CCleaner Malware Incident

From Avast:
https://blog.avast.com/progress-on-ccleaner-investigation

@bob
Yes, a new post on Avast Blog admits that the 2nd stage payload WAS delivered in some instances, although the vast majority of users were uninteresting for the attacker, but select ones were.
https://blog.avast.com/progress-on-ccleaner-investigation

This is a change from our previous statement, in which we said that to the best of our knowledge, the 2nd stage payload never delivered.

@Polonus
You are probably right: luckily, normal users are not affected, as far as we know so far. Let’s hope we don’t run out of luck.

Precisely why I posted the link. That way we see the story from all sides.

Hi 123ava,

Well, the targeted telecom firms in the Netherlands, Germany etc. are now in a completely different position than the average user of CCleaner.

It was a so-called “watering hole” attack. The firms affected should do a roll back to before the attack(s) started and do further risk management as to an eventual data breach, but that should not be adding up to more than you can/could find through a special Nmap scan for info-stealing. But there are certain rules for mitigating such a compromise and hardening and investigating, so damage control, all hands on deck. L33t Asian state actor hackers are not an adversary to underestimate!

Keep your eyes on the avast blog for the developing story and more breaking news as they say in the States…

polonus

Breaking: https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/

Deepening drama: Internet providers from two nations are bundling downloads with state spyware known as FinFisher.
These downloads were WhatsApp, VLC, WinRAR, Skype and Avast.
Read: https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/
This state spyware was brought to the target by a man-in-the-middle attack performed by that internet provider.

When the target of the surveillance-operation wants to download a popular app like WhatsApp, VLC, WinRAR, Skype,
the provider sends him to a server of the attackers. There a trojaned version of the software waits.

You can scan if you are affected here: https://www.eset.com/int/home/online-scanner/

The countries involved are not mentioned because of security reasons.

Very annoying and very worrying news, when it all is supported by facts.

polonus

It’s not your system that determines your vulnerability but the version of CCleaner you installed. If you installed the 64 bit version, you’re safe. If you installed the 32 bit version of CCleaner, you’re not and need to update asap. So, you could have installed a 32 bit version on your 64 bit system and had a problem. Naturally, you could not have installed the 64 bit version on your 32 bit system.

Personally, there are no known indicators of compromise on my 64-bit Windows 10, so the odds are it was not affected, even though CCleaner 5.33 installed both the 64-bit .EXE (clean) and the 32-bit version (the bad guy, which was eventually detected and quarantined by antivirus). Looks like the “bad” CCleaner was on my PC all the time but was never run.

That said, according to Talos reports the stage 2 installer included a 64-bit trojanized tool, too. Why did the attackers even bother to include a 64-bit tool if only 32-bit systems were to be affected? Perhaps the 64-bit code was there just because of code reuse? (Talos mentions code being reused). I really don’t know.

The stage 2 installer is GeeSetup_x86.dll. This installer checks the OS version and then drops either a 32-bit or 64-bit version of a trojanized tool. The x86 version is using a trojanized TSMSISrv.dll, which drops VirtCDRDrv (which matches the filename of a legitimate executable that is part of Corel) using a similar method to the backdoored CCleaner tool. The x64 version drops a trojanized EFACli64.dll file named SymEFA which is the filename taken from a legitimate executable that is part of "Symantec Endpoint". None of the files that are dropped are signed or legitimate.
http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

Maybe you need to ask them. :slight_smile:

https://www.welivesecurity.com/2017/09/21/cconsiderations-on-ccleaner-incident/

Here avast does not get a very high score as was proven by the present incident:

https://www.av-test.org/en/news/news-single-view/32-products-put-to-the-test-how-good-is-antivirus-software-at-protecting-itself/

pol

@Polonus
Interesting read.
I’ve just tried downloading Avast Free from the Avast web site.
It came from http (not https), but looks like it’s my ISP’s proxy.
Then I tried again with the Https Everywhere extension for Chrome, so I got the direct download from https://files.avast.com/iavs9x/avast_free_antivirus_setup_offline.exe

If you’re downloading from https://www.avast.com/free-antivirus-download
you are redirected to https://www.avast.com/download-thank-you.php?product=FAV-ONLINE&locale=en-ww
(This is really off topic for this thread.)

Is there an easy way to tell if you’ve been affected by the second payload? Am I fine if I missed the first one? I had the 64-bit version.

You’re fine.

I looked under the Regedit and I found the entry posted here

https://cdn.ghacks.net/wp-content/uploads/2017/09/ccleaner-2nd-payload.png

Doesn’t that mean I’m infected?

@EmoHobo

Do you see the registry keys reported by Talos among the indicators of compromise?

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004

http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html
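Here is an added example, not code from the thread, Talos or Avast, of how to check a Windows machine for the four WbemPerf entries listed above. The thread calls them "registry keys"; because it is not stated here whether they appear as subkeys or as value names under WbemPerf, the script (an assumption on my part) treats a match of either kind as a hit, and it looks at both the 64-bit and the 32-bit (WOW64) registry views. The decision logic is kept in a pure function so it can be exercised on a non-Windows box; the actual registry read only runs on Windows. An empty WbemPerf key produces no match, which is consistent with the later observation in this thread that the key existing with no entries is the normal state.

```python
import sys

# Path quoted in the thread (from Talos), relative to HKEY_LOCAL_MACHINE.
WBEMPERF_PATH = r"Software\Microsoft\Windows NT\CurrentVersion\WbemPerf"
# The four entries the thread lists as indicators of compromise.
IOC_NAMES = ("001", "002", "003", "004")


def matching_iocs(subkeys, value_names):
    """Return the sorted list of IoC names found either as a subkey or as a
    value name under WbemPerf. Pure function: it only looks at the names it is
    given, so it runs anywhere (assumption: either form counts as a hit)."""
    present = set(subkeys) | set(value_names)
    return sorted(name for name in IOC_NAMES if name in present)


def read_wbemperf(view_flag):
    """Enumerate subkeys and value names under HKLM\\...\\WbemPerf in one
    registry view (Windows only). Returns (subkeys, value_names); both lists
    are empty when the key does not exist in that view."""
    import winreg  # standard library, Windows only

    subkeys, values = [], []
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WBEMPERF_PATH, 0,
                             winreg.KEY_READ | view_flag)
    except OSError:
        return subkeys, values
    with key:
        n_sub, n_val, _ = winreg.QueryInfoKey(key)
        for i in range(n_sub):
            subkeys.append(winreg.EnumKey(key, i))
        for i in range(n_val):
            name, _data, _type = winreg.EnumValue(key, i)
            values.append(name)
    return subkeys, values


def scan_local_machine():
    """Check both registry views and return {view_name: [matched IoC names]}."""
    import winreg

    views = {"64-bit view": winreg.KEY_WOW64_64KEY,
             "32-bit (WOW64) view": winreg.KEY_WOW64_32KEY}
    return {label: matching_iocs(*read_wbemperf(flag))
            for label, flag in views.items()}


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        print("This check reads the Windows registry; run it on the machine in question.")
        sys.exit(0)
    results = scan_local_machine()
    for label, hits in results.items():
        status = "IoC entries present: " + ", ".join(hits) if hits else "no IoC entries"
        print(f"{label}: {status}")
```

A hit means the entries Talos published are present and the machine deserves a proper incident response, not that the script has confirmed what wrote them; no hit only rules out this one indicator, not the incident as a whole.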

Nope, I am way too paranoid.

@1234ava,

Although not directly related - the download link you gave (well, the technology firm - Akamai was also targeted by the very Group 72 hackers during the recent incident), Akamai has an embedded transparency Symantec Class 3 Secure CA G4 intermediate certificate and tested certificate.

Here a quick and dirty report on the avast download link…

The response exceeds the maximum file size allowed by the application. VirusTotal - that is your http issue…
Netcraft risk rating 7 red out of 10: http://toolbar.netcraft.com/site_report?url=http://a23-4-13-51.deploy.static.akamaitechnologies.com
versus http://toolbar.netcraft.com/site_report?url=https://a23-4-13-51.deploy.static.akamaitechnologies.com

Certificate given as untrusted here: https://www.htbridge.com/ssl/?id=2ni4qAZQ

C-Grade status: https://tls.imirhil.fr/https/a23-4-13-51.deploy.static.akamaitechnologies.com

F-Grade status: https://securityheaders.io/?q=https%3A%2F%2Fa23-4-13-51.deploy.static.akamaitechnologies.com%2F&hide=on

Interesting for us here: https://observatory.mozilla.org/analyze.html?host=a23-4-13-51.deploy.static.akamaitechnologies.com#tls

Preferred clients: Compatible Clients: Android 2.3.7, Apple ATS 9, Baidu Jan 2015, BingBot Dec 2013, BingPreview Dec 2013, Chrome 27, Edge 12, Firefox 21, Googlebot Oct 2013, IE 7, Java 6u45, OpenSSL 0.9.8y, Opera 12.15, Safari 5, Tor 17.0.9, Yahoo Slurp Oct 2013, YandexBot May 2014

The certificate explainer: https://tls-observatory.services.mozilla.com/static/certsplainer.html?id=13271123

Not dangerous, but leaves room for improvement, but we meet certain restrictions, because it also has to run on older clients… :stuck_out_tongue:

polonus (volunteer website security analyst and website error-hunter)

As somebody earlier here also mentioned even those who ‘only’ installed the 64bit version of the compromised release may also have had an infected EXE on their machine. That would include me as I diligently check for updates at least once a month and I still had (now thoroughly removed) that version update installer in the short term archive I keep. I’m certain I must have installed the 64bit version of that release.

I also use CCleaner portable version on a flash drive very occasionally with a 32bit OS system but luckily, and most unlike me, I’d forgotten to update that during the period in question.

The problem is CCleaner includes what I’d assume is a 32bit version (how do you tell?) as part of the 64bit package, something that is fairly common practice so it would work even if you downloaded the wrong version.

You’d hope with a 64bit OS only the 64bit EXE would have been used but can you be sure?

I’ve been wading through the reams of stuff here and elsewhere about this and maybe I’ve missed it, but I’m still not certain what this means. But it would appear we 64bit OS CCleaner users may have dodged the bullet by luck and nothing else.

I’ve still done multiple full scans with every bit of security software I have but I’m still not happy. That an update downloaded direct from the originator actually contained malware is a pretty bad look for all concerned.
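The question above ("how do you tell?" whether a bundled executable is 32-bit) has a mechanical answer: the Machine field of the PE/COFF header says which architecture a .exe or .dll was built for. The following is an added example, not code from the thread or from CCleaner's vendor, that reads that field and can walk a folder to list every PE file by architecture. It is a header check only; it tells you whether a file is x86 or x64, not whether it is the trojanized build, which is a question for hash comparison against the published indicators and for your antivirus. The `build_stub` helper constructs a header-only dummy so the parser can be exercised without a real binary.

```python
import os
import struct
import sys

# IMAGE_FILE_MACHINE_* constants from the PE/COFF specification.
MACHINE_NAMES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit)",
    0xAA64: "ARM64",
}


def pe_machine(data: bytes) -> str:
    """Return a human-readable architecture for a PE image given its bytes.
    Non-PE input returns a descriptive string instead of raising, so a
    directory walk can report plain data files without aborting."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a PE image (no MZ header)"
    # e_lfanew: offset of the 'PE\0\0' signature, stored at DOS header offset 0x3C.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not a PE image (PE signature missing)"
    # The COFF header follows the signature; Machine is its first 2-byte field.
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return MACHINE_NAMES.get(machine, f"unknown machine 0x{machine:04x}")


def pe_machine_of_file(path: str) -> str:
    """Read just enough of the file to classify it (headers sit at the start)."""
    with open(path, "rb") as fh:
        return pe_machine(fh.read(4096))


def report_directory(root: str):
    """Walk root and return [(path, architecture)] for every .exe/.dll found."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".exe", ".dll")):
                path = os.path.join(dirpath, name)
                results.append((path, pe_machine_of_file(path)))
    return results


def build_stub(machine: int) -> bytes:
    """Construct a minimal, non-runnable header-only image for testing."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (0x40 - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # 20-byte COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Usage: python pe_arch.py <file-or-directory>
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    if os.path.isdir(target):
        for path, arch in report_directory(target):
            print(f"{arch:28} {path}")
    else:
        print(pe_machine_of_file(target))
```

Run it against the CCleaner install directory (or an extracted installer) and it will show, file by file, which bundled binaries are 32-bit and which are 64-bit; that answers the "which version is on disk" part of the question, while "which one was actually run" is a question for process and execution history, not the file header.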

That had me worried too, as that is what my registry shows too, but from the web sites talking about this issue and the registry entry “…WbemPerf…” it would appear that is how it should look, i.e. with no keys/values set.

If it has any of those ^^^ keys shown … be paranoid. :slight_smile: