- Joined
- Jul 22, 2005
- Messages
- 9,241
- Thread Author
-
- #1
Solution
Sure..
If you open regedit (type it into 'run') click on:
Hkey current user, followed by,
Software, followed by,
Piriform.
There should only be Piriform inside the Piriform folder. The 32bit variant carried another folder called Agomo:
CCleaner Malware Incident - What You Need to Know and How to Remove
- Joined
- Jul 22, 2005
- Messages
- 9,241
- Thread Author
-
- #3
I'd like to know where the IP address it was sending to was located.
All the more reason to move over to 64bit..
Axel PC
Honorable Member
- Joined
- Apr 24, 2016
- Messages
- 523
Yeah crazy, have to be extra careful now-a-days with anything online. It's not the CompuServe dial-up days of the internet anymore lol.
Fortunately my laptop is 64 and version of Windows is 64 bit.
I'm curious though if we'll see that bot net come to fruition, as was could have been the point of the hack?
Axel PC
Honorable Member
- Joined
- Apr 24, 2016
- Messages
- 523
That's a good idea I should do that too. Do you have a link that talks about where in the registry the folder is created?
Sent from my SM-G935P using Windows Forums mobile app
kemical
Essential Member
- Joined
- Aug 28, 2007
- Messages
- 36,176
Sure..
If you open regedit (type it into 'run') click on:
Hkey current user, followed by,
Software, followed by,
Piriform.
There should only be Piriform inside the Piriform folder. The 32bit variant carried another folder called Agomo:
CCleaner Malware Incident - What You Need to Know and How to Remove
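As an added example (not code from the thread, from Piriform or from the linked article), here is the same registry check kemical describes, scripted in PowerShell so it can be run on more than one machine. It assumes the key path and the single expected subkey exactly as stated in the post, and it assumes CCleaner registers its version under the standard Uninstall keys like most installers.

```powershell
# Added example: automate the regedit check from the thread.
# HKCU\Software\Piriform should contain only a "Piriform" subkey;
# the 32-bit 5.33 build carried an extra "Agomo" subkey.
$Base     = 'HKCU:\Software\Piriform'   # path as given in the thread
$Expected = @('Piriform')               # the only subkey that should be there

function Test-PiriformRegistry {
    param([string]$Path = $Base)

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{
            Present    = $false
            Subkeys    = @()
            Unexpected = @()
            Verdict    = 'Key not found (CCleaner not installed or never run under this user)'
        }
    }

    $subkeys    = @(Get-ChildItem -Path $Path | Select-Object -ExpandProperty PSChildName)
    $unexpected = @($subkeys | Where-Object { $_ -notin $Expected })

    [pscustomobject]@{
        Present    = $true
        Subkeys    = $subkeys
        Unexpected = $unexpected
        Verdict    = if ($unexpected.Count -gt 0) {
                         "SUSPICIOUS: unexpected subkey(s): $($unexpected -join ', ') (the thread names 'Agomo')"
                     } else {
                         'OK: only Piriform present'
                     }
    }
}

# Assumption: CCleaner appears in the standard Uninstall keys with DisplayName/DisplayVersion.
# The thread identifies 5.33.6162 (32-bit) as the affected build.
function Get-CCleanerVersion {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        Select-Object DisplayName, DisplayVersion
}

$result = Test-PiriformRegistry
$result
$ver = Get-CCleanerVersion
$ver
if ($ver.DisplayVersion -eq '5.33.6162') {
    Write-Warning 'Installed build is the one the thread names as compromised; update CCleaner and review the registry result above.'
}
```

Run it in the context of the user who installed CCleaner, since the check is against HKCU rather than HKLM.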
Axel PC
Honorable Member
- Joined
- Apr 24, 2016
- Messages
- 523
pnamajck
Honorable Member
- Joined
- Aug 28, 2014
- Messages
- 433
CCleaner Malware Incident - What You Need to Know and How to Remove
subheading: Why didn't antivirus software catch the infection?
"The CCleaner binary that included the malware was signed using a valid digital certificate."
CCleaner Compromised to Distribute Malware for Almost a Month
subheading: Threat actor compromised CCleaner infrastructure
"Cisco Talos believes that a threat actor might have compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan."
basically, at this point … nobody yet knows how the certificate was breached (allegedly) … inside job or not. and our own local anti-virus and malware-sniffers were unable to spot it … simply because the digital signature was 'authentic'.
notwithstanding … could this be the tactic in the near future? could hackers start inserting their malware under the guise of valid certificates … such as what happened here? and then upload it into a secure server of a prominent security exchange?
i mean, if it happened in this scenario … it can definitely happen within a controlled environment. thereby … microsoft will need to resort with creating 2fa and 3fa when it comes to digital certificates? "yes, this certificate is authentic … let's check for the ans data-streams for a second-seal and third-seal."
i can see yet another type of security software looming on the horizon … "we will 'validate' your valid certificates by intervening with ceo within each company … i.e. is this certificate really valid, or does it just state it is valid?" oh yeah … and this new enterprising company will charge $69 for year-long subscription.
neemo … just out of curiosity, have you tried downloading that nefarious 32bit version of ccleaner-5.33 onto your computer … and did you sic webroot anti-virus on it? and what were the results? did the product question the operator about the install/certificate?
i think a consortium of some real brainiacs needs to assemble and manifest one single all-encompassing security sentry … that system will know every possible way of exploiting any software. you mock me and say "designing such a system would never be possible" … to which i quietly challenge "you got a better idea?"
anyway … thanks for this post, mike … once again, i am enlightened.
KM Richards
Honorable Member
- Joined
- Sep 7, 2011
- Messages
- 65
If one simply stayed with version 501... they would be safe, right?
I usually go to the options on most software (except Firefox) and disable automatic updates so I can decide if and when it is updated.
KM Richards
Honorable Member
- Joined
- Sep 7, 2011
- Messages
- 65
But... if you wanted to keep using version 501, that shouldn't hurt anything right?
KM Richards
Honorable Member
- Joined
- Sep 7, 2011
- Messages
- 65
From what I was reading, the compromise was only applicable to version 5.33.6162
Nothing has been said about there being a problem for previous versions.
nmsuk
Essential Member
- Joined
- Sep 7, 2009
- Messages
- 4,329
Was also only 32bit machines.
From what I was reading, the compromise was only applicable to version 5.33.6162
Nothing has been said about there being a problem for previous versions.
Sent from my Nexus 6 using Tapatalk
KM Richards
Honorable Member
- Joined
- Sep 7, 2011
- Messages
- 65
kewL... I'm running 64 bit
- Joined
- Jul 4, 2015
- Messages
- 8,998
Found this very interesting. Basically CCleaner was compromised and basically did almost nothing to the general public. Specific tech companies were targeted and received 2nd and 3rd stage payloads which based on their sophistication could be nation-state or criminal organization sponsored efforts. CCleaner backdoor infecting millions delivered mystery payload to 40 PCs
Axel PC
Honorable Member
- Joined
- Apr 24, 2016
- Messages
- 523
Yeah I read about that too. Should be interesting to see what comes of this down the road. If any future attacks turn out to be related to it. A lot of major companies are on that IP list.
Sent from my SM-G935P using Windows Forums mobile app
Axel PC
Honorable Member
- Joined
- Apr 24, 2016
- Messages
- 523
I think it was on Krebs? That he said September will be remembered for showing us that none of our data is safe lol.
Sent from my SM-G935P using Windows Forums mobile app