App Review The Horror of CCleaner


seanss

Level 1
Verified
Aug 8, 2016
35
A real quick and dirty look-see into the CCleaner malware:


Hey! I had this on one of my machines. The CCleaner malware was actually pretty benign in what it did. It's freaking insane that somebody was actually able to get Piriform to sign infected versions of their software FROM THEIR WEBSITE, but that aside it wasn't too bad. First, the malware was only downloaded around August. I don't remember when exactly, but it was only on Piriform's site for a month or two. Also, the infected version was ccleaner.exe, but ccleaner installed ccleaner.exe AND ccleaner64.exe onto the computer-- ccleaner64 was not infected. So, on all 64-bit machines, clicking CCleaner from the Start menu or desktop would open ccleaner64.exe by default. Luckily I was one of those ones and didn't get infected. So, unless you had a 32-bit machine or deliberately went into ccleaner's ProgramFiles directory and clicked the 32-bit version, you wouldn't have been infected. And lastly, from what I have heard the attackers used the malware to collect personally identifiable information from machines, not drop payloads.
 

seanss

Level 1
Verified
Aug 8, 2016
35
The fundamental issue is not specific to CCleaner.

It doesn't much matter what security software you have installed if it employs the concept of trusting files and processes based upon widely accepted criteria.
Well, actually, even Windows Defender detected the malicious version of CCleaner, so a lot of people were protected.
 
5

509322

Well, actually, even Windows Defender detected the malicious version of CCleaner, so a lot of people were protected.

That was a month after the malicious CCleaner was released. Embedded malicious code in a trusted & whitelisted program will bypass security softs until that program is blacklisted.

It's a foolproof bypass method.
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
There was indeed no defense for it, at least the initial installation. This was a high quality hack- a legitimately signed application was downloaded from a company specific (and also legitimate) server. This meant that those responsible had both the Private Key to sign and the FTP credentials to upload the file. Doing both is not an easy thing to do (nor inexpensive).

Creating a test of this malware versus anything is rather pointless now as everyone and their Cat knows about it, and saying "My AV detects it now!" is equally without value. Remember that the initial detection was by someone stumbling on to a connection to a California server that had hosted malware in the past, and this after a month- by this time the actual payloads had been uploaded to those targeted. From Zero day to D+30 no security product detected anything. It can't be said enough that this was a targeted attack against the likes of Samsung, Intel, VMware, etc and NOT something that peons like us need to worry about.

What we DO need to worry about (and why I did the video) is that this was the best public example of the Nightmare Scenario- that being a trusted application from a trusted source gone rogue. There is nothing at all we can do to defend ourselves from stuff like this, but instead this demonstrates the Half-assed manner in which both credentials for Trusted Certificates and FTP logon credentials are secured. That should darken anyone's day.
 
5

509322

There was indeed no defense for it, at least the initial installation. This was a high quality hack- a legitimately signed application was downloaded from a company specific (and also legitimate) server. This meant that those responsible had both the Private Key to sign and the FTP credentials to upload the file. Doing both is not an easy thing to do (nor inexpensive).

Creating a test of this malware versus anything is rather pointless now as everyone and their Cat knows about it, and saying "My AV detects it now!" is equally without value. Remember that the initial detection was by someone stumbling on to a connection to a California server that had hosted malware in the past, and this after a month- by this time the actual payloads had been uploaded to those targeted. From Zero day to D+30 no security product detected anything. It can't be said enough that this was a targeted attack against the likes of Samsung, Intel, VMware, etc and NOT something that peons like us need to worry about.

What we DO need to worry about (and why I did the video) is that this was the best public example of the Nightmare Scenario- that being a trusted application from a trusted source gone rogue. There is nothing at all we can do to defend ourselves from stuff like this, but instead this demonstrates the Half-assed manner in which both credentials for Trusted Certificates and FTP logon credentials are secured. That should darken anyone's day.

For months people on the forums freaked out over Double Pulsar\Eternal Blue - a threat to virtually none of the people freaking out about it. In comparison, Evil Cleaner (EC) - being immensely popular and widely distributed - has been a footnote on the forums despite potentially being a much more pernicious threat. Just shows you people don't understand threat fundamentals. They don't get it (I think because they don't read and\or the only objective is playing with security softs like children play with toys).

Even if Evil Cleaner had been 100 % fully functional and included x64, poll 100 random security forum members which was worse from an overall security threat perspective - EB\DP or EC - and I can absolutely guarantee that the vast majority of people would reply EB\DP.
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
I wonder how many people stopped using CCleaner? On this forum about half of the users did not trust CCleaner any more. But in the real world outside the security forum geeks and nerds, how many people would really care and change their cleaner of choice?

I think the closing words of a classic movie apply: Frankly my dear ...
 

mlnevese

Level 26
Verified
Top Poster
Well-known
May 3, 2015
1,531
I wonder how many people stopped using CCleaner? On this forum about half of the users did not trust CCleaner any more. But in the real world outside the security forum geeks and nerds, how many people would really care and change their cleaner of choice?

I think the closing words of a classic movie apply: Frankly my dear ...

I believe in the real world most people have not heard of it at all... I'll bet their loss of clients was minimal to non-existent. Notice I'm referring to paying customers, not those using the free version.
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
I added CCleaner on my virtual PC and disabled the option "Automatically check for updates".
Then I installed GlassWire and it shows me that CCleaner is still checking for updates. WTF?! :unsure:

[attached screenshot: cc.jpg]
 

Lightning_Brian

Level 15
Verified
Top Poster
Content Creator
Sep 1, 2017
742
Interesting thread! I will say that I'm still using my lifetime pro version of this software. Luckily, I was not affected by the malicious version of this software. I don't always use the most updated version of the software and I mainly keep it on a thumb drive for cleanups. @Av Gurus I too have noticed that even after clicking off the auto-update something fishy was occurring. That is why I moved towards the portable version of this software.

I will mention that I'm currently looking at Wise Cleaner 365 Pro as well after the recent hiccup. However, I wouldn't recommend everyone to quit "cold turkey" here. (Just my humble opinion for what it is worth.)

If people are quite worried one can get the portable version for free as well - no strings attached there. From there, you know that it is not always on your system and it cannot do anything as near as malicious - that I am aware of. If you are worried you have a bad version of it, lock down your system so the USB cannot read, write, or execute and wipe out the USB flash drive and put the latest on. Needless to say, portable versions of some software is quite nice to have - ease of use between multiple computers too. Just have to weigh the pros and cons.

It is good to be security aware and minded! Thanks for creating this thread @cruelsister !
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
I added CCleaner on my virtual PC and disabled the option "Automatically check for updates".
Then I installed GlassWire and it shows me that CCleaner is still checking for updates. WTF?! :unsure:
Avast has decided to go Microsoft's way: it will check for and force security updates, since checking for updates does not update the free version.
Code:
schtasks /DELETE /TN "CCleaner Update" /f
 
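The posts above raise four concrete checks a defender can make on a Windows box: which of ccleaner.exe / ccleaner64.exe the Start menu shortcut actually launches, whether each binary carries a valid Authenticode signature (and from whom), whether the "CCleaner Update" scheduled task still exists after auto-update is disabled, and what outbound connections a running CCleaner process owns. The script below is an added example written for this thread, not code from any poster or from Piriform; it assumes the default install directory under Program Files and the task name quoted in the post above, and it reports findings rather than changing anything. A valid signature only proves who signed the file, which is exactly why it did not help in this case; the SHA-256 column is there so you can compare against the vendor's published hashes, none of which are included here.

```powershell
# Added example (not from the thread). Read-only inventory of CCleaner artefacts.
# Assumed: default install path and the task name "CCleaner Update" from the post above.
$installDir = Join-Path $env:ProgramFiles 'CCleaner'
$binaries   = 'CCleaner.exe', 'CCleaner64.exe'

# 1. Which binary does the Start menu shortcut launch?
#    (On x64 the shortcut normally points at CCleaner64.exe, as noted earlier in the thread.)
$shell     = New-Object -ComObject WScript.Shell
$menuRoot  = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$shortcuts = Get-ChildItem -Path $menuRoot -Recurse -Filter 'CCleaner*.lnk' -ErrorAction SilentlyContinue
foreach ($lnk in $shortcuts) {
    $target = $shell.CreateShortcut($lnk.FullName).TargetPath
    "Shortcut {0} -> {1}" -f $lnk.Name, $target
}

# 2. Signature, version and hash of each binary. Status 'Valid' means the signer's
#    certificate chained correctly; it says nothing about whether the code is clean.
foreach ($name in $binaries) {
    $path = Join-Path $installDir $name
    if (-not (Test-Path -Path $path)) { "$name : not present"; continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        File      = $name
        Version   = (Get-Item -Path $path).VersionInfo.FileVersion
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash  # compare with vendor-published hashes
    }
}

# 3. The scheduled task behind the "still checking for updates" observation.
$task = Get-ScheduledTask -TaskName 'CCleaner Update' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    "Task '{0}' state: {1}; actions: {2}" -f $task.TaskName, $task.State, $actions
} else {
    "No 'CCleaner Update' scheduled task found"
}

# 4. Outbound TCP connections currently owned by any running CCleaner process
#    (the kind of traffic the firewall alert mentioned later in the thread would flag).
$procs = Get-Process -Name 'CCleaner*' -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Process'; e = { $p.ProcessName } }, RemoteAddress, RemotePort, State
}
```

Run it from an elevated PowerShell session so Get-ScheduledTask and Get-NetTCPConnection can see system-level tasks and sockets. If the task is present even though the GUI option is off, that is the behaviour the posts describe; removing it with the schtasks line above is the poster's fix, while this script only tells you whether it is there.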

Peter2150

Level 7
Verified
Oct 24, 2015
280
I went back and tested this thing. There was one clue, but I doubt much would have paid attention then. I do now. The clue was after 10 minutes a firewall alert on an outbound request for which there was no valid reason.
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Paul- Even with the Portable version you will still get an initial connection to the main Piriform site (not readily apparent- this is to verify that you are using the current version), and if CCleaner was never installed on the system in the past you will also get a one-time connection to a CloudFlare server that is used for statistical purposes.

UpNorth- We should just be thankful that this was targeted. If it wasn't all CCleaner users would be toast.
 

tomdy2k

Level 1
Jul 26, 2014
14
A real quick and dirty look-see into the CCleaner malware:


I just got a refund on the Pro version... The update feature didn't work... manual or automatic... I think the popularity of the product comes from the fact that the basic scan excludes the registry... If you use the registry cleaner it becomes just another System Mechanic with the same negatives... As far as I can tell any registry cleaner is unsafe... Correct me if I'm wrong...
 