connection to a California server that had hosted malware in the past, and this after a month- by this time the actual payloads had been uploaded to those targeted. From Zero day to D+30 no security product detected anything. It can't be said enough that this was a targeted attack against the likes of Samsung, Intel, VMware, etc and NOT something that peons like us need to worry about.

What we DO need to worry about (and why I did the video) is that this was the best public example of the Nightmare Scenario- that being a trusted application from a trusted source gone rogue. There is nothing at all we can do to defend ourselves from stuff like this, but instead this demonstrates the Half-assed manner in which both credentials for Trusted Certificates and FTP logon credentials are secured. That should darken anyone's day.
     
  5. 212eta

    212eta Level 7

    May 11, 2011
    304
    736
    Windows Desktop
    Windows 10
    Isolation
    #25 212eta, Oct 23, 2017
    Last edited: Oct 23, 2017
    Meanwhile, Antivirus-Fanboys are Still quarreling over their Toys...:ROFLMAO:
     
    Pelocha and XhenEd like this.
  6. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,701
    11,829
    AppGuard LLC Virginia, U.S.
    #26 Lockdown, Oct 25, 2017
    Last edited: Oct 25, 2017
    For months people on the forums freaked out over Double Pulsar\Eternal Blue - a threat to virtually none of the people freaking out about it. In comparison, Evil Cleaner (EC) - being immensely popular and widely distributed - has been a footnote on the forums despite potentially being a much more pernicious threat. Just shows you people don't understand threat fundamentals. They don't get it (I think because they don't read and\or the only objective is playing with security softs like children play with toys).

Even if Evil Cleaner had been 100% fully functional and included x64, poll 100 random security forum members which was worse from an overall security threat perspective - EB\DP or EC - and I can absolutely guarantee that the vast majority of people would reply EB\DP.
     
    mlnevese, XhenEd and harlan4096 like this.
  7. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    614
    2,878
    Holland
    Windows 7
    Default-Deny
    I wonder how many people stopped using CCleaner? On this forum about half of the users did not trust CCleaner any more. But in the real world outside the security forum geeks and nerds, how many people would really care and change their cleaner of choice?

    I think the closing words of a classic movie apply: Frankly my dear ...
     
  8. mlnevese

    mlnevese Level 10

    May 3, 2015
    474
    1,970
    Windows 10
    Kaspersky
    #28 mlnevese, Nov 1, 2017
    Last edited: Nov 1, 2017
I believe in the real world most people have not heard of it at all... I'll bet their loss of clients was minimal to non-existent. Notice I'm referring to paying customers not those using the free version.
     
    bribon77, Opcode and Windows_Security like this.
  9. Av Gurus

    Av Gurus Level 28
    Trusted AV Tester

    Sep 22, 2014
    1,718
    10,648
    Testing security programs
    Earth
    Windows 10
I add CCleaner on my virtual PC and disable the option: Automatically check for updates
Then install GlassWire and it shows me that CCleaner is still checking for updates. WTF?! :unsure:

     
    upnorth, harlan4096 and Sunshine-boy like this.
  10. Lightning_Brian

    Lightning_Brian Level 7

    Sep 1, 2017
    334
    1,697
    Information Technology
    USA
    Windows 10
    Norton
    Interesting thread! I will say that I'm still using my lifetime pro version of this software. Luckily, I was not affected by the malicious version of this software. I don't always use the most updated version of the software and I mainly keep it on a thumb drive for cleanups. @Av Gurus I too have noticed that even after clicking off the auto-update something fishy was occurring. That is why I moved towards the portable version of this software.

I will mention that I'm currently looking at Wise Cleaner 365 Pro as well after the recent hiccup. However, I wouldn't recommend everyone to quit "cold turkey" here. (Just my humble opinion for what it is worth.)

If people are quite worried one can get the portable version for free as well - no strings attached there. From there, you know that it is not always on your system and it cannot do anything anywhere near as malicious - that I am aware of. If you are worried you have a bad version of it, lock down your system so the USB cannot read, write, or execute and wipe out the USB flash drive and put the latest on. Needless to say, portable versions of some software are quite nice to have - ease of use between multiple computers too. Just have to weigh the pros and cons.

    It is good to be security aware and minded! Thanks for creating this thread @cruelsister !
     
  11. TairikuOkami

    TairikuOkami Level 8
    Content Creator

    May 13, 2017
    378
    1,596
    Postal Worker
    Slovakia
    Windows 10
Avast has decided to go Microsoft's way, it will check and force security updates, since checking for updates does not update the free version.
    Code:
    schtasks /DELETE /TN "CCleaner Update" /f
     
    upnorth and lowdetection like this.
  12. Peter2150

    Peter2150 Level 6

    Oct 24, 2015
    279
    809
    Washington DC
    Windows 7
    Emsisoft
I went back and tested this thing. There was one clue, but I doubt many would have paid attention then. I do now. The clue was after 10 minutes a firewall alert on an outbound request for which there was no valid reason.
     
  13. boredog

    boredog Level 8

    Jul 5, 2016
    389
    814
    Retired
    usa
    Windows 10
    Malwarebytes
I do not allow any connection for CC anymore.
     
    plat1098 and bribon77 like this.
  14. Av Gurus

    Av Gurus Level 28
    Trusted AV Tester

    Sep 22, 2014
    1,718
    10,648
    Testing security programs
    Earth
    Windows 10
    bribon77 likes this.
  15. boredog

    boredog Level 8

    Jul 5, 2016
    389
    814
    Retired
    usa
    Windows 10
    Malwarebytes
No need, my current TinyWall blocks all connections, as per Wireshark.
     
  16. paulderdash

    paulderdash Level 3

    Apr 28, 2015
    121
    331
    In the æther ...
Those concerned about the CCUpdate.exe, just use the portable version, no CCUpdate.exe exists.
     
    plat1098, bribon77 and XhenEd like this.
  17. cruelsister

    cruelsister Level 32
    Trusted

    Apr 13, 2013
    2,131
    12,418
    NYC
Paul- Even with the Portable version you will still get an initial connection to the main Piriform site (not readily apparent- this is to verify that you are using the current version), and if CCleaner was never installed on the system in the past you will also get a one-time connection to a Cloudflare server that is used for statistical purposes.

    UpNorth- We should just be thankful that this was targeted. If it wasn't all CCleaner users would be toast.
     
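As an added example (not code from this thread, from Piriform, or from any poster), the clue Peter2150 describes (an outbound request with no valid reason) and the expected connections cruelsister lists (the main Piriform site, a one-time Cloudflare server) can be combined into a small audit: a per-application allowlist of destinations run over firewall log lines. The log format, the domain names in the allowlist and all sample lines are constructed assumptions for this example.

```python
import ipaddress
import re

# Expected egress per trusted process. The thread reports that even portable
# CCleaner contacts the main Piriform site and, once, a Cloudflare server; the
# exact domains here are assumptions for the example, not vendor data.
EXPECTED_DESTINATIONS = {
    "ccleaner.exe": {"piriform.com", "cloudflare.com"},
    "ccleaner64.exe": {"piriform.com", "cloudflare.com"},
}

# Constructed firewall log format: "<timestamp> <process> -> <host>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)$")

def _allowed(dst, allowed):
    """True if dst is one of the expected domains or a subdomain of one."""
    return any(dst == d or dst.endswith("." + d) for d in allowed)

def audit(lines):
    """Return (timestamp, process, destination, reason) for every connection
    by a trusted process that its expected destinations do not explain."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the audit
        proc, dst = m["proc"].lower(), m["dst"].lower()
        if proc not in EXPECTED_DESTINATIONS:
            continue  # only the trusted application is audited here
        try:
            ipaddress.ip_address(dst)
            reason = "direct connection to a raw IP address"
        except ValueError:
            if _allowed(dst, EXPECTED_DESTINATIONS[proc]):
                continue
            reason = "host not among the application's expected destinations"
        findings.append((m["ts"], proc, dst, reason))
    return findings

# Constructed sample: two expected connections, two that deserve a closer look,
# and one from an unrelated process that this audit ignores.
SAMPLE_LOG = [
    "2017-08-15T10:00:01 ccleaner64.exe -> update.piriform.com:443",
    "2017-08-15T10:00:02 ccleaner64.exe -> stats.cloudflare.com:443",
    "2017-08-15T10:10:07 ccleaner.exe -> 198.51.100.23:443",
    "2017-08-15T10:10:09 ccleaner.exe -> telemetry.not-piriform.example:443",
    "2017-08-15T10:11:00 chrome.exe -> 203.0.113.5:443",
]
```

Running `audit(SAMPLE_LOG)` reports only the two ccleaner.exe connections; a look-alike domain such as `evilpiriform.com` is not treated as a subdomain because the check requires the dot boundary.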