CCleaner v5.33 infected [split topic]

To all who want to install the latest version of CCleaner, I would not do that !!!

Official Installer (Version 5.33.00.6162) from >>> Thanks for downloading CCleaner NOW, in my definition, the CCleaner is a PUA.Adware.Dropper !!! :wink:

“ESET-NOD32” is fully right ! >>> VirusTotal

- Spawned process “PF-Toolbar-2016.exe”

  • Spawned process “GoogleUpdateSetup_1.3.21.169.exe” with commandline "/silent /install “appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&appname=Google%20Toolbar&needsadmin=True&brand=PRFD&usagestats=0” /appargs “appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&installerdata=d%3Dask%26h%3Dask2"” (UID: 00019116-00003100)
  • Spawned process “GoogleUpdate.exe” with commandline "/silent /install “appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&appname=Google%20Toolbar&needsadmin=True&brand=PRFD&usagestats=0” /appargs “appguid={F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}&installerdata=d%3Dask%26h%3Dask2” (UID: 00019312-00002860)
  • Spawned process “chrmstp.exe” with commandline “–configure-user-settings --verbose-logging --system-level --force-configure-user-settings” (UID: 00021907-00003896)
  • Spawned process “chrmstp.exe” with commandline "–type=crashpad-handler /prefetch:7 --database=%WINDIR%\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= -annotation=plat=Win32 --nnotation=prod=Chrome --annotation=ver=56.0.2924.87 --initial-client-data=0xe8

Google Home Calls :

POST /service/update2?w=6:lqUoHRTckXL6Jfjtry4_okCbNdn7CDvg04uDSkHFpVtdtwnMj2zqEyJUf0XIy5kwAXfdaYtyZsfj8N4MrZ3V_46gB5OopAsbaAOtSfWh97N8DkFHaV5A5BCBQtgezAkm4cK0m4pPfafZAiFcq7EswAD6UnhijPfzfWRozXC4qVP88i-5sZ6pSkQTbLdoTgEw9QqvhmVly_FB8twYmJH8KYBUTe1e0r0q4y-FPJVPJtXNlXN1PSkWRhS8R-0CBY5OK3Ixig_pq5ofZ_paTK-vdXQ048iZlB49FwvzJH4fMMjxxH9cfn4EZ3kghjbbsOwZi6B9DfQnuJEf6zDZSfC_0A HTTP/1.1
X-Old-UID: cnt=0
User-Agent: Google Update/1.3.21.169;winhttp;cup
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
If-Match: “vo8KejKBGMNrDf6Eick84_Xh_8w”
Host: tools.google.com
Content-Length: 489
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

POST /service/update2 HTTP/1.1
X-Old-UID: cnt=0
User-Agent: Google Update/1.3.21.169;winhttp
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: tools.google.com
Content-Length: 956
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

POST /service/update2 HTTP/1.1
X-Old-UID: cnt=0
User-Agent: Google Update/1.3.21.169;winhttp
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
Host: tools.google.com
Content-Length: 559
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

<?xml version="1.0" encoding="UTF-8"?>

I don't want that spy out behaviour and I don't want any google apps on my Machines !!! So I will not update my CCleaner anymore !!!

I updated my portable version and there is no problem in there :wink:

Yeah that's right !!! :-TU The portable version doesn't have this behaviour !!! CHIP.de advertises the portable version as “adware-free-variant” !!! :wink:

I’ve personally been updating with the portable version for quite some time now because the installed version added an “Upgrade” arrow on the main UI that isn’t in the portable version. I believe it’s a registry setting so once it’s on there, changing over to the portable version won’t make it go away.

Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

CCleaner Compromised to Distribute Malware for Almost a Month (Bleeping Computer)

CCleaner Malware Incident – What You Need to Know and How to Remove (Bleeping Computer)

One month after my first “superficial” analysis and initial assessment on VT , other analysts also seem to believe me !!! :wink: :wink: :wink: :a0

I am not surprised but this one was very strange because a security company(!) called “Avast” bought Piriform, and then they got hacked. Their most popular software is marked as “Adware/Malware” by vendors now.
This is odd! Good job Avast and Piriform :-TU

Yeah, that's a disaster for both individual brand names and it will cost a lot of reputation. Symantec also carries a certain complicity, because they signed these files with their company name behind it !!! Surely some mistakes and omissions were made, but it seems some mistakes have also happened in the verification chain. Just very, very unpleasant !!! >:(

Detailed Analysis Report on what the Malware exactly does:

The suspicious code was hidden in the application’s initialization code called CRT (Common Runtime) that is normally inserted during compilation by the compiler.

This modification performed the following actions before the main application’s code:

  -  It decrypted and unpacked hardcoded shellcode (10 kB large) - simple XOR-based cipher was used for this.
  -  The result (16 kB in size) was a DLL (dynamic link library) with a missing MZ header.
  -  This DLL was subsequently loaded and executed in an independent thread.
  -  Afterwards, a normal execution of CRT code and main CCleaner continued, resulting in the thread with payload running in the background.

The code executed within that thread was heavily obfuscated to make its analysis harder (encrypted strings, indirect API calls, etc.). The suspicious code was performing the following actions:

It stored certain information in the Windows registry key HKLM\SOFTWARE\Piriform\Agomo:
  -  MUID: randomly generated number identifying a particular system. Possibly also to be used as communication encryption key.
  -  TCID: timer value used for checking whether to perform certain actions (communication, etc.)
  -  NID: IP address of secondary CnC server
Besides that, it collected the following information about the local system:
  -  Name of the computer
  -  List of installed software, including Windows updates
  -  List of running processes
  -  MAC addresses of first three network adapters
  -  Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.

All of the collected information was encrypted and encoded by base64 with a custom alphabet.
The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via a HTTPS POST request. There was also a [fake] reference to “Host: speccy.piriform.com” in communication.
The code then read a reply from the same IP address, providing it with the functionality to download a second stage payload from the aforementioned IP address. The second stage payload is received as a custom base64-encoded string, further encrypted by the same xor-based encryption algorithm as all the strings in the first stage code. We have not detected an execution of the second stage payload and believe that its activation is highly unlikely.
In case the IP address becomes unreachable, a backup in the form of DGA (domain name generator) activates and is used to redirect communication to a different location. Fortunately, these generated domains are not under the control of the attacker and do not pose any risk.
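
Added example (not part of the original post or of the quoted analysis): a Python triage helper that parses saved `reg query ... /s` output and flags the Agomo key together with the MUID, TCID and NID values named above. The sample input and the `ExampleValue` name are constructed; also matching the WOW6432Node path is an assumption based on registry redirection for 32-bit processes on 64-bit Windows.

```python
import re

# Value names the report says the payload stored under HKLM\SOFTWARE\Piriform\Agomo.
IOC_VALUES = ("MUID", "TCID", "NID")
KEY_SUFFIX = r"\piriform\agomo"  # also matches the WOW6432Node view (assumption)
# One value line of `reg query` output: indented name, type, optional data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")


def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group(1)] = m.group(3).strip()
    return keys


def triage(text):
    """Return one finding for each Agomo key found under a Piriform key."""
    findings = []
    for path, values in parse_reg_query(text).items():
        if not path.lower().endswith(KEY_SUFFIX):
            continue
        present = [v for v in IOC_VALUES if v in values]
        # All three values match the report; fewer still deserves a closer look.
        n = len(present)
        verdict = "match" if n == len(IOC_VALUES) else "partial" if n else "key-only"
        findings.append({"key": path, "present": present, "verdict": verdict})
    return findings


# Constructed sample input (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\CCleaner
    ExampleValue    REG_SZ    1

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Piriform\Agomo
    MUID    REG_DWORD    0x1a2b3c4d
    TCID    REG_DWORD    0x59c0a1f0
    NID    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["verdict"], f["key"], f["present"])
```
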

It wasn’t related to your discovery, I think. Its normal installer is always bundled with 3rd apps, they also have a “slim” installer without 3rd/unwanted apps.
Edit: my bad, read your post and its slim version again and I see something wrong too =))

NP, … !!! :wink: I just wanted to mention that my negative rating was a month ago. I’ve recognized the same as ESET. Now, ESET changes the verdict to the worse! I have to do this too. As I mentioned, I have only carried out a fast, superficial analysis. I believe that no one ever suspected this worst case scenario! Until 3 days ago there were only 2 recognitions at VT and the file was new for VT when I uploaded it over a month ago. And my negative judgment was the first and only one. No more and no less !!! :slight_smile:

The classification, which is now actual, was discovered only by chance by some experts from CISCO Talos .

Avast Clarifies Details Surrounding CCleaner Malware Incident (Bleeping Computer)

Comodo removed piriform from trusted vendor list?

Check it guys.

Check attachments. Nierozpoznany - Unrecognized

Because the infected executable of 5.33 version uses the legit digital signature of Piriform.
There are more than 700k users of the infected version. Many of them may be Comodo IS users, so Comodo does the correct thing (if they removed it).
After Piriform corrections that there are no more infected users, then Comodo may think to add that digital signature again.

Anyway, how can we trust Piriform (acquired by Avast) from now on?

Detection has been added for the infected installer / files now also. As Yigido has said the files were signed with a legitimate certificate, so has been removed from the Trusted Vendors - otherwise Comodo would likely allow the infected file to run if a user has Trust Applications signed by Trusted Vendors checked.
This is why the Malware escaped detection from all the other AntiVirus vendors for so long, it was trusted by everyone as it was signed so the AV’s allowed it to run.

:-TU :-TU :-TU

It might be difficult to trust them again . If it was really an inside job, then you have to find the person first and nobody knows exactly what damage he has caused . If he had full administrator rights , the traceability of his actions can become very complex until impossible . I hope Piriform has made backups in the Past . :wink:

Yeah, Symantec and VeriSign definitely didn't make a “good job”. It would have been their task and part of the signing verification process to thoroughly review the installer. This mission has also completely failed !!! But it should be noted that the malware behaviour and the relevant code was well thought out and “relatively” well hidden and protected, in a simple but effective way.

Attack on CCleaner Highlights the Importance of Securing Downloads and Maintaining User Trust (EFF)

Agreed, maybe a more thorough testing of files before assigning a certificate would have prevented this.

There is a further statement from someone from Avast here:

5.35.6210 (20 Sep 2017)

  • All builds signed with new Digital Signatures

https://www.piriform.com/ccleaner/version-history

It is good for us. The new digital signature submitted to whitelisting team.
https://forums.comodo.com/news-announcements-feedback-cis/submit-applications-here-to-be-whitelisted-2017-t117714.0.html;msg865938#msg865938

I wonder how many of the users can trust Piriform again? 88) This was the program that I liked most. I thought it must come bundled with Windows OS… today, here we are… a company called Avast came and bought them. After exactly 1 month, the incident happened.

Do you still trust in Avast or Piriform? Even with their brand new digital signature :stuck_out_tongue:

Trust? Easy to break, easy to lose and the hardest thing to maintain after you lost it.