Crap Cleaner was hacked, update now (Don't Panic?)

Babel-17

Veteran
http://fortune.com/2017/09/18/ccleaner-hack-what-you-should-know/
http://time.com/4946576/ccleaner-malware-hack/
https://it.slashdot.org/story/17/09...ree-windows-application-infected-with-malware

https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident


Customers are advised to update to the latest version of CCleaner, which will remove the backdoor code from their systems. As of now, CCleaner 5.33 users are receiving a notification advising them to perform the update.

We deeply understand the seriousness of the situation, as we do with all security threats. We regret the inconvenience experienced by Piriform’s customers. To reiterate, we accept responsibility for the breach and have implemented the following actions and precautions:

The server was taken down before any harm was done to customers
We worked immediately with law enforcement to identify the source of the attack
We took multiple steps to update our customers who had the affected software version
We disclosed everything that happened in a blog when we were cleared to do so
We migrated the Piriform build environment to the Avast infrastructure, and are in the process of moving the entire Piriform staff onto Avast internal IT system.

We plan to be issuing more updates on this as we go. We have made it our highest priority to properly investigate this unfortunate incident and to take all possible measures to ensure that it never happens again.

This blog post has been updated here.
https://blog.avast.com/progress-on-ccleaner-investigation


Large technology and telecommunications companies were targeted

Following the take-down of the CnC server and getting access to its data, the Avast Security Threat Labs team has been working around the clock to investigate the source and other details of the recent Piriform CCleaner attack. To recap, the attack affected a total of 2.27M computers between August 15, 2017 and September 15, 2017 and used the popular PC cleaning software CCleaner version 5.33.6162 as a distribution vehicle. Today, we would like to report on the progress so far.

First of all, analysis of the data from the CnC server has proven that this was an APT (Advanced Persistent Threat) programmed to deliver the 2nd stage payload to select users. Specifically, the server logs indicated 20 machines in a total of 8 organizations to which the 2nd stage payload was sent, but given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds. This is a change from our previous statement, in which we said that to the best of our knowledge, the 2nd stage payload never delivered.
 
Yeah, you can delete the 32-bit exe on a 64-bit OS and the software will still work, though there's a UAC elevation scheduled task which probably won't run if you delete the exe.

Still, it is a very concerning issue and I expect Piriform to revise their internal routines.
 
How can I tell if I was infected?
When an infected version of CCleaner was installed it would have created a Windows Registry key located at HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo. Under this key will be two data values named MUID and TCID, which are used by the installed Floxif infection.

You can use Registry Editor to navigate to the Agomo key and see if it exists. If it does, then you are infected with this malware.

Please note, as seen below, upgrading to version 5.34 will not remove the Agomo key from the Windows registry. It will only replace the malicious executables with legitimate ones so that the malware is no longer present.

https://www.bleepingcomputer.com/ho...dent-what-you-need-to-know-and-how-to-remove/
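The registry check described in that post, written out as a PowerShell script. This is an added example for this thread, not code from Piriform, Avast or BleepingComputer. It assumes PowerShell 5.1 or later on Windows with read access to HKLM. The post names HKLM\SOFTWARE\Piriform\Agomo; because the affected CCleaner build is a 32-bit program, on a 64-bit Windows a 64-bit PowerShell may instead see that key under the WOW6432Node redirected view, so the script checks both locations (the WOW6432Node path is my assumption, not something the post states). The optional removal switch exists because, as the post says, upgrading to 5.34 leaves the key behind.

```powershell
# Added example: detect (and optionally remove) the Agomo indicator left by
# the trojanized CCleaner 5.33.6162 build. Not code from the original post.

# Path from the post, plus the 32-bit redirected view (assumption: a 32-bit
# process writing HKLM\SOFTWARE on 64-bit Windows lands under WOW6432Node).
$AgomoPaths = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'
)

function Test-AgomoIndicator {
    # Returns one record per candidate path with the MUID/TCID values if present.
    [CmdletBinding()]
    param([string[]]$Paths = $AgomoPaths)

    foreach ($p in $Paths) {
        if (-not (Test-Path -Path $p)) {
            [pscustomobject]@{ Path = $p; Present = $false; MUID = $null; TCID = $null }
            continue
        }
        $key = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path    = $p
            Present = $true
            MUID    = $key.MUID   # values named in the post; may be absent
            TCID    = $key.TCID
        }
    }
}

function Remove-AgomoIndicator {
    # Deletes the key(s) found by Test-AgomoIndicator. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Paths = $AgomoPaths)

    foreach ($hit in (Test-AgomoIndicator -Paths $Paths | Where-Object Present)) {
        if ($PSCmdlet.ShouldProcess($hit.Path, 'Remove registry key')) {
            Remove-Item -Path $hit.Path -Recurse -Force
        }
    }
}

# Usage: report, then (only if you choose to) clean up.
$hits = Test-AgomoIndicator | Where-Object Present
if ($hits) {
    foreach ($h in $hits) {
        Write-Warning "Agomo key found at $($h.Path) (MUID=$($h.MUID), TCID=$($h.TCID)). This machine ran the infected build."
    }
    # Remove-AgomoIndicator -WhatIf   # preview; drop -WhatIf to actually delete
} else {
    Write-Output 'No Agomo key found; no sign the 5.33.6162 infection ran here.'
}
```

Run it from an elevated prompt so both the 64-bit and redirected views are readable. A present key means the infected build executed at some point, not that the second-stage payload was delivered; the Avast figures quoted earlier in the thread make clear those are separate questions, so a hit should be treated as a reason to preserve logs and look further rather than as a finished triage.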
 
I would say that this is why you cryptographically sign your installation packages, so shit like this can't happen.

Considering that CCleaner's owners are in the computer securityware industry (or so I recall reading anyway), I'm fucking surprised they're not doing this already.
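Following on from that post, the check an end user or admin can actually run against an installer before launching it: verify the Authenticode signature and record the file hash. This is an added example, not code from the thread or from Piriform/Avast, and the installer path is a placeholder. The practitioner's caveat is that a valid signature only proves the file was signed by whoever held that signing key; it says nothing about whether the build that was signed was clean, which is why the hash should also be compared with what the vendor publishes out of band.

```powershell
# Added example: report on an installer's Authenticode signature and SHA-256
# before running it. The path below is a placeholder, not a real artefact.

function Get-InstallerSignatureReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Get-AuthenticodeSignature checks the PKCS#7 signature embedded in the PE.
    # Status values include Valid, NotSigned, HashMismatch and UnknownError.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status
        Signer     = $sig.SignerCertificate.Subject      # $null when NotSigned
        Thumbprint = $sig.SignerCertificate.Thumbprint
        NotAfter   = $sig.SignerCertificate.NotAfter
        SHA256     = $hash
    }
}

# Usage (placeholder path):
$report = Get-InstallerSignatureReport -Path 'C:\Downloads\ccsetup.exe'
$report | Format-List

# Decision rule: refuse anything that is not Valid, and refuse a Valid
# signature from an unexpected signer. The expected subject string is
# something you obtain from a known-good copy, not from this script.
$expectedSignerFragment = 'PLACEHOLDER-EXPECTED-PUBLISHER'
if ($report.Status -ne 'Valid') {
    Write-Warning "Signature status is $($report.Status); do not run this installer."
} elseif ($report.Signer -notlike "*$expectedSignerFragment*") {
    Write-Warning "Signed, but by '$($report.Signer)' rather than the expected publisher."
} else {
    Write-Output "Signature valid from expected publisher. Compare SHA256 $($report.SHA256) against the vendor's published hash before installing."
}
```

Note what this does and does not cover: a HashMismatch or NotSigned result catches a binary tampered with after signing, which is the case the post has in mind; a build environment compromise produces a file that passes this check, so the published-hash comparison and the registry indicator check from the earlier post remain necessary.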
 