09-18-17, 07:41 PM   #11
Skybird
Soaring
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 40,553
Downloads: 9
Uploads: 0

Let's be precise here.

Somebody managed to attach a dirty package to a valid new CCleaner version that was distributed via an official Piri server that got compromised as well by somebody.

This version dropped onto people's systems when they upgraded to the new version of CCleaner in the roughly 4 weeks when this version was distributed without Piri being informed about what went on. 4 weeks probably translates into several million people who downloaded this thing.

The attacking software scanned the system and extracted data on the infected system, in preparation for turning it into a zombie platform for a botnet out there. This was to be done via additional software that was downloaded by the parasite on top of the CCleaner package.

However, the corrupted servers were taken out before the downloaded "warhead" could be activated. Or so they claim.

Which leaves the remains of the botnet-integrating software on people's systems, just that it has not received the activation commands.

Now if you upgrade to a later version of CCleaner, this new version no longer has this parasitic software attached to it, and replaces the corrupted CCleaner version that was previously installed. BUT: if you had been infected by the version before, then the additional malware that was downloaded by that intruder obviously still resides on your system. Just that it is not activated.

That is as if you hold a bomb in your hand with a fuse that is remote controlled via radio signal. The guy controlling the remote transmitter to detonate it has been taken out. But if you run into a frequency equal to that of the transmitter, and the receiver on that bomb picks it up, however small the random chance for this event may be, the bomb goes off nevertheless. For it is still there.

The question may be to what degree the detonation of this software could still lead to your computer being turned into a zombie that gets abused in a botnet. Only the server that spread the initially infested CCleaner version has been shut down. The botnet and the guys running it are still there.

This is my understanding of the status quo, based on the two linked texts and three additional German website reports.

The media coverage and reports are not fully consistent in the way they tell the story. Talos and Avast/Piri may be driven by different interests as well.

If you have a workplace machine or productivity machine, you want to play it the safest way possible, and reinstall. If you use your system for entertainment only, you may find it affordable to take some risk. But I stick to it, the rule of reason for software attacks like this is: a system that once got compromised remains compromised, no matter what kind of repairs and cleaning you have done, because you cannot be certain you indeed repaired it and cleaned up the mess.

P.S. Some years ago, Malwarebytes had a major drama with an update that went wrong; it prevented millions of systems from booting and caused major havoc, with many machines needing to be reinstalled. Already back then I had the settings for AV and MBAM tuned so that they did not download each and every update that was released over the day, usually several per day, but only once per day. One does not really need the latest updates from the past two hours if you do not surf highly risky sites. For every update can mean an attack, or, as was the case in this example, a risk of technical errors due to a faulty update. If there are, let's say, 8 updates in a 24 hour interval, and you download only one per day, then you reduce the risk of getting hit by such bad updates by almost 90%.

Don't be a beta tester without your consent. Use some healthy reason. Switch from "searching for upgrades every hour" to "search for upgrades once per day".
__________________
If you feel nuts, consult an expert.

Last edited by Skybird; 09-18-17 at 08:00 PM.