App Review The Horror of CCleaner

[seanss]

A real quick and dirty look-see into the CCleaner malware:

Hey! I had this on one of my machines. The CCleaner malware was actually pretty benign in what it did. It's freaking insane that somebody was actually able to get Piriform to sign infected versions of their software FROM THEIR WEBSITE, but that aside it wasn't too bad. First, the malware was only downloaded around August. I don't remember when exactly, but it was only on Piriform's site for a month or two. Also, the infected version was ccleaner.exe, but ccleaner installed ccleaner.exe AND ccleaner64.exe onto the computer-- ccleaner64 was not infected. So, on all 64-bit machines, clicking CCleaner from the Start menu or desktop would open ccleaner64.exe by default. Luckily I was one of those ones and didn't get infected. So, unless you had a 32-bit machine or deliberately went into ccleaer's ProgramFiles directory and clicked the 32-bit version, you wouldn't have been infected. And lastly, from what I have heard the attackers used the malware to collect personally identifiable information from machines, not drop payloads.

 

[seanss]

The fundamental issue is not specific to CCleaner.

It doesn't much matter what security software you have installed if it employs the concept of trusting files and processes based upon widely accepted criteria.

Well, actually, even Windows Defender detected the malicious version of CCleaner, so a lot of people were protected.

 

[509322]

Well, actually, even Windows Defender detected the malicious version of CCleaner, so a lot of people were protected.

That was a month after the malicious CCleaner was released. Embedded malicious code in a trusted & whitelisted program will bypass security softs until that program is blacklisted.

It's a foolproof bypass method.

 

[cruelsister]

There was indeed no defense for it, at least the initial installation. This was a high quality hack- a legitimately signed application was downloaded from a company specific (and also legitimate) server. This meant that those responsible had both the Private Key to sign and the FTP credentials to upload the file. Doing both is not an easy thing to do (nor inexpensive).

Creating a test of this malware versus anything is rather pointless now as everyone and their Cat knows about it, and saying "My AV detects it now!" is equally without value. Remember that the initial detection was by someone stumbling on to a connection to a California server that had hosted malware in the past, and this after a month- by this time the actual payloads had been uploaded to those targeted. From Zero day to D+30 no security product detected anything. It can't be said enough that this was a targeted attack against the likes of Samsung, Intel, VMware, etc and NOT something that peons like us need to worry about.

What we DO need to worry about (and why I did the video) is that this was the best public example of the Nightmare Scenario- that being a trusted application from a trusted source gone rogue. There is nothing at all we can do to defend ourselves form stuff like this, but instead this demonstrates the Half-assed manner in which both credentials for Trusted Certificates and FTP logon credentials are secured. That should darken anyone's day.

 

[212eta]

From Zero day to D+30, no security product detected anything.

Meanwhile, Antivirus-Fanboys are Still quarreling over their Toys...

 

[509322]

There was indeed no defense for it, at least the initial installation. This was a high quality hack- a legitimately signed application was downloaded from a company specific (and also legitimate) server. This meant that those responsible had both the Private Key to sign and the FTP credentials to upload the file. Doing both is not an easy thing to do (nor inexpensive).

Creating a test of this malware versus anything is rather pointless now as everyone and their Cat knows about it, and saying "My AV detects it now!" is equally without value. Remember that the initial detection was by someone stumbling on to a connection to a California server that had hosted malware in the past, and this after a month- by this time the actual payloads had been uploaded to those targeted. From Zero day to D+30 no security product detected anything. It can't be said enough that this was a targeted attack against the likes of Samsung, Intel, VMware, etc and NOT something that peons like us need to worry about.

What we DO need to worry about (and why I did the video) is that this was the best public example of the Nightmare Scenario- that being a trusted application from a trusted source gone rogue. There is nothing at all we can do to defend ourselves form stuff like this, but instead this demonstrates the Half-assed manner in which both credentials for Trusted Certificates and FTP logon credentials are secured. That should darken anyone's day.

For months people on the forums freaked out over Double Pulsar\Eternal Blue - a threat to virtually none of the people freaking out about it. In comparison, Evil Cleaner (EC) - being immensely popular and widely distributed - has been a footnote on the forums despite potentially being a much more pernicious threat. Just shows you people don't understand threat fundamentals. They don't get it (I think because they don't read and\or the only objective is playing with security softs like children play with toys).

