Author Topic: ccleaner contained

Offline lyn

  • Comodo's Hero
  • *****
  • Posts: 300
ccleaner contained
« on: September 20, 2017, 04:18:13 PM »
Hi, the latest CCleaner (5.35.6210) installer is being contained. Any idea why?

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 531
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: ccleaner contained
« Reply #1 on: September 20, 2017, 04:22:18 PM »
Actually, Piriform is not maintained as a "Trusted Vendor". This was necessary so the malicious versions can be detected via signature, also with activated TVL.
« Last Edit: September 20, 2017, 04:24:17 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Umesh

  • Comodo Alumni
  • Comodo's Hero
  • *****
  • Posts: 3421
  • Comodo Alumni
    • COMODO
Re: ccleaner contained
« Reply #2 on: September 20, 2017, 04:24:41 PM »
That's right. We will be whitelisting latest verified versions shortly.

Quote from: pio
> Actually, Piriform is not maintained as a "Trusted Vendor". This was necessary so the malicious versions can also be detected with activated TVL.
We can't stop malware entering a user's PC, but we render it useless when it enters the PC: Welcome to Comodo's Default Deny innovation

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 531
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: ccleaner contained
« Reply #3 on: September 20, 2017, 04:28:31 PM »
Quote from: Umesh
> That's right. We will be whitelisting latest verified versions shortly.

 :-TU :-TU :-TU  ;)

Offline languy99

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3981
Re: ccleaner contained
« Reply #4 on: September 20, 2017, 07:56:20 PM »
So this security breach was a major let down for me on Comodo. I had the infected file on my computer for over a month and not a peep from it. I always thought, what could a security program do to protect users against signed infected files? There should still be something that could be done, maybe a behavior blocker?
http://www.youtube.com/languy99

Software Reviews for all.

Follow me on Twitter http://twitter.com/#!/languy99

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 531
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: ccleaner contained
« Reply #5 on: September 20, 2017, 08:10:55 PM »
Quote from: languy99
> So this security breach was a major let down for me on Comodo. I had the infected file on my computer for over a month and not a peep from it. I always thought, what could a security program do to protect users against signed infected files? There should still be something that could be done, maybe a behavior blocker?

Comodo products already have such features integrated. Unfortunately, with trustworthy files + activated TVL, the CAV, HIPS and the FW are completely out of action. What Viruscope does, I don't know. But I think a solution or improvement against such special cases is already being worked on. I am very sure that Umesh and the other developers will manage this!  ;)

***Edit:***   It would be interesting to know if there were any warnings from CIS and CCAV if the malicious installer was started as untrusted or unknown. Of course, the containment should not be activated.
« Last Edit: September 20, 2017, 08:32:46 PM by pio »

Offline languy99

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3981
Re: ccleaner contained
« Reply #6 on: September 20, 2017, 08:27:18 PM »
Basically, the theory of good, bad and unknown files has to go out the window. It should be bad, unknown, and "good now but could change in the future", or just bad and unknown. What is needed is a true behavior blocker that watches the whole system, including safe files and everything.

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 531
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: ccleaner contained
« Reply #7 on: September 20, 2017, 08:35:13 PM »
I think it would be best to find a solution that uses the still existing protection mechanisms.

This could be helpful in some cases:

Quote from: Umesh
> Hi, Correct.
>
> TVL is enabled by default, so any user who disables it will be the only user who would see a performance impact. So if one of the options you propose is that, even if TVL is enabled, the user can see the actual non-TVL rating of a file, it will end up putting performance overhead on all users.
>
> But if we decide to create a server-side blacklist of hashes, it will be small and scanning through that for a given file will be very quick.
>
> Thanks
> -umesh
« Last Edit: September 20, 2017, 09:00:45 PM by pio »

Offline ZorKas

  • Comodo's Hero
  • *****
  • Posts: 977
Re: ccleaner contained
« Reply #8 on: September 21, 2017, 01:48:52 AM »
Hello,
In the case of a machine infected with CCleaner, the following registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo
is created.

So check in the registry editor, and if it is present, delete the Agomo key.
--------------------------------------
Category: Backdoor

Description: This program provides remote access to the computer on its workstation.

Recommended Action: Remove this software immediately.

Elements:
taskscheduler:C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
file:C:\Program Files\CCleaner\CCleaner.exe
file:C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
uninstall:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CCleaner
regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DCE4767-2B66-466F-B3D1-6F1EBE9F939E}
regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC
regkey:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CCleaner
« Last Edit: September 21, 2017, 01:53:51 AM by ZorKas »

Offline mike6688

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2105
Re: ccleaner contained
« Reply #9 on: September 21, 2017, 10:15:18 AM »
Quote from: languy99
> So this security breach was a major let down for me on Comodo. I had the infected file on my computer for over a month and not a peep from it. I always thought, what could a security program do to protect users against signed infected files? There should still be something that could be done, maybe a behavior blocker?
Quote from: pio
> I think it would be best to find a solution that uses the still existing protection mechanisms.
>
> This could be helpful in some cases:


Not just Comodo though. All other AVs also allowed this file to run without checking, including Kaspersky, Avira, etc. In fact, I think the only AV that detected the CCleaner.exe installer was ESET, and that was only because the installer has a bundled toolbar. This is a downside of automatically trusting signed files: malware that has a trusted certificate will run. I know it's difficult for these companies to analyse every single file by a human, which is why a lot of the file ratings are automated. Perhaps antivirus vendors need to be more thorough when analysing files from 'trusted' vendors. You never know when they can no longer be trusted, or their systems are compromised as in this case.

Quote from: ZorKas
> Hello,
> In the case of a machine infected with CCleaner, the following registry key
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo
> is created.
>
> So check in the registry editor, and if it is present, delete the Agomo key.
> --------------------------------------
> Category: Backdoor
>
> Description: This program provides remote access to the computer on its workstation.
>
> Recommended Action: Remove this software immediately.
>
> Elements:
> taskscheduler:C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
> file:C:\Program Files\CCleaner\CCleaner.exe
> file:C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
> uninstall:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CCleaner
> regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DCE4767-2B66-466F-B3D1-6F1EBE9F939E}
> regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC
> regkey:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CCleaner

If you have that registry key, the malware has executed. If that key isn't present, the malware never executed. Uninstalling or updating CCleaner won't remove that registry key, however, although it will remove the backdoor contained in the program.
Volunteer Moderator: Opinions are my own and may not reflect those of Comodo.  Please read and abide by the forum policy!
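As an added example (not code from the thread, from ZorKas, or from Comodo), here is a read-only PowerShell check for the elements in the report ZorKas posted, applying mike6688's rule that the Agomo key is present only if the malware executed. The paths are taken from that report; the function name is mine, and it assumes an elevated PowerShell on the host being checked.

```powershell
# Added example, not from the thread or from Comodo: a read-only check for the
# elements listed in the report above. Assumes an elevated PowerShell on the host
# being checked; it deletes nothing. Per the thread, the Agomo key exists only if
# the backdoored build executed, and updating CCleaner does not remove it.

$agomoKey     = 'HKLM:\SOFTWARE\Piriform\Agomo'
$exePath      = 'C:\Program Files\CCleaner\CCleaner.exe'
$taskFile     = "$env:SystemRoot\System32\Tasks\CCleanerSkipUAC"
$taskTree     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CCleanerSkipUAC'
$uninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner'

function Test-AgomoIndicator {
    # Hypothetical helper name; returns one object describing what is present.
    $agomoPresent = Test-Path -LiteralPath $agomoKey
    $exePresent   = Test-Path -LiteralPath $exePath

    $result = [ordered]@{
        AgomoKeyPresent    = $agomoPresent
        AgomoValueNames    = @()
        CCleanerExePresent = $exePresent
        CCleanerExeVersion = $null
        SkipUacTaskFile    = Test-Path -LiteralPath $taskFile
        SkipUacTaskTree    = Test-Path -LiteralPath $taskTree
        UninstallEntry     = Test-Path -LiteralPath $uninstallKey
    }
    if ($agomoPresent) {
        # Record value names only; the key's existence is the indicator the thread describes.
        $result.AgomoValueNames = (Get-Item -LiteralPath $agomoKey).GetValueNames()
    }
    if ($exePresent) {
        # The thread says the 32-bit v5.33 build was the affected one; record what is installed.
        $result.CCleanerExeVersion = (Get-Item -LiteralPath $exePath).VersionInfo.FileVersion
    }
    [pscustomobject]$result
}

$r = Test-AgomoIndicator
$r | Format-List

if ($r.AgomoKeyPresent) {
    Write-Warning 'Agomo key found: the backdoored build has executed on this host.'
    Write-Warning 'Updating CCleaner will not remove this key; follow the report above (remove the software and the key).'
} else {
    Write-Output 'Agomo key not found: the backdoored build never executed here.'
}
```

The task-related entries are reported as present or absent only; the report lists them, but this check draws its verdict solely from the Agomo key as the thread does.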

Offline languy99

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3981
Re: ccleaner contained
« Reply #10 on: September 21, 2017, 11:03:19 AM »
Quote from: mike6688
> Not just Comodo though. All other AVs also allowed this file to run without checking, including Kaspersky, Avira, etc. In fact, I think the only AV that detected the CCleaner.exe installer was ESET, and that was only because the installer has a bundled toolbar. This is a downside of automatically trusting signed files: malware that has a trusted certificate will run. I know it's difficult for these companies to analyse every single file by a human, which is why a lot of the file ratings are automated. Perhaps antivirus vendors need to be more thorough when analysing files from 'trusted' vendors. You never know when they can no longer be trusted, or their systems are compromised as in this case.
>
> If you have that registry key, the malware has executed. If that key isn't present, the malware never executed. Uninstalling or updating CCleaner won't remove that registry key, however, although it will remove the backdoor contained in the program.

I heard the first to diagnose it was ClamAV, but anyway. Maybe a module in the Firewall that alerts the user when the program wants to make a connection to a website to send data, and shows through a WHOIS IP lookup the likely owner of that site? Maybe like a whitelist for IP addresses? And it could show the percentage of users who allowed or denied the connection.

Yes, it could not stop the file from getting on, but at least it could stop it from communicating, to keep your data safe.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 24707
Re: ccleaner contained
« Reply #11 on: September 21, 2017, 11:49:08 AM »
The problem with the infected build of CCleaner is also discussed in CCleaner v5.33 infected [split topic].

The cloud and the 64-bit versions were not affected; only the 32-bit version. Notice that CCleaner will install the 64-bit version automatically when you are using a 64-bit version of Windows.

Avast, the new owner, believes that a malicious payload was never downloaded to the users. It is best to update to the latest version, v5.35, which also has new signatures.

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 531
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: ccleaner contained
« Reply #12 on: September 21, 2017, 12:56:00 PM »
Quote from: mike6688
> Not just Comodo though. All other AVs also allowed this file to run without checking, including Kaspersky, Avira, etc.

Yes of course, this is true for every AV company! I didn't want to ignore this fact!  :)

Quote from: mike6688
> I think the only AV that detected the CCleaner.exe installer was ESET, and that was only because the installer has a bundled toolbar.

Yes again, I have given the same verdict on VT, also for the NEW version! A lot of famous download sites describe this version as "Adware"! The integrated "google-updater" also collects possibly sensitive information and sends it back to Google! The portable, slim version is free of such unwanted "add-ons" and such behaviour. >:-D So ... >>> https://www.virustotal.com/#/file/cbc2f423d035cf315ac724e61287420013c517cf3d95dbdfa673179436184e64/community

 
Quote from: mike6688
> Perhaps antivirus vendors need to be more thorough when analysing files from 'trusted' vendors.

For the 3rd time, YES!  ;)  But the companies who sign files simply must be even more attentive when they assign their certificates!!! So the whole unsightly thing could have been prevented. The daily routine of verifying files can become very dangerous in IT security.
« Last Edit: September 21, 2017, 06:47:20 PM by pio »

Offline Jamin4u

  • Comodo Family Member
  • ***
  • Posts: 94
Re: ccleaner contained
« Reply #13 on: September 23, 2017, 08:41:39 AM »
Is Piriform going to be added to the trusted vendors list anytime soon?

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 24707
Re: ccleaner contained
« Reply #14 on: September 23, 2017, 09:47:27 AM »
Quote from: Jamin4u
> Is Piriform going to be added to the trusted vendors list anytime soon?
That depends:
Quote from: Bogdan
> Hi yigido,
>
> This company was recently compromised. As a security measure we decided to keep it out of the TVL until all security aspects are clarified and all compromised certs revoked.
>
> Thanks,
> Bogdan

 