Author Topic: CCleaner v5.33 infected [split topic]  (Read 1859 times)

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 531
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
CCleaner v5.33 infected [split topic]
« on: August 16, 2017, 02:40:41 AM »
To all who want to install the latest version of CCleaner: I would not do that !!!

Official installer (version 5.33.00.6162) from >>> https://www.piriform.com/ccleaner/download/standard NOW, by my definition, CCleaner is a PUA.Adware.Dropper !!!  ;)

"ESET-NOD32" is fully right ! >>> https://www.virustotal.com/de/file/1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff/analysis/

- Spawned process "PF-Toolbar-2016.exe"

- Spawned process "GoogleUpdateSetup_1.3.21.169.exe" with commandline "/silent /install "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&appname=Google%20Toolbar&needsadmin=True&brand=PRFD&usagestats=0" /appargs "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&installerdata=d%3Dask%26h%3Dask2"" (UID: 00019116-00003100)
- Spawned process "GoogleUpdate.exe" with commandline "/silent /install "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&appname=Google%20Toolbar&needsadmin=True&brand=PRFD&usagestats=0" /appargs "appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&installerdata=d%3Dask%26h%3Dask2" (UID: 00019312-00002860)
- Spawned process "chrmstp.exe" with commandline "--configure-user-settings --verbose-logging --system-level --force-configure-user-settings" (UID: 00021907-00003896)
- Spawned process "chrmstp.exe" with commandline "--type=crashpad-handler /prefetch:7 --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=56.0.2924.87 --initial-client-data=0xe8

Google home calls:

POST /service/update2?w=6:lqUoHRTckXL6Jfjtry4_okCbNdn7CDvg04uDSkHFpVtdtwnMj2zqEyJUf0XIy5kwAXfdaYtyZsfj8N4MrZ3V_46gB5OopAsbaAOtSfWh97N8DkFHaV5A5BCBQtgezAkm4cK0m4pPfafZAiFcq7EswAD6UnhijPfzfWRozXC4qVP88i-5sZ6pSkQTbLdoTgEw9QqvhmVly_FB8twYmJH8KYBUTe1e0r0q4y-FPJVPJtXNlXN1PSkWRhS8R-0CBY5OK3Ixig_pq5ofZ_paTK-vdXQ048iZlB49FwvzJH4fMMjxxH9cfn4EZ3kghjbbsOwZi6B9DfQnuJEf6zDZSfC_0A HTTP/1.1
X-Old-UID: cnt=0
User-Agent: Google Update/1.3.21.169;winhttp;cup
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
If-Match: "vo8KejKBGMNrDf6Eick84_Xh_8w"
Host: tools.google.com
Content-Length: 489
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

POST /service/update2 HTTP/1.1
X-Old-UID: cnt=0
User-Agent: Google Update/1.3.21.169;winhttp
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: tools.google.com
Content-Length: 956
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

POST /service/update2 HTTP/1.1
X-Old-UID: cnt=0
User-Agent: Google Update/1.3.21.169;winhttp
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: tools.google.com
Content-Length: 559
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" version="1.3.21.169" shell_version="1.3.21.103" ismachine="1" sessionid="{BE6D1F76-A5D3-4D2E-9EF6-CC93C6D3D7BF}" installsource="otherinstallcmd" requestid="{9319C057-1D38-423A-BE42-ACFAB9B5DCAD}" dedup="cr"><os platform="win" version="5.1" sp="Service Pack 3" arch="x86"/><app appid="{430FD4D0-B729-4F61-AA34-91526481799D}" version="" nextversion="1.3.21.169" lang="" brand="PRFD" client=""><event eventtype="2" eventresult="1" errorcode="0" extracode1="0" install_time_ms="1593"/></app></request>

I don't want that spying behaviour and I don't want any Google apps on my machines !!! So I will not update my CCleaner anymore !!!
« Last Edit: September 18, 2017, 09:06:15 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline yigido

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 5691
  • COMODO Rocks!
    • Free Comodo Products!
Re: CCleaner v5.33 infected [split topic]
« Reply #1 on: August 16, 2017, 05:15:32 AM »
I updated my portable version and there is no problem in there  ;)
COMODO Cloud Antivirus
Firefox Quantum
Encrypt the web! Use HTTPS Everywhere..
Block spying ads and invisible trackers! Use Privacy Badger..

Offline pio

Re: CCleaner v5.33 infected [split topic]
« Reply #2 on: August 16, 2017, 03:14:47 PM »
I updated my portable version and there is no problem in there  ;)

Yeah, that's right !!!  :-TU The portable version doesn't have this behaviour !!! CHIP.de advertises the portable version as the "adware-free variant" !!!  ;)
« Last Edit: August 16, 2017, 03:21:02 PM by pio »

Offline Cassette

  • Comodo's Hero
  • *****
  • Posts: 226
Re: CCleaner v5.33 infected [split topic]
« Reply #3 on: August 16, 2017, 06:43:45 PM »
I've personally been updating with the portable version for quite some time now because the installed version added an "Upgrade" arrow on the main UI that isn't in the portable version. I believe it's a registry setting so once it's on there, changing over to the portable version won't make it go away.

Offline JoWa

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5577
  • I believe in doubt.
    • Evolutionary history of life
« Last Edit: September 18, 2017, 09:06:45 AM by JoWa »
Ubuntu 18.10 | Chrome 71β | HTTPS Everywhere | Privacy Badger
Forum Policy | Comodo Product Help

Offline pio

Re: CCleaner v5.33 infected [split topic]
« Reply #5 on: September 18, 2017, 12:50:06 PM »
Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

CCleaner Compromised to Distribute Malware for Almost a Month (Bleeping Computer)

CCleaner Malware Incident – What You Need to Know and How to Remove (Bleeping Computer)


One month after my first "superficial" analysis and initial assessment on VT , other analysts also seem to believe me !!!  ;) ;) ;)  :a0

To all who want to install the latest version of CCleaner: I would not do that !!!

Official installer (version 5.33.00.6162) from >>> https://www.piriform.com/ccleaner/download/standard NOW, by my definition, CCleaner is a PUA.Adware.Dropper !!!  ;) >>> https://www.virustotal.com/de/file/1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff/analysis/
« Last Edit: September 18, 2017, 01:29:33 PM by pio »

Offline yigido

Re: CCleaner v5.33 infected [split topic]
« Reply #6 on: September 18, 2017, 06:45:04 PM »
I am not surprised, but this one was very strange because a security company(!) called "Avast" bought Piriform, and then they got hacked. Their most popular software is now marked as "Adware/Malware" by vendors.
This is odd! Good job Avast and Piriform  :-TU

Offline pio

Re: CCleaner v5.33 infected [split topic]
« Reply #7 on: September 18, 2017, 08:29:39 PM »
I am not surprised, but this one was very strange because a security company(!) called "Avast" bought Piriform, and then they got hacked. Their most popular software is now marked as "Adware/Malware" by vendors.
This is odd! Good job Avast and Piriform  :-TU

Yeah, that's a disaster for both individual brand names and it will cost a lot of reputation. Symantec also carries a certain complicity, because they signed these files with their company name behind it !!!!! Surely some mistakes and omissions were made, but it seems some mistakes have also happened in the verification chain. Just very, very unpleasant !!!!!  >:(

Detailed analysis report of what the malware exactly does:

The suspicious code was hidden in the application's initialization code called CRT (Common Runtime) that is normally inserted during compilation by the compiler.

This modification performed the following actions before the main application's code:

  -  It decrypted and unpacked hardcoded shellcode (10 kB large); a simple XOR-based cipher was used for this.
  -  The result (16 kB in size) was a DLL (dynamic link library) with a missing MZ header.
  -  This DLL was subsequently loaded and executed in an independent thread.
  -  Afterwards, normal execution of the CRT code and the main CCleaner continued, resulting in the thread with the payload running in the background.

The code executed within that thread was heavily obfuscated to make its analysis harder (encrypted strings, indirect API calls, etc.). The suspicious code was performing the following actions:

  -  It stored certain information in the Windows registry key HKLM\SOFTWARE\Piriform\Agomo:
       MUID: randomly generated number identifying a particular system. Possibly also to be used as communication encryption key.
       TCID: timer value used for checking whether to perform certain actions (communication, etc.)
       NID: IP address of secondary CnC server
  -  Besides that, it collected the following information about the local system:
       -  Name of the computer
       -  List of installed software, including Windows updates
       -  List of running processes
       -  MAC addresses of first three network adapters
       -  Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.

All of the collected information was encrypted and encoded by base64 with a custom alphabet.
The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via an HTTPS POST request. There was also a [fake] reference to "Host: speccy.piriform.com" in communication.
The code then read a reply from the same IP address, providing it with the functionality to download a second stage payload from the aforementioned IP address. The second stage payload is received as a custom base64-encoded string, further encrypted by the same XOR-based encryption algorithm as all the strings in the first stage code. We have not detected an execution of the second stage payload and believe that its activation is highly unlikely.
In case the IP address becomes unreachable, a backup in the form of a DGA (domain name generator) activates and is used to redirect communication to a different location. Fortunately, these generated domains are not under the control of the attacker and do not pose any risk.
« Last Edit: September 18, 2017, 09:51:03 PM by pio »
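The wrapping the Avast report above describes for the second-stage payload (a custom-alphabet base64 layer over the same XOR-based cipher the first stage uses for its strings) is reversed by mapping the custom alphabet onto the standard one and then undoing the XOR. The Python below is an added example to show that workflow; it is not code from Avast, Piriform or anyone in this thread. The alphabet (`CUSTOM_ALPHABET`, here simply the standard table reversed) and the key (`XOR_KEY`) are placeholders chosen for the example, since the real values are not given on this page, and `looks_like_headerless_pe` is an assumed heuristic for the "DLL with a missing MZ header" the report mentions, not a check from the report. The sample payload is constructed.

```python
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# ASSUMED placeholders (not recovered from the real payload, which this thread
# does not give): a custom base64 alphabet and a short repeating XOR key.
CUSTOM_ALPHABET = STD_ALPHABET[::-1]
XOR_KEY = bytes.fromhex("5aa53c")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse, so one routine serves both ways."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def custom_b64decode(text: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Translate the custom alphabet onto the standard one, then let base64 decode it."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)          # restore padding if the sender stripped it
    return base64.b64decode(std, validate=True)


def custom_b64encode(raw: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    std = base64.b64encode(raw).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def unwrap_stage2(blob: str) -> bytes:
    """Reverse the described wrapping: custom base64 first, then the XOR layer."""
    return xor_bytes(custom_b64decode(blob), XOR_KEY)


def wrap_stage2(raw: bytes) -> str:
    """What the C2 side would do; used here only to build the constructed sample."""
    return custom_b64encode(xor_bytes(raw, XOR_KEY))


def looks_like_headerless_pe(data: bytes, window: int = 4096) -> bool:
    """Assumed heuristic for the 'DLL with a missing MZ header' in the report:
    no DOS stub at offset 0, but a PE signature early in the image.  The real
    first stage was 16 kB; the window is an assumed bound, not from the report."""
    return not data.startswith(b"MZ") and b"PE\x00\x00" in data[:window]


# Constructed sample: a fake headerless image with the PE signature at 0x80
# followed by the i386 machine type, then zero padding.
SAMPLE_STAGE2 = bytes(0x80) + b"PE\x00\x00" + b"\x4c\x01" + bytes(0x100)
SAMPLE_BLOB = wrap_stage2(SAMPLE_STAGE2)

if __name__ == "__main__":
    recovered = unwrap_stage2(SAMPLE_BLOB)
    print(len(SAMPLE_BLOB), "chars ->", len(recovered), "bytes; headerless PE:",
          looks_like_headerless_pe(recovered))
```

Once the real alphabet and key have been pulled from the first-stage code, only the two constants change; the translation-table approach also makes a wrong alphabet fail loudly (`validate=True` rejects any character that did not map onto the standard table) instead of silently producing garbage.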

Offline AlexNguyen

  • Newbie
  • *
  • Posts: 24
Re: CCleaner v5.33 infected [split topic]
« Reply #8 on: September 19, 2017, 02:34:51 AM »

One month after my first "superficial" analysis and initial assessment on VT , other analysts also seem to believe me !!!  ;) ;) ;)  :a0
It wasn't related to your discovery, I think. Its normal installer has always been bundled with 3rd-party apps; they also have a "slim" installer without 3rd-party/unwanted apps.
Edit: my bad, I read your post and its slim version again and I see something wrong too =))
« Last Edit: September 19, 2017, 02:37:34 AM by AlexNguyen »

Offline pio

Re: CCleaner v5.33 infected [split topic]
« Reply #9 on: September 19, 2017, 05:25:09 AM »
It wasn't related to your discovery, I think. Its normal installer has always been bundled with 3rd-party apps; they also have a "slim" installer without 3rd-party/unwanted apps.
Edit: my bad, I read your post and its slim version again and I see something wrong too =))

NP, .... !!!  ;) I just wanted to mention that my negative rating was a month ago. I recognized the same thing as ESET. Now ESET has changed the verdict for the worse! I have to do this too. As I mentioned, I only carried out a fast, superficial analysis. I believe that no one ever suspected this worst-case scenario! Until 3 days ago there were only 2 detections at VT, and the file was new to VT when I uploaded it over a month ago. And my negative judgment was the first and only one. No more and no less !!!  :)

The classification, which is now current, was discovered only by chance by some experts from Cisco Talos.
« Last Edit: September 19, 2017, 06:13:19 PM by pio »

Offline JoWa

Re: CCleaner v5.33 infected [split topic]
« Reply #10 on: September 19, 2017, 11:04:35 AM »

Offline Zbc

  • Product Translator
  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 758
Re: CCleaner v5.33 infected [split topic]
« Reply #11 on: September 19, 2017, 12:59:40 PM »
Comodo removed Piriform from the trusted vendor list?

Check it, guys.

Check the attachments. Nierozpoznany (Polish: Unrecognized)
« Last Edit: September 20, 2017, 04:38:27 PM by Zbc »

Offline yigido

Re: CCleaner v5.33 infected [split topic]
« Reply #12 on: September 19, 2017, 01:54:09 PM »
Comodo removed Piriform from the trusted vendor list?

Check it, guys.

Nierozpoznany (Polish: Unrecognized)
Because the infected executable of version 5.33 uses the legitimate digital signature of Piriform.
There are more than 700k users of the infected version. Many of them may be Comodo IS users; Comodo is doing the correct thing (if they removed it).
After Piriform's corrections, when there are no more infected users, Comodo may then consider adding that digital signature again.

Anyway, how can we trust Piriform (acquired by Avast) from now on?

Offline mike6688

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2105
Re: CCleaner v5.33 infected [split topic]
« Reply #13 on: September 19, 2017, 02:03:11 PM »
Comodo removed Piriform from the trusted vendor list?

Check it, guys.

Nierozpoznany (Polish: Unrecognized)

Detection has been added for the infected installer / files now also. As Yigido has said, the files were signed with a legitimate certificate, so it has been removed from the Trusted Vendors; otherwise Comodo would likely allow the infected file to run if a user has "Trust Applications signed by Trusted Vendors" checked.
This is why the malware escaped detection from all the other antivirus vendors for so long: it was trusted by everyone, as it was signed, so the AVs allowed it to run.
Volunteer Moderator: Opinions are my own and may not reflect those of Comodo.  Please read and abide by the forum policy!
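A triage check that ties together the indicators quoted in this thread: the affected builds from the Piriform notification (CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191, 32-bit), the HKLM\SOFTWARE\Piriform\Agomo values from the Avast write-up, the fake "Host: speccy.piriform.com" sent to a raw IP in the masked 216.126.x.x range, and the SHA-256 pio submitted to VirusTotal earlier in the thread. It also follows the point made in the post above: the Piriform signature on the bad file was valid, so the check deliberately never consults the signature and decides on version and hash alone. This Python is an added example, not a Comodo, Piriform or Avast tool. The input shapes (inventory dicts, a registry dict as parsed from an exported .reg, one-line proxy records) are assumptions, and all sample data is constructed; in particular 216.126.0.1 is a placeholder inside the masked /16 and is not the real C2 address, which the Avast report never disclosed.

```python
import ipaddress
import re

# Indicators as quoted in this thread (Piriform notification, Avast write-up).
# The C2 address was published masked as 216.126.x.x, so only the /16 is usable.
AFFECTED_BUILDS = {
    ("CCleaner", (5, 33, 6162)),
    ("CCleaner Cloud", (1, 7, 3191)),
}
AGOMO_KEY = r"HKLM\SOFTWARE\Piriform\Agomo"
AGOMO_VALUES = ("MUID", "TCID", "NID")
FAKE_HOST = "speccy.piriform.com"
C2_NET = ipaddress.ip_network("216.126.0.0/16")
# SHA-256 of the installer pio submitted to VirusTotal earlier in this thread.
SUBMITTED_SHA256 = "1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff"


def normalize_version(version: str) -> tuple:
    """Fold the file-version form '5.33.00.6162' and the product form
    '5.33.6162' onto one tuple so both spellings used in the thread compare equal."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) == 4 and parts[2] == 0:
        del parts[2]
    return tuple(parts)


def is_affected_build(product: str, version: str, arch: str = "x86") -> bool:
    """Piriform's notification scopes the problem to the 32-bit builds.
    The Authenticode signature is deliberately not consulted: it was valid on the bad file."""
    return arch == "x86" and (product, normalize_version(version)) in AFFECTED_BUILDS


def inventory_findings(inventory: list) -> list:
    findings = []
    for item in inventory:
        if is_affected_build(item["product"], item["version"], item.get("arch", "x86")):
            findings.append(f"{item['host']}: {item['product']} {item['version']} is an affected build")
        if item.get("sha256", "").lower() == SUBMITTED_SHA256:
            findings.append(f"{item['host']}: installer hash matches the VirusTotal submission")
    return findings


def agomo_findings(registry: dict) -> list:
    """registry: {key_path: {value_name: data}}, e.g. parsed from an exported .reg."""
    values = registry.get(AGOMO_KEY)
    if values is None:
        return []
    findings = [f"{AGOMO_KEY} present with values {[v for v in AGOMO_VALUES if v in values]}"]
    if values.get("NID"):
        findings.append(f"secondary C2 recorded in NID: {values['NID']}")
    return findings


# Assumed one-line proxy record: <timestamp> <client> <method> <url> host=<Host header>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https://(?P<dst>[^/\s]+)\S* host=(?P<host>\S+)$")


def c2_findings(log_lines: list) -> list:
    """Flag requests that connect to a raw IP literal yet present the fake
    Piriform Host header; note separately whether the IP sits in the masked /16."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            dst_ip = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue                      # a real hostname was resolved; not this pattern
        if m["host"] == FAKE_HOST:
            note = " (inside 216.126.0.0/16)" if dst_ip in C2_NET else ""
            findings.append(f"{m['src']}: {m['method']} to {m['dst']} with fake Host {m['host']}{note}")
    return findings


def triage(inventory: list, registry: dict, log_lines: list) -> list:
    return inventory_findings(inventory) + agomo_findings(registry) + c2_findings(log_lines)


# Constructed sample data, not real telemetry.
SAMPLE_INVENTORY = [
    {"host": "ws01", "product": "CCleaner", "version": "5.33.00.6162", "arch": "x86", "sha256": SUBMITTED_SHA256},
    {"host": "ws02", "product": "CCleaner", "version": "5.34.0.0", "arch": "x86"},   # placeholder newer build
    {"host": "ws03", "product": "CCleaner Cloud", "version": "1.07.3191", "arch": "x86"},
]
SAMPLE_REGISTRY = {AGOMO_KEY: {"MUID": "0x1a2b3c4d", "TCID": "0x59c0a1f3", "NID": "198.51.100.7"}}
SAMPLE_LOG = [
    # 216.126.0.1 is a placeholder inside the masked range, NOT the real address
    "2017-09-18T10:00:01Z ws01 POST https://216.126.0.1/ host=speccy.piriform.com",
    "2017-09-18T10:00:05Z ws02 POST https://tools.google.com/service/update2 host=tools.google.com",
    "2017-09-18T10:00:09Z ws04 GET https://198.51.100.7/ host=speccy.piriform.com",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY, SAMPLE_REGISTRY, SAMPLE_LOG):
        print(finding)
```

The Host-header rule is the more durable of the network checks: the masked /16 may change or be retired, but a client that opens a TLS connection to a bare IP literal while claiming to talk to speccy.piriform.com is wrong on any network, so the code reports the mismatch first and the range match only as a secondary note.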

Offline pio

Re: CCleaner v5.33 infected [split topic]
« Reply #14 on: September 19, 2017, 05:04:48 PM »
Comodo removed Piriform from the trusted vendor list?

Check it, guys.

 :-TU :-TU :-TU

Anyway, how can we trust Piriform (acquired by Avast) from now on?

It might be difficult to trust them again. If it was really an inside job, then you have to find the person first, and nobody knows exactly what damage he has caused. If he had full administrator rights, the traceability of his actions can become very complex or even impossible. I hope Piriform has made backups in the past.  ;)

Detection has been added for the infected installer / files now also. As Yigido has said, the files were signed with a legitimate certificate, so it has been removed from the Trusted Vendors; otherwise Comodo would likely allow the infected file to run if a user has "Trust Applications signed by Trusted Vendors" checked.
This is why the malware escaped detection from all the other antivirus vendors for so long: it was trusted by everyone, as it was signed, so the AVs allowed it to run.

Yeah, Symantec and VeriSign definitely didn't do a "good job". It would have been their task and part of the signing verification process to thoroughly review the installer. This mission has also completely failed !!! But it should be noted that the malware behaviour and the relevant code were well thought out and "relatively" well hidden and protected, in a simple but effective way.
« Last Edit: September 19, 2017, 07:02:08 PM by pio »

 
