
Alert: CCleaner Utility by Piriform v5.3 Infected With Malware

I've seen recommendations to users on the boards here to download and use CCleaner, which implies that some are using it. If so, you need to read the following:

 

"Copies of the malicious software installer were distributed to CCleaner users between August 15 and September 12, 2017, using a valid certificate issued to Piriform Ltd by Symantec."

 

9/18/17

https://arstechnica.com/information-technology/2017/09/backdoor-malware-planted-in-legitimate-softwa...

 

and the followup on 9/21/17

https://arstechnica.com/information-technology/2017/09/ccleaner-malware-outbreak-is-much-worse-than-...

 

"Now that it's known the CCleaner backdoor actively installed a payload that went largely undetected for more than a month, Williams renewed his advice that people who installed the 32-bit version of CCleaner 5.33.6162 or CCleaner Cloud 1.07.3191 reformat their hard drives. He said simply removing the stage-one infection is insufficient given the proof now available that the second stage can survive and remain stealthy."

 

(It's unclear if the above was a really early knee-jerk assessment or if he is referring to machines with the stage 2 infection only as far as total reformat goes. Read the rest of this before freaking out 🙂)

 

 

It appears it infected 700,000 PCs (Avast says 2.27 million), may be the product of a Chinese hacking group, and is very sophisticated.

 

Although it infected 700k machines, the second targeted stage only activated on 20? (Avast estimates in the hundreds) high profile targets - they used the "watering hole" approach by infecting the CCleaner updates on the servers, but were really only interested in the few juicy targets (Microsoft, Cisco, Samsung, HTC, Sony, etc. - see the followup article). Also, if I read it correctly, the Talos security researchers registered the C&C domains and blackholed the malware - cut off its communications with home.

 

 

So the likelihood of your little old PC having the stage 2 infection (you're not high profile and Talos beheaded it via blackholing fairly early on?) is low, and the implication in the information on the following website is that the stage 1 infection was fully contained in the CCleaner update you may have downloaded, didn't spread, and can be mitigated (fully wiped out?) by updating CCleaner.

 

(That might also imply that manually ripping CCleaner out by its roots would also remove the infestation if it never spread beyond the CCleaner install.)

 

Also, I think I saw that the free versions DO NOT autoupdate, so if you are running an old version and didn't update to v5.3 during the period of infestation you are probably ok.

 

 

See here for FAQ and recommendations:

http://time.com/4946576/ccleaner-malware-hack/

 

It sounds like Avast (the new parent company of Piriform) is saying that updating CCleaner to the latest version (v5.34) will fix the problem.

 

Message 1 of 10

Wow, thanks!

 

And wasn't aware that Avast bought Piriform. Just dandy... they ruined AVG and will probably ruin CCleaner as well.

The easier you are to offend the easier you are to control.


We seem to be getting closer and closer to a situation where nobody is responsible for what they did but we are all responsible for what somebody else did. - Thomas Sowell
Message 2 of 10

Good of you to post here for those who might benefit. 

 

Not my choice, nor will be, but I'd want to know this if I used this one.

Message 3 of 10

Good to know. I just checked and my last update to CCleaner was on 7/7/17, and I usually don't update it on a regular basis and don't have it set to automatically update, so I guess I should just leave well enough alone?

Message 4 of 10

Thank you for posting this!  Very thoughtful of you, OP.

Message 5 of 10


"Good to know. I just checked and my last update to CCleaner was on 7/7/17, and I usually don't update it on a regular basis and don't have it set to automatically update, so I guess I should just leave well enough alone?"

I believe that was well before the "window of infestation", but check the version number you have anyway. If you look at the articles, I believe it is specifically v5.33.6162 that was compromised.

 

To play it safe, why not update to the "safe" version they tout?

        "Piriform says users should update to CCleaner version 5.34 or higher."

 

 

To all: You are welcome. I stumbled across this in my routine reading on Ars Technica, recalled that CCleaner is mentioned here somewhat often, did a quick forum search and didn't find anyone else had posted about it, and there you have it.

 

(Now that I've racked up some Karma points I can go be bad 🙂)

Message 6 of 10

Update 9/25/17

 

"The tentative conclusion to be drawn from the newly available information is that the vast majority of people who installed the backdoored CCleaner version probably dodged a potentially serious bullet. Out of an abundance of caution, enterprises—including the 540 government agencies Talos said hosted stage one-infected PCs—should reimage their machines, as should consumers who have the backups and expertise to do so or who can afford to hire a professional to do it for them. Reimaging is a much more thorough response than simply running an AV scan, which can often fail to detect infections. Unless new facts come to light, consumers who don't have these resources are probably OK not reimaging their computers."

 

https://arstechnica.com/information-technology/2017/09/ccleaner-backdoor-infecting-millions-delivere...

 

Message 7 of 10

Yet no one finds it strange that Avast, a multinational cybersecurity company, buys CCleaner and then CCleaner is infected? I have used CCleaner as long as I can remember, never had this problem... All I am going to say is cyber security is doing well... Problem (CCleaner infected), reaction (save us), solution (buy Avast for protection)...

 

Message 8 of 10

Thank you for posting this 🙂

Message 9 of 10

Luckily for me I was not religious in updating this program.

Message 10 of 10