Malware hidden in cCleaner debacle...

[TidaLWaveZ]

Hackers have successfully breached CCleaner’s security to inject malware into the antivirus app and distribute it to millions of users. Security researchers at Cisco Talos discovered that download servers used by Avast (the company that owns CCleaner) were compromised to distribute malware inside CCleaner. “For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” says the Talos team.

 

 

A lot of tech news outlets are offering simple(some nonsensical) descriptions, but the talos blog seems to be the true source of detailed information.  They seem to have all the technical information which I haven't fully deciphered at the time of this post. Through what I've seen already things don't seem to add up. Does the hidden malware itself actually consist of a means to actually access an end users computer? It doesn't really seem feasible to me that this could be accomplished and to furthermore go unnoticed.

 

I'm not sure what to think, especially when most of the dumbed down articles seem to be crying wolf by screaming BACKDOOR! RANSOMWARE! HACKERS! I still can't seem to determine if the malware is just collecting some lite system details and only the truly careless are effected or something much worse.

 

Truly scary or blown out of proportion?

Was cCleaner truly hacked or was this an inside job(quick big data grab)?

Will The Verge ever produce any semblance of an article that's not complete garbage?

 

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

[Sir Asvald]

LOL 

[Okjoek]

^

[captain_to_fire]

I think the last time I used CCleaner was 2012 

[Droidbot]

Yo wtf, I have CCLeaner installed on a load of computers belonging to family members. Lucky I'm wiping one of them this week.. hahah

[NrKj105]

nothing is free in free software except opensource models

[Alariel]

Well, that's a bit embarrassing for them.

[johndms]

http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

[johndms]

Odd, I'm actually running that version, v5.33.6162 (64-bit), but downloaded it Aug. 15. According to that post, the installer was infected on Sept. 12. I don't do the automatic update, nor have I experienced anything odd, so I guess I'm unharmed.  Will remove it regardless, however, and see how things progress with on the matter.

[Gumi Rokkaku]

Woah this is scary. I have 5.28

[captain_to_fire]

47 minutes ago, TidaLWaveZ said:

BACKDOOR! RANSOMWARE! HACKERS!

hopefully not ransomware because that shit is nasty 

[normpearii]

10 minutes ago, johndms said:

Odd, I'm actually running that version, v5.33.6162 (64-bit), but downloaded it Aug. 15. According to that post, the installer was infected on Sept. 12. I don't do the automatic update, nor have I experienced anything odd, so I guess I'm unharmed.  Will remove it regardless, however, and see how things progress with on the matter.

It's stuff like this that keeps me manually installing updates.


Microsoft on the other hand....


Edit: Hmm new default avatars.

[TidaLWaveZ]

5 minutes ago, hey_yo_ said:

hopefully not ransomware because that shit is nasty 

I'm still severely confused and the more I try to read through the detailed explanation the less sense it makes to me.

 

Seems like the malware just collects the PC's system information and sends it to back to a certain IP.

[Gumi Rokkaku]

11 minutes ago, johndms said:

Odd, I'm actually running that version, v5.33.6162 (64-bit), but downloaded it Aug. 15. According to that post, the installer was infected on Sept. 12. I don't do the automatic update, nor have I experienced anything odd, so I guess I'm unharmed.  Will remove it regardless, however, and see how things progress with on the matter.

Quote from the article "In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017 version 5.34 was released. "

[Bouzoo]

Well shit. I installed it on my phone as well a week ago. Before 13th Sept that is.

It's gonna be funny to see conspiracy theorists use this for malware sharing by Antivirus corporations. 

[captain_to_fire]

13 minutes ago, TidaLWaveZ said:

I'm still severely confused and the more I try to read through the detailed explanation the less sense it makes to me.

I'm reading the linked article and it does show that they tampered the digital signature and have injected a code to bypass AV detection by the DLL file [CBkdr.dll]. From the article too, the malware will terminate itself if it has determined that the user is not using an administrator account. If in the unfortunate event that the user is using an admin account, it will write itself in the registry and begins gathering system information.

So it looks like a conduit for other malware. Also, collecting system information? That might range from passwords or credit card information to login credentials. It could be an instrument for an APT with the usual targets are corporations and government agencies. But then I could be wrong.

 

https://www.symantec.com/content/en/us/enterprise/white_papers/b-advanced_persistent_threats_WP_21215957.en-us.pdf

http://www.trendmicro.com.ru/media/misc/ebook-advanced-persistant-threats-and-real-time-threat-management.pdf

[PlayStation 2]

"Hold this L"

[Zodiark1593]

How very interesting. Thankfully, I do my own spring cleaning, not to mention running a standard account on the desktop.

[TidaLWaveZ]

15 minutes ago, hey_yo_ said:

-snip

It just seems like they are super detailed on the exact process of how it works but very vague on it's capabilities.

 

I don't see how it can get any sensitive information without first getting admin access. Are they grabbing usernames and collecting deeper when they can access someones admin account? If it's spreading malware wouldn't the others be caught when trying to be installed?

[captain_to_fire]

Just now, TidaLWaveZ said:

It just seems like they are super detailed on the exact process of how it works but very vague on it's capabilities.

 

I don't see how it can get any sensitive information without first getting admin access. Are they grabbing usernames and collecting deeper when they can access someones admin account?

Well it has to determine first if the user has standard or admin account because with an admin account, privileges are elevated. With a standard account, it will trigger a UAC prompt and it cannot install an executable file without the admin password.

Probably with an admin account, the user is more likely to click Yes because it won't ask for a password and the installation will proceed. So sucks for admins then. Unfortunately they haven't revealed the capabilities of the said malware just yet other than collect system information which by itself is way too broad.

[TidaLWaveZ]

7 minutes ago, hey_yo_ said:

-snip

One thing's for sure, this definitely wasn't just a guy sitting in his basement doing this for a thrill.

[NumLock21]

14 minutes ago, Arokhantos said:

Ccleaner is from the windows 95 era, why we still need app like this anyway, heck if not used it in years since the tools are all inside windows anyway to clean everything up

Cause it's easy for non techies to use, when it comes to cleaning out the junk in their computer. I use it too, for its convenience.

[captain_to_fire]

10 minutes ago, NumLock21 said:

Cause it's easy for non techies to use, when it comes to cleaning out the junk in their computer. I use it too, for its convenience.

There's a thing called Disk Cleanup. Also, I don't notice any performance difference way back in 2010-2012 when I was using it with Windows 7.

[JoostinOnline]

4 minutes ago, hey_yo_ said:

There's a thing called Disk Cleanup. Also, I don't notice any performance difference way back in 2010-2012 when I was using it with Windows 7.

It cleans up a lot more than Disk Cleanup does.

 

It doesn't boost your performance at all though.  If anything, it hinders it, depending on if you say yes to the background services.  When you're low on space it's really helpful though.  I've got an SSD in my laptop, and I can't buy a bigger one until prices drop, so it's useful.

[TidaLWaveZ]

8 minutes ago, hey_yo_ said:

There's a thing called Disk Cleanup. Also, I don't notice any performance difference way back in 2010-2012 when I was using it with Windows 7.

You've got to remember that we're severely outnumbered by people who truly couldn't accomplish the task of navigating to disk cleanup.