Even if Evil Cleaner had been 100 % fully functional and included x64, poll 100 random security forum members which was worse from an overall security threat perspective - EB\DP or EC - and I can absolutely guarantee that the vast majority of people would reply EB\DP.

 

[Windows_Security]

I wonder how many people stopped using CCleaner? On this forum about half of the users did not trust CCleaner any more. But in the real world outside the security forum geeks and nerds, how many people would really care and change their cleaner of choice?

I think the closing words of a classic movie apply: Frankly my dear ...

 

[mlnevese]

I wonder how many people stopped using CCleaner? On this forum about half of the users did not trust CCleaner any more. But in the real world outside the security forum geeks and nerds, how many people would really care and change their cleaner of choice?

I think the closing words of a classic movie apply: Frankly my dear ...

I believe in the real world most people have not heard of it at all... I'll bet their loss of clients was minimum to non-existent. Notice I'm referring to paying customers not those using the free version.

 

[Av Gurus]

I add CClenaer on my virtual PC and disable options: Automatically check for updates
Then install GlassWire and it show me that CCleaner is still checking for update. WTF?!

 

[Lightning_Brian]

Interesting thread! I will say that I'm still using my lifetime pro version of this software. Luckily, I was not affected by the malicious version of this software. I don't always use the most updated version of the software and I mainly keep it on a thumb drive for cleanups. @Av Gurus I too have noticed that even after clicking off the auto-update something fishy was occurring. That is why I moved towards the portable version of this software.

I will mention that I'm currently looking at Wise Cleaner 365 Pro as well after the recent hickup. However, I wouldn't recommend everyone to quite "cold turkey" here. (Just my humble opinion for what it is worth.)

If people are quite worried one can get the portable version for free as well - no strings attached there. From there, you know that it is not always on your system and it cannot do anything as near as malicious - that I am aware of. If you are worried you have a bad version of it, lock down your system so the USB cannot read, write, or execute and wipe out the USB flash drive and put the latest on. Needless to say, portable versions of some software is quite nice to have - ease of use between multiple computers too. Just have to weigh the pros and cons.

It is good to be security aware and minded! Thanks for creating this thread @cruelsister !

 

[TairikuOkami]

I add CClenaer on my virtual PC and disable options: Automatically check for updates
Then install GlassWire and it show me that CCleaner is still checking for update. WTF?!

Avast has decided to go Microsoft' way, it will check and force security updates, since checking for updates does not update the free version.

schtasks /DELETE /TN "CCleaner Update" /f

 

[Peter2150]

I went back and tested this thing. There was one clue, but I doubt much would have paid attention then. I do now. The clue was after 10 minutes a firewall alert on an outbound request for which there was no valid reason.

 

[boredog]

I add CClenaer on my virtual PC and disable options: Automatically check for updates
Then install GlassWire and it show me that CCleaner is still checking for update. WTF?!

View attachment 171947

I do not allow any connection for CC anymore.

 

[Av Gurus]

I do not allow any connection for CC anymore. View attachment 171948 View attachment 171949

I think you should add CCUpdate.exe to the Firewall block, as this is try to go out (by GlassWire)

 

[boredog]

I think you should add CCUpdate.exe to the Firewall block, as this is try to go out (by GlassWire)

View attachment 171952 View attachment 171953

No need my current Tiny wall blocks all connections as per Wireshark.

 

[paulderdash]

Those concerned about the CCUpdate..exe, just use the portable version, no CCUpdate.exe exists.

 

[upnorth]

Updated information from Talos : Cisco's Talos Intelligence Group Blog: CCleaner Command and Control Causes Concern

 

[cruelsister]

Paul- Even with the Portable version you will still get an initial connection to the main PiriForm site (not readily apparent- this is to verify that you are using the current version), and if CCleaner was never installed on the system in the past you will also get a One time connection to a CloudFlare server that is used for statistical purposes.

UpNorth- We should just be thankful that this was targeted. If it wasn't all CCleaner users would be toast.

 

[tomdy2k]

A real quick and dirty look-see into the CCleaner malware:

A real quick and dirty look-see into the CCleaner malware:

I just got a refund on Pro version...The update feature didn't work......Manual or automatic...I think the popularity of the product comes from the fact that the basic scan excludes the registry..If you use the registry cleaner it becomes just another system Mechanic with the same negatives.....As far as I can tell any registry cleaner is unsafe..Correct me if I'm wrong..

 

[gerinho]

You're right! Messing with Windows registry was never a very good option