SUBSIM Radio Room Forums



Old 09-18-17, 10:23 AM   #1
Skybird


Nuke Warning: CCleaner is malware-infested

http://blog.talosintelligence.com/20...s-malware.html

http://www.piriform.com/news/blog/20...-windows-users

My cold-hearted advice if you are affected: system reinstall. A system that got compromised must still be considered to be compromised after any "cleanings", "repairs", or whatever. The only way to deal with a bug and be certain is to nuke the whole system from orbit.

Note that Talos (first link) disagrees with Piri (second link) on the amount of damage done. Talos says it potentially could be an immense number of users, Piri says the threat was tackled before it could do damage. Of course, Piri has its own reputation to protect here, Talos is a neutral third party.

I believe I understood it like this: a completely infested version of CCleaner was spread via a manipulated server of theirs, and so the malware must have reached millions and millions of users, see the link for affected version and date. The malware scanned the infested systems, extracted data and downloaded additional malware, which was probably the intended "warhead" to detonate. But if Piri is right, then this malware never got activated, they switched off the rogue server fast. Which means that affected people have downloaded-for-sure, but non-activated malware on their machines now. Their systems probably got scanned and data was extracted. The additional downloaded malware, the warhead, is still there.

Well, believing is not knowing. So expect the worst. Nuke it. From orbit.

P.S. Note that the critical version of CCleaner was distributed for almost a full month. That's damn many systems affected.

Last edited by Skybird; 09-18-17 at 11:08 AM.
Old 09-18-17, 11:04 AM   #2
THEBERBSTER

I have used CCleaner every day for many years without any problems and also have recommended it many times here on Subsim.
Like any application on your system it is open to attack.
While this may sound alarming those at CCleaner have rectified the problem without any serious incidents having taken place.
I am running the later 6207 version but it is quite likely that at some point I also have used the 6162 corrupted version.
While anti-virus may give protection it is better to back it up with a specific malware/spyware program installed.

I would suggest installing this free program which was recommended and installed by my computer shop.
It will identify any threats which you can quarantine.
https://www.malwarebytes.com/mwb-download/
Peter

Last edited by THEBERBSTER; 09-18-17 at 12:46 PM.
Old 09-18-17, 12:07 PM   #3
aanker

I have used CCleaner Pro for years too. I noticed that 6207 was released fast on the heels of the previous version.

Thanks for the link Peter, and thanks for the alert Skybird.
Old 09-18-17, 03:42 PM   #4
propbeanie

My gosh. This is getting old, having to search through all of my computers and look for issues with a program that I've trusted and used for years... I did just recently download a newer version of it, but I do not remember which box it was... I know what I'm doing tonight... Thanks Skybird and THEBERBSTER...
Old 09-18-17, 04:16 PM   #5
mapuc

Earlier today I got the information from a computer page on FB. It was said, from my memory, that it's only those who have a 32-bit computer system, and they should reinstall Windows.

People asked about 64-bit systems and were told that they haven't heard anything about this type of system.

I don't have this CC-cleaner.

Markus
Old 09-18-17, 04:25 PM   #6
THEBERBSTER

Hi Mapuc
I have a 64 bit system and Malwarebytes picked up and quarantined Ccleaner malware when I ran it.
Peter
Old 09-18-17, 04:27 PM   #7
STEED

Looks like my laptop is in the clear.

V5.155513(64bit)

But my desktop has

V5.33.6162(64bit) Same version number that is infected but the article states (32bit) so have I got it or not?

UPDATE

I have rolled back my system to July 31st and Removed that version of Ccleaner off my desktop.

Malwarebytes Anti rootkit. ALL CLEAR

Malwarebytes custom scan and threat scan. ALL CLEAR

Avast smart scan. ALL CLEAR

Avast rootkits full scan. ALL CLEAR

Last edited by STEED; 09-18-17 at 08:02 PM.
Old 09-18-17, 05:51 PM   #8
aanker

I don't think you need to worry now. To be safe, update to the latest release.

From: https://www.askwoody.com/
Quote:
CCleaner back door / botnet infection updates

Bottom line: If you installed CCleaner any time after Aug. 15, you need to install the latest version.

Avast bought Piriform (and CCleaner) in July. The malware was inserted into the installer in August. The botnet Command center was taken down in September.

Oy. Don’t use registry cleaners, OK?

Earlier I read if you updated to a later - the most recent version you'd be in the clear.

Furthermore the payload had been neutered before it was released in the bad version. It never phoned home and 'home' for it doesn't exist. We got lucky.

I updated past the infected version last week and users that do will be OK for sure. It is harmless now and from what I read earlier it always was. I hate it when something you trust does something like this though.
Old 08-20-18, 08:22 AM   #9
CTU_Clay

Is CCleaner still infected as earlier reported?
Old 08-20-18, 08:34 AM   #10
Skybird

Don't know, don't care, I just use a very old version to easily delete temp files, and do no updates anymore.


Updates to Windows 10 and software running under Windows seem to be a bigger and bigger risk in themselves. I do not even use a dedicated security suite for my Windows 10 machine anymore, just the Windows 10 Defender onboard thing. But then, my W10 machine is exclusively a game console.



Compared to what the rules were 5 and 10 years ago, upsides have been turned down, and things were u-turned. Who would claim he saw it coming in this excessive level of distortion? Not before W8 was released I understood where things were heading.
Old 08-20-18, 12:43 PM   #11
THEBERBSTER

Hi CTU
No, as soon as it became known they updated to a clean application.
Peter