CCleaner Compromised to Distribute Malware for Almost a Month

kemical

Windows Forum Admin
Staff member
Premium Supporter
#2
All the more reason to move over to 64bit.. ;)
 


Mike

Windows Forum Admin
Staff member
Premium Supporter
#3
> All the more reason to move over to 64bit.. ;)
I'd like to know where the IP address it was sending to was located.
 


Axel PC

Well-Known Member
#4
Yeah crazy, have to be extra careful nowadays with anything online. It's not the CompuServe dial-up days of the internet anymore lol.

> All the more reason to move over to 64bit.. ;)
Fortunately my laptop is 64 and version of Windows is 64 bit.

I'm curious though if we'll see that botnet come to fruition, as could have been the point of the hack?
 


kemical

Windows Forum Admin
Staff member
Premium Supporter
#5
Even though I'm 64bit I still checked anyway for the rogue folder that's apparently supposed to appear in the registry but happily nothing there..
 


Axel PC

Well-Known Member
#6
That's a good idea I should do that too. Do you have a link that talks about where in the registry the folder is created?

Sent from my SM-G935P using Windows Forums mobile app
 


kemical

Windows Forum Admin
Staff member
Premium Supporter
#7
Sure..
If you open regedit (type it into 'Run') click on:
HKEY_CURRENT_USER, followed by,
Software, followed by,
Piriform.
There should only be Piriform inside the Piriform folder. The 32bit variant carried another folder called Agomo:
CCleaner Malware Incident - What You Need to Know and How to Remove
 


pnamajck

Honorable Member
#9
CCleaner Malware Incident - What You Need to Know and How to Remove
subheading: Why didn't antivirus software catch the infection?
"The CCleaner binary that included the malware was signed using a valid digital certificate."


CCleaner Compromised to Distribute Malware for Almost a Month
subheading: Threat actor compromised CCleaner infrastructure
"Cisco Talos believes that a threat actor might have compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan."


basically, at this point … nobody yet knows how the certificate was breached (allegedly) … inside job or not. and our own local anti-virus and malware-sniffers were unable to spot it … simply because the digital signature was 'authentic'.

notwithstanding … could this be the tactic in the near future? could hackers start inserting their malware under the guise of valid certificates … such as what happened here? and then upload it into a secure server of a prominent security exchange?

i mean, if it happened in this scenario … it can definitely happen within a controlled environment. thereby … microsoft will need to resort to creating 2fa and 3fa when it comes to digital certificates? "yes, this certificate is authentic … let's check the ans data-streams for a second-seal and third-seal."

i can see yet another type of security software looming on the horizon … "we will 'validate' your valid certificates by intervening with ceo within each company … i.e. is this certificate really valid, or does it just state it is valid?" oh yeah … and this new enterprising company will charge $69 for year-long subscription.

neemo … just out of curiosity, have you tried downloading that nefarious 32bit version of ccleaner-5.33 onto your computer … and did you sic webroot anti-virus on it? and what were the results? did the product question the operator about the install/certificate?

i think a consortium of some real brainiacs needs to assemble and manifest one single all-encompassing security sentry … that system will know every possible way of exploiting any software. you mock me and say "designing such a system would never be possible" … to which i quietly challenge "you got a better idea?"

anyway … thanks for this post, mike … once again, i am enlightened.
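The registry check kemical describes in #7, together with pnamajck's point in #9 that the trojanised build carried a valid signature, can be turned into one script. This is an added example written for this thread, not code from Piriform, Avast or Cisco Talos. It assumes a default install path for CCleaner.exe; post #7 names the Agomo key under HKEY_CURRENT_USER, while the Talos write-up lists it under HKLM\SOFTWARE\Piriform\Agomo, so the script looks in both hives (and in Wow6432Node, where a 32-bit process on 64-bit Windows is redirected). The version string 5.33.6162 comes from the thread itself.

```powershell
# Added example for this thread (not Piriform/Avast/Talos code). Run in an elevated PowerShell.
# Assumptions: default install paths; affected version taken from the thread (32-bit 5.33.6162).
$affectedVersion = '5.33.6162'

# 1. Installed CCleaner version. A 32-bit install on 64-bit Windows is listed under Wow6432Node.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'CCleaner*' }
foreach ($app in $installed) {
    $flag = if ($app.DisplayVersion -eq $affectedVersion) { 'AFFECTED VERSION' } else { 'ok' }
    '{0} {1} -> {2}' -f $app.DisplayName, $app.DisplayVersion, $flag
}

# 2. The Agomo key. Post #7 names HKCU; the Talos report lists HKLM\SOFTWARE\Piriform\Agomo.
$agomoPaths = @(
    'HKCU:\Software\Piriform\Agomo',
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\Wow6432Node\Piriform\Agomo'   # 32-bit process on 64-bit Windows
)
foreach ($path in $agomoPaths) {
    if (Test-Path $path) {
        $values = (Get-Item $path).GetValueNames() -join ', '
        "FOUND $path (values: $values)"
    } else {
        "absent: $path"
    }
}

# 3. Signature check. Status 'Valid' only proves the file was signed with the vendor's key;
#    it says nothing about what the build contains, which is exactly why AV let this one through.
#    Record the SHA256 so it can be compared against the hashes the vendor and Talos published.
$binaries = Get-ChildItem "${env:ProgramFiles}\CCleaner\CCleaner.exe",
                          "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe" -ErrorAction SilentlyContinue
foreach ($file in $binaries) {
    $sig  = Get-AuthenticodeSignature $file.FullName
    $hash = (Get-FileHash $file.FullName -Algorithm SHA256).Hash
    '{0}: signature={1} signer={2} sha256={3}' -f $file.FullName, $sig.Status,
        $sig.SignerCertificate.Subject, $hash
}
```

A hit on the Agomo key or on the affected version is the actionable result; the signature line is there to make the point that "Valid" is not the same as "clean", so the hash is what should be checked against the published indicators.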
 



KM Richards

Honorable Member
#10
If one simply stayed with version 501... they would be safe, right?

I usually go to the options on most software (except Firefox) and disable automatic updates so I can decide if and when it is updated.
 


nmsuk

Windows Forum Admin
Staff member
Premium Supporter
#11
You're safe now to update it. Piriform have fixed it.
 


KM Richards

Honorable Member
#12
But... if you wanted to keep using version 501, that shouldn't hurt anything right?
 


nmsuk

Windows Forum Admin
Staff member
Premium Supporter
#13
Probably not.
 


KM Richards

Honorable Member
#14
From what I was reading, the compromise was only applicable to version 5.33.6162

Nothing has been said about there being a problem for previous versions.
 


nmsuk

Windows Forum Admin
Staff member
Premium Supporter
#15
> From what I was reading, the compromise was only applicable to version 5.33.6162
>
> Nothing has been said about there being a problem for previous versions.
Was also only 32bit machines.

Sent from my Nexus 6 using Tapatalk
 


KM Richards

Honorable Member
#16
kewL... I'm running 64 bit
 


Neemobeer

Windows Forum Team
Staff member
#17
Found this very interesting. Basically CCleaner was compromised and basically did almost nothing to the general public. Specific tech companies were targeted and received 2nd and 3rd stage payloads which, based on their sophistication, could be nation-state or criminal organization sponsored efforts. CCleaner backdoor infecting millions delivered mystery payload to 40 PCs
 


Axel PC

Well-Known Member
#18
Yeah I read about that too. Should be interesting to see what comes of this down the road. If any future attacks turn out to be related to it. A lot of major companies are on that IP list.

Sent from my SM-G935P using Windows Forums mobile app
 


Axel PC

Well-Known Member
#19
I think it was on Krebs? That he said September will be remembered for showing us that none of our data is safe lol.

Sent from my SM-G935P using Windows Forums mobile app
 

