CCleaner Malware Incident

CCleaner Malware Incident - What You Need to Know and How to Remove

What happened?

An unknown threat group compromised the CCleaner infrastructure.

The attacker added malware to the 32-bit versions of CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191.

The files were available for download between August 15 and September 12.

Who is affected?

Everybody who downloaded and installed the affected versions in that timespan.

Avast estimates the number of affected machines at 2.27 million.

https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/

Good luck getting some answers out of Avast and Piriform. They are trying to downplay this by not delivering adequate information. Every shred of good reputation CCleaner had is gone now, and Avast's reputation has been hurt even more; the more Avast and Piriform hold back information, the bigger the hole they are digging for themselves.

Eh, people dramatizing it again. And I'm not saying this because I've been working with avast! for a long time, I'm saying it because it can happen to ANY company if it gets targeted. And this was the case here. Blaming it on avast!, which just purchased Piriform, is just the lamest thing ever. If anything, they should be applauded for finding out themselves. If avast! didn't buy Piriform, it could have been going on for months before someone noticed it. And like I've said, it could have happened to any company. Piriform isn't specialized in security, so things are more likely to go wrong with such a company than with avast! itself. And we've seen hacks happen to security firms before, including avast! (usually to 3rd party stuff under their control).

The information is there, but I guess some people expect avast! to go back in time and change the course of history somehow…

Please see my recent statement here: https://forum.avast.com/index.php?topic=208612.msg1421249#msg1421249

So I’ve always used the 64-bit version, I’m fine, right?

Yep.

I don’t see the regedit change either for the added item.

I also set it to automatically launch the 64-bit version since I have both installed.

Hi EmoHobo,

Well I was not affected either, according to the registry read out.

But know that 20% of the data breaches in the "Murica's" today stem from cyberattacks threatening your data and privacy.
Nothing new when folks admit that privacy does not exist any longer there and all your data are up for grabs (to render the new digital gold that is in data); when not showing you ads, one is JavaScript-mining Monero inside your browser with or without your consent.

That is how far it has got, and in the case of the alleged CCleaner breach the malware injected into #CCleaner has shared code with several tools used by one of the APT groups from the #Axiom APT 'umbrella', an umbrella for dynamic API hackers by the so-called Lazarus group cybercriminal malware factory. They were active, amongst other things, from Asia and were fought in a common initiative known as the Operation Blockbuster Security Coalition.

polonus (volunteer website security analyst and website error-hunter)

And what does all that mean, polonus? For a regular person like me. Does it mean my data is probably already out there, just floating around like some kind of floating gold mine of personal data?

See Reply #5.

More info here: https://blog.avast.com/update-to-the-ccleaner-5.33.1612-security-incident

Please don't add CCleaner to Avast. It is a request. :slight_smile:

Why would they, when there is already Avast Cleanup (free or paid)? And even if they did, what is to stop you doing a custom install and deselecting it, as you can with other components?

Presumably those that are already using CCleaner wouldn't get it again.

This entire thread is in the wrong forum.

Who cares which forum it's in. It's still the Avast forum and CCleaner is now an Avast product.

@ Be Secure,
CCleaner is its own program.

I don’t want to dramatize, but what do you think of Bleeping Computer’s advice?
https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/

Should I do anything else after the malware has been removed? As the installed Floxif infection was sending information about your computer and had the ability to download and install other programs, victims should change their passwords and perform security scans on the computer.

It is suggested that victims stop using the infected computer and then change their passwords from a computer or cell phone that did not have this version of CCleaner installed on it. This is because it is not known if other malware was installed by the Floxif infection and is currently running that may steal passwords and other information.

Once you have changed your passwords, you should perform scans using an antivirus application, if not multiple applications, to make sure that there are no other infections present on the computer. After this has been finished, and anything that may have been detected has been removed, you can begin using your computer again.

For those who want to be truly safe, the best course of action is to always reinstall Windows to be 100% safe. It goes without saying that this is not always feasible, so at a minimum, the suggested actions should be completed before you use the computer again.

No, and why is explained here:

https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident

========================================================
Some media reports suggest that the affected systems needed to be restored to a pre-August 15th state or reinstalled/rebuilt. We do not believe this is necessary. About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary. Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary. By similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer.

CCleaner Malware second payload discovered

https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/

In my case WbemPerf reg key is empty and I didn’t find GeeSetup_x86.dll and TSMSISrv.dll on my system.

From Avast blog:

Based on the analysis of this data, we believe that the second stage payload never activated...

According to a new Cisco Talos report, though, it looks like Avast was wrong.
On the other hand, the new Talos Intelligence report says the second payload specifically targeted tech companies.

http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.
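A read-only triage script for the check described in the post above (whether the WbemPerf key holds any values, and whether GeeSetup_x86.dll or TSMSISrv.dll are present). This is an added example, not code from the thread, Avast or Talos; the thread gives only the key name and the two file names, so the script searches HKLM\SOFTWARE for a subkey of that name instead of assuming its full path, and System32/SysWOW64 are assumed locations for the DLLs.

```powershell
# Added triage script (not from the thread, Avast, Piriform or Talos).
# Assumptions: only the key name "WbemPerf" and the two DLL names are given in the
# thread, so the key is located by name under HKLM\SOFTWARE and the DLLs are looked
# for under System32 and SysWOW64. Read-only: it reports and never deletes anything.

$dllNames = @('GeeSetup_x86.dll', 'TSMSISrv.dll')          # file names quoted in the thread
$dirs     = @("$env:WINDIR\System32", "$env:WINDIR\SysWOW64")  # assumed locations

# 1. Find any registry key named WbemPerf under HKLM\SOFTWARE and list its values.
$keys = Get-ChildItem -Path 'HKLM:\SOFTWARE' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'WbemPerf' }

if (-not $keys) {
    Write-Output 'No WbemPerf key found under HKLM\SOFTWARE.'
}
foreach ($key in $keys) {
    $props  = Get-ItemProperty -Path $key.PSPath
    # Drop the PS* metadata properties so only real registry values remain.
    $values = @($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })
    if ($values.Count -eq 0) {
        Write-Output "Key $($key.Name) exists but is empty (the 'not affected' case in the post)."
    } else {
        Write-Output "Key $($key.Name) holds $($values.Count) value(s); review before acting:"
        $values | ForEach-Object { Write-Output ("  {0} = {1}" -f $_.Name, $_.Value) }
    }
}

# 2. Look for the named DLLs; record a SHA256 so any hit can be compared with vendor write-ups.
foreach ($dir in $dirs) {
    foreach ($name in $dllNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Write-Output "FOUND  $path  SHA256=$hash"
        } else {
            Write-Output "absent $path"
        }
    }
}
```

Run it from an elevated 64-bit PowerShell prompt so the 32-bit registry view is not silently redirected; the recursive walk of HKLM\SOFTWARE can take a minute or two.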

Well, if you belong to the dozen firms that were specifically targeted by these very advanced, sophisticated l33t Axiom aka Group 72 hackers from that C&C server, like for instance Samsung, I would start back from scratch and turn everything upside down.

I cannot see that the normal user base was affected as such, and I am certain avast will now make sure that does not happen.

I personally was very lucky to have the original version pre-dating this whole affair and did nothing to it; it was a free version, so an automatic update did not get in the way, despite all the nagging pop-ups inside my Chrome browser.

polonus