Topic: CCleaner v5.33 infected [split topic]

Offline JoWa

Ubuntu 18.04 | Chrome 70β | HTTPS Everywhere | Privacy Badger
Forum Policy | Comodo Product Help

Offline mike6688

Re: CCleaner v5.33 infected [split topic]
« Reply #16 on: September 20, 2017, 09:42:13 AM »
Quote
Yeah, Symantec and VeriSign definitely didn't do a "good job". It would have been their task and part of the signing verification process to thoroughly review the installer. This mission has also completely failed !!! But it should be noted that the malware behaviour and the relevant code were well thought out and "relatively" well hidden and protected, in a simple but effective way.

Agreed, maybe a more thorough testing of files before assigning a certificate would have prevented this.

There is a further statement from someone from Avast here:
https://forum.avast.com/index.php?topic=208612.msg1421249#msg1421249
Volunteer Moderator: Opinions are my own and may not reflect those of Comodo.  Please read and abide by the forum policy!

Offline JoWa

Re: CCleaner v5.33 infected [split topic]
« Reply #17 on: September 20, 2017, 11:43:56 AM »
5.35.6210 (20 Sep 2017)

- All builds signed with new Digital Signatures

https://www.piriform.com/ccleaner/version-history

Offline yigido

Re: CCleaner v5.33 infected [split topic]
« Reply #18 on: September 20, 2017, 06:39:35 PM »
COMODO Cloud Antivirus
Firefox Quantum
Encrypt the web! Use HTTPS Everywhere..
Block spying ads and invisible trackers! Use Privacy Badger..

Offline yigido

Re: CCleaner v5.33 infected [split topic]
« Reply #19 on: September 20, 2017, 06:50:04 PM »
I wonder how many of the users can trust Piriform again? 88) This was the program that I liked most. I thought it must come bundled with the Windows OS.. today, here we are.. a company called Avast came and bought them. Exactly one month later, the incident happened.

Do you still trust in Avast or Piriform? Even with their brand new digital signature  :P

Trust? Easy to break, easy to lose and the hardest thing to maintain after you lost it.

Offline pio

Re: CCleaner v5.33 infected [split topic]
« Reply #20 on: September 20, 2017, 07:49:33 PM »
Quote
Trust? Easy to break, easy to lose and the hardest thing to maintain after you lost it.

Well said !!!  :-TU ;)

Cisco apparently seems to have adorned itself with false feathers !!!

Some more Avast Statements :

    "The compromised version of CCleaner was released on August 15 and went undetected by any security company for four weeks, underscoring the sophistication of the attack. In our view, it was a well-prepared operation and the fact that it didn’t cause harm to users is a very good outcome, made possible by the original notification we received from our friends at security company Morphisec (more on this below) followed by a prompt reaction of the Piriform and Avast teams working together. We continue to be actively cooperating with law enforcement units, working together to identify the source of the attack."

    [...]

    "Avast first learned about the possible malware on September 12, 8:35 AM PT from a company called Morphisec which notified us about their initial findings. We believe that Morphisec also notified Cisco. We thank Morphisec and we owe a special debt to their clever people who identified the threat and allowed us to go about the business of mitigating it. Following the receipt of this notification, we launched an investigation immediately, and by the time the Cisco message was received (September 14, 7:25AM PT), we had already thoroughly analyzed the threat, assessed its risk level and in parallel worked with law enforcement in the US to properly investigate the root cause of the issue."

    [...]

    "BTW, I have to say I was quite disappointed by the approach taken by the Cisco Talos team who appears to be trying to use information about this incident to drive marketing activities and piggyback on the case to increase the visibility of their upcoming product. And, I should probably also say that it wasn't Cisco who first notified us about the problem. The threat was first discovered and reported to us by researchers in a security company called Morphisec (thank you!). The threat was real, but to the best of our knowledge, it was fortunately mitigated before it could do any harm."

« Last Edit: September 20, 2017, 07:55:54 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline yigido

Re: CCleaner v5.33 infected [split topic]
« Reply #21 on: September 21, 2017, 12:10:12 PM »
CCleaner Malware second payload discovered
Quote
and the researchers suggest strongly that it may not be enough to simply update CCleaner to get rid of the malware.

 >:-D Attention!

Quote
The following information helps identify if a stage 2 payload has been planted on the system.

The 32-bit trojan is TSMSISrv.dll, the 64-bit trojan is EFACli64.dll.

Identifying Stage 2 Payloads

Registry Keys:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

Files:

    GeeSetup_x86.dll (Hash: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83)
    EFACli64.dll (Hash: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f )
    TSMSISrv.dll (Hash: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902 )

    DLL in Registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a
    Stage 2 Payload: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83

"I had a panic attack because I do have WbemPerf in registry"  ;D it is empty.

It seems Symantec added signatures for the 2nd payload 50 minutes ago:
https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2017-092113-1734-99
« Last Edit: September 21, 2017, 12:20:41 PM by yigido »

Offline ZorKas

Re: ccleaner contained
« Reply #22 on: September 22, 2017, 03:25:40 AM »
Hello,
Still on the same subject:

Cisco Talos Intelligence researchers have discovered a second piece of malware in the corrupted version of CCleaner. In addition to updating the software, they recommend restoring your PC.
Like a second layer inside. The second stage of a particularly vicious rocket. Earlier this week, security researchers at Cisco Talos Intelligence revealed that the widely used CCleaner "cleaning" software had been harboring a backdoor since mid-August. The malicious code appeared to have been placed there after an intrusion into the network of Piriform, the software's publisher. An upgrade to a clean, more recent version was strongly recommended.
Today, these same researchers are publishing a new document containing the fruit of their ongoing investigation. Bad surprise: there was not one but two malicious payloads in CCleaner. While Piriform strongly encourages the users of its program to carry out a new update, the advice of the Talos Intelligence researchers goes a little further than that.
Go back, emergency

"Those affected by this attack should not simply remove the affected version of CCleaner or update it to the latest version," they explain. Why? Because after a first and then a second stage, the descent into the underworld could continue. In fact, the contaminated computers may now be infected by more than two pieces of malware.
CCleaner users concerned "must restore from a backup or a system image to ensure that they have completely removed not only the version of CCleaner containing the backdoor but any other malware that may reside on the system."

In other words, the message is clear: you will have to go back in time, before August 15 and before you installed the corrupted update (v5.33 and following). Taking into account the figures provided by Piriform, CCleaner records five million installations a week. It can therefore be estimated that about 30 million corrupted versions have been installed. Precautions are therefore necessary.
For September 12-16 alone, the database of the malware's main command and control server indicated that just over 700,000 contaminated machines had logged in to take their orders. On the other hand, only about 20 PCs would have received the second malware during this period.

Some evidence of contamination
For the most worried of you, it is possible to find clues that will allow you to know if your machine is contaminated. First, registry keys are added by the second-stage Trojan.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

Moreover, you should also find traces of the specific files below.

GeeSetup_x86.dll dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83
EFACli64.dll (the 64-bit Trojan horse) 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f
TSMSISrv.dll (the 32-bit Trojan horse) 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902

DLL in the registry:
f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a
Second-stage payload:
dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83

In order to determine if a machine is infected, the following should be checked:
If an affected version is installed on the machine, the presence of the Windows registry key HKLM\SOFTWARE\Piriform can be verified on the system.
In case of compromise, the machine will have communicated with the IP address 216.126.225.148_BAD_ or with one of the following domains:


If this is the case, the machine must be considered as potentially compromised and restored to a state prior to August 15, 2017, or preferably completely re-imaged.

If these items are on your machine, you can only restore a backup or image of your operating system that was established before August 15th.

A whole new dimension
The discovery of the second payload also revealed that the malware targets specific companies, logically enough in order to steal sensitive data. The names of Cisco, Microsoft, Samsung, HTC and Sony are among them. But this list would have evolved over time and over the life of this malware, Talos Intelligence adds, specifying that several hundred machines under government domain names have also been targeted.

This new information is even more worrying to security researchers because it points to a "possibly unknown" actor with significant resources. Is this a group of hackers backed by a state or a large industrial group? Talos Intelligence does not say. It is only stated in its communication that one of the files found on the malware's command and control servers refers to the time zone of the People's Republic of China.

Engineers are careful not to say that this cannot be enough to attribute this attack to Chinese hackers. Obviously.
« Last Edit: September 22, 2017, 04:44:06 AM by ZorKas »
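An added checker for the two kinds of stage 2 indicator quoted in yigido's and ZorKas's posts above; this is example code, not from the thread, Talos or Piriform. It treats a WbemPerf key that merely exists (yigido's "it is empty" case) as no hit and matches files by SHA-256 rather than by name. The `reg query` output format and the file paths passed in are assumptions: run `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf" /s` on the suspect machine and feed its text to `wbemperf_hits`.

```python
import hashlib
import re

# Stage 2 indicators quoted in the two posts above: subkeys under WbemPerf and
# SHA-256 hashes of the dropped DLLs (values copied from the quoted reports).
IOC_SUBKEYS = {"001", "002", "003", "004", "HBP"}
IOC_HASHES = {  # sha256 -> what the quoted report says the file is
    "dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83": "GeeSetup_x86.dll / stage 2 payload",
    "128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f": "EFACli64.dll (64-bit trojan)",
    "07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902": "TSMSISrv.dll (32-bit trojan)",
    "f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a": "DLL stored in the registry",
}

# Key line as printed by `reg query "HKLM\...\WbemPerf" /s` (assumed format);
# group 1 is the immediate subkey name, so the parent WbemPerf line never matches.
_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\WbemPerf\\([^\\\s]+)\s*$",
    re.IGNORECASE,
)

def wbemperf_hits(reg_query_output):
    """Indicator subkeys found in `reg query ... /s` text, sorted. An existing
    but empty WbemPerf key (the 'it is empty' case above) is not an indicator."""
    hits = set()
    for line in reg_query_output.splitlines():
        m = _KEY_RE.match(line.strip())
        if m and m.group(1).upper() in IOC_SUBKEYS:
            hits.add(m.group(1).upper())
    return sorted(hits)

def sha256_hex(path):
    """SHA-256 of a file, hashed in chunks so a large DLL is not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_hits(paths):
    """[(path, label)] for files whose content hash is a listed IOC; matching
    on the hash rather than the name still catches a renamed copy of a DLL."""
    hits = []
    for path in paths:
        digest = sha256_hex(path).lower()
        if digest in IOC_HASHES:
            hits.append((path, IOC_HASHES[digest]))
    return hits
```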

Offline EricJH

Re: CCleaner v5.33 infected [split topic]
« Reply #23 on: September 23, 2017, 10:10:40 AM »
Zorkas, I split and merged your topic with this topic. It's better suited here.
Quote
Agreed, maybe a more thorough testing of files before assigning a certificate would have prevented this.

There is a further statement from someone from Avast here:
https://forum.avast.com/index.php?topic=208612.msg1421249#msg1421249
In this post on the Avast forums, Avast explains the situation and why a reformat was not deemed necessary:
Quote
At the same time, we wanted to understand whether the second stage payload could have already activated before the threat was discovered. Now, the good thing is that about 30% of CCleaner users also run Avast security software, which allowed us to analyze behavioral, traffic and file/registry data from those machines.  Based on this analysis, we can say with high confidence that to the best of our knowledge, the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary itself. We also asked our colleagues from other security companies, but haven't heard anyone seeing anything suspicious either. And that's great news, as it means that despite the high sophistication of the attack, we managed to disarm the system before it was able to do any harm. To that end, we don't consider the advice to reformat and/or restore the affected machines to the pre-August 15 state to be based on facts (by similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer, just because there was a hypothetical possibility that something might have gotten in).

BTW, I have to say I was quite disappointed by the approach taken by the Cisco Talos team who appears to be trying to use information about this incident to drive marketing activities and piggyback on the case to increase the visibility of their upcoming product. And, I should probably also say that it wasn't Cisco who first notified us about the problem. The threat was first discovered and reported to us by researchers in a security company called Morphisec (thank you!). The threat was real, but to the best of our knowledge, it was fortunately mitigated before it could do any harm.

Offline pio

Re: CCleaner v5.33 infected [split topic]
« Reply #24 on: November 15, 2017, 03:43:12 PM »
In-Depth Analysis of the CCleaner Backdoor Stage 2 Dropper and Its Payload !

https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/
