  • CCleaner back door / botnet infection updates

    Posted on September 18th, 2017 at 07:27 woody Comment on the AskWoody Lounge

    Bottom line: If you installed CCleaner any time after Aug. 15, you need to install the latest version.

    Avast bought Piriform (and CCleaner) in July. The malware was inserted into the installer in August. The botnet Command center was taken down in September.

    Oy. Don’t use registry cleaners, OK?

    Computerworld Woody on Windows.


    This topic contains 38 replies, has 13 voices, and was last updated by MrBrian 1 year, 4 months ago.

    • #133097 Reply

      woody
      Da Boss

      Post coming momentarily in Computerworld. Bottom line: If you installed CCleaner any time after Aug. 15, you need to install the latest version. Avast
      [See the full post at: CCleaner back door / botnet infection updates]

      6 users thanked author for this post.
    • #133100 Reply

      PKCano
      Da Boss

      Version number on the bad one: v5.33

      1 user thanked author for this post.
      • #133103 Reply

        woody
        Da Boss

        Good version: v5.34

        1 user thanked author for this post.
      • #133499 Reply

        PKCano
        Da Boss

        New version released 9/20/17 CCleaner v5.35

    • #133102 Reply

      woody
      Da Boss
      • #133304 Reply

        Noel Carboni
        AskWoody_MVP

        In my humble opinion, Avast hasn’t been worth partnering with since about the start of 2015 when they decided they know better than even the most technical user. Avast is just another company who thinks they need to (and have a right to) take over your computer. No thanks.

        Caveat: They could change and become angelic. Sorry – too bad, too late, the name is spoiled. I’m never, ever going to use anything they make again, and I’m going to advise others to avoid them. What’s funny is that I used to recommend them in my books.

        -Noel

    • #133126 Reply

      John
      AskWoody Lounger

      I don’t use registry cleaners anymore. CCleaner is the one I have used, but typically I install it use it and then remove it. Really going to have to be careful about what version to use I guess.

    • #133129 Reply

      Microfix
      AskWoody MVP

      Official Response from Piriform:

      Piriform Security Notice

      | W10 Pro x64 1803 | W8.1 Pro x64 | Linux x64 Hybrids | W7/ XP Pro x64 O/L
        Can't see the wood for the trees? Look again!
      4 users thanked author for this post.
      • #133309 Reply

        Noel Carboni
        AskWoody_MVP

        Bravo to author Paul Yung in that article for getting pretty specific. That’s the kind of openness that helps win the hearts and minds of people who take security seriously. It’s a sign of respect that they’re willing to share the gory details. Not everyone will understand them, but for those who do, and who want to use those details to check for infections and to vet their security practices, they’re valuable.

        For example, given the information…

        It stored certain information in the Windows registry key HKLM\SOFTWARE\Piriform\Agomo…

        …one could look in your registry and see if the key and data exist to know whether a system has been affected by this issue.

        With…

        The encoded information was subsequently submitted to an external IP address 216.126.x.x…

        …one could look in access logs and see if any communications were attempted with any address that started with 216.126.

        -Noel

        2 users thanked author for this post.
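        One way to act on the indicators Noel quotes above (the Agomo registry key and the 216.126.x.x range), together with the 5.33 version number posted earlier in this thread, as an added example that is not code from the thread, from Piriform or from Avast: a read-only PowerShell triage script that reports findings and removes nothing. The log file location and the availability of Get-NetTCPConnection (Windows 8 / Server 2012 and later) are assumptions.

```powershell
<#
  Added example for this thread (not Piriform's, Avast's or the thread's own code).
  Read-only triage of one Windows host using only the indicators quoted above:
    - the registry key HKLM\SOFTWARE\Piriform\Agomo
    - the 216.126.x.x destination range
    - CCleaner version 5.33 (the build this thread identifies as bad)
  Assumptions: -LogPath points at a text firewall/proxy log with one event per line;
  Get-NetTCPConnection is available (Windows 8 / Server 2012 and later).
#>
param(
    [string]$LogPath = 'C:\Logs\firewall.log'   # assumed location; adjust to your own
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Registry artefact named in the Piriform notice.
$agomoKey = 'HKLM:\SOFTWARE\Piriform\Agomo'
if (Test-Path -Path $agomoKey) {
    $props = Get-ItemProperty -Path $agomoKey
    # Drop the PS* metadata properties Get-ItemProperty adds; keep the stored value names.
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name -join ', '
    $findings.Add("Registry key present: $agomoKey (values: $names)")
}

# 2. Installed CCleaner version from the Uninstall entries (native and WOW6432Node views).
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' } |
    ForEach-Object {
        $v = $null
        if ([version]::TryParse($_.DisplayVersion, [ref]$v) -and $v.Major -eq 5 -and $v.Minor -eq 33) {
            $findings.Add("Affected build installed: $($_.DisplayName) $($_.DisplayVersion)")
        }
    }

# 3. Live connections and historical log lines to the 216.126.0.0/16 range.
$c2Pattern = '\b216\.126\.\d{1,3}\.\d{1,3}\b'
try {
    Get-NetTCPConnection -ErrorAction Stop |
        Where-Object { $_.RemoteAddress -match $c2Pattern } |
        ForEach-Object { $findings.Add("Active connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)") }
} catch {
    Write-Warning "Get-NetTCPConnection unavailable: $($_.Exception.Message)"
}
if (Test-Path -Path $LogPath) {
    Select-String -Path $LogPath -Pattern $c2Pattern |
        ForEach-Object { $findings.Add("Log hit ${LogPath}:$($_.LineNumber): $($_.Line.Trim())") }
} else {
    Write-Warning "No log file at $LogPath; skipping log scan."
}

# 4. Report. A clean host prints only the first message.
if ($findings.Count -eq 0) {
    Write-Output 'No CCleaner incident indicators found on this host.'
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

        Run it from an elevated prompt so the HKLM keys and all process connections are readable; a hit on any of the three checks is a reason to apply Woody's bottom line and update, not proof of compromise on its own.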
    • #133130 Reply

      Seff
      AskWoody Plus

      I’ve always believed that registry cleaners cause more problems than they solve.

      3 users thanked author for this post.
    • #133138 Reply

      oxbridgelee
      AskWoody Lounger

      “Researchers noted that the malware only ran on 32-bit systems,”

      …according to a BleepingComputer article: ‘CCleaner Compromised to Distribute Malware for Almost a Month.’

      I’ve seen this comment in a few articles today, but by no means all of them.

      Can anyone confirm whether this is the case and if it is regardless of whether the user is using an account with administrator privileges?

      1 user thanked author for this post.
    • #133142 Reply

      Sessh
      AskWoody Lounger

      I generally don’t update software unless there’s some pressing need, so I still use an earlier version. I don’t even allow CCleaner to access the internet. Furthermore, CCleaner does many, many other things and is FAR more than just a registry cleaner. If it didn’t have a registry cleaner, it wouldn’t really affect its usefulness much at all. Calling it a “registry cleaner” isn’t really fair IMO. It’s like referring to your car as a radio.

      8 users thanked author for this post.
      • #133268 Reply

        woody
        Da Boss

        Fair enough. I referred to it as a registry cleaner because most readers who stumble over the name “CCleaner” will identify it with registry cleaning. I understand that it has several new tricks. And a big new owner.

        2 users thanked author for this post.
        • #133283 Reply

          anonymous

          Hi Woody, Thanks for clarifying. Many of us have used Ccleaner for well over 10 years, well back to the version 1.x days. We never thought of it as a “registry cleaner” but more of a “temporary file cleaner” like we did with .bat files decades ago. Thanks again.

    • #133144 Reply

      Canadian Tech
      AskWoody_MVP

      Woody, it is my standard policy to prohibit Ccleaner and any and all other software that claims to make computers run faster. If I see any of them on a client computer, I remove it.

      I base this policy on many years of experience that show these things very rarely produce any benefit and almost always cause all manner of problems. A lot of the situations I run into on the Microsoft Answers forum stem from these animals.

      My client computers have ONE top end anti-virus ONLY software program, use the Win7 firewall and an occasional run of ADWcleaner. Not one of these 130+ Win7 systems has had an infection or any serious problem in 3 years.

      CT

      4 users thanked author for this post.
      • #133284 Reply

        anonymous

        Hello CT, Thanks for your insights and comments. Yes many people do grab some program claiming to make the PC faster. Many are not worth it, even as free. But I (and others) must call exception to Ccleaner. It was designed to remove temporary files and clean up the PC. I and others who have worked on PC every day for a living, have seen gigs of data removed when the user never ran “disk cleanup” which comes with windows. I have seen 13 gigs removed with Ccleaner in the past. The issue is not Ccleaner is an evil program but rather someone tampered with the installer. I read your comments frequently and feel your ideas are very good and worthy as are many here in woody’s forum are. Thank you CT.

        • #134871 Reply

          Canadian Tech
          AskWoody_MVP

          Anonymous, Again, my point is NOT that Ccleaner is a bad tool. It is just too dangerous for the average Joe/Jane. They can easily get themselves into trouble. The kind of trouble that when it ends up on my desk, it is virtually impossible to track down.

          The problem is the commonly held approach that the average person is capable of managing his own computer. Sadly, this is just not true. Note that the vast majority of computers that go to the scrap heap are not worn out or defective. It is simply the cost that WorstBuy throws at them to “fix” it, which rarely really needs more than a re-install of Windows. Of course they usually throw in a new hard drive whether you need it or not.

          The average user has little more understanding of his Windows computer than they do of their electric toothbrush.

          Thank you for the very nice compliment. Actually, I will be spending more time here at woody’s from now on. I have been a contributor to Microsoft Answers forum for 9 years now. They are now making changes there that make it impossible for me to consider continuing my volunteer work there.

          CT

          1 user thanked author for this post.
      • #134157 Reply

        anonymous

        This is reposted from, September 22, 2017 at 12:07 pm, since it was lost after the outage.

        Hello CT, Thanks for your insights and comments. Yes many people do grab some program claiming to make the PC faster. Many are not worth it, even as free. But I (and others) must call exception to Ccleaner. It was designed to remove temporary files and clean up the PC. I and others who have worked on PC every day for a living, have seen gigs of data removed when the user never ran “disk cleanup” which comes with windows. I have seen 13 gigs removed with Ccleaner in the past. The issue is not Ccleaner is an evil program but rather someone tampered with the installer. I read your comments frequently and feel your ideas are very good and worthy as are many here in woody’s forum are. Thank you CT.

        You responded kindly to me that it is OK for professionals like us to use but dangerous for average users.

        My response back later on 9-22-17 was:

        Hello CT, Thank you for responding. It is always great to hear from one of the MVPs here! CT you may have had some bad experience relayed from a common user with Cleaner and broke something. If so, OK. But I and others have used Ccleaner for well … a decade and we have all of our family members on it and common users that we work with. No one has ever said Ccleaner has harmed their computer. We HAVE had some users not follow instructions and download Ccleaner from a non reliable download site, but the program itself “Ccleaner” never has done anything wrong with my people (friends, relatives, PC users). Basically you tell it to clean the computer say yes to do it, then close afterwards and reboot. This is much easier than trying to run “Disk Cleanup” that comes with Windows. Note, “Disk Cleanup” is free and from Microsoft as part of the OS and will work fine after the common user figures it out. Thank you again CT.

    • #133220 Reply

      Microfix
      AskWoody MVP

      Oh the irony, internet security firm (Avast!) buys Piriform and then this happens!

      Our CCleaner is solely used for system cleaning (no registry stuff) in conjunction with a script generated by CCEnhancer a few years ago for our programs on each PC, as this opens up access to other areas for flushing/ cleaning and monitoring.

      Edit: Our CCleaner is blocked via firewall rules and set to never update.

      | W10 Pro x64 1803 | W8.1 Pro x64 | Linux x64 Hybrids | W7/ XP Pro x64 O/L
        Can't see the wood for the trees? Look again!
      3 users thanked author for this post.
    • #133305 Reply

      Noel Carboni
      AskWoody_MVP

      Woody, you wrote:

      Oy. Don’t use registry cleaners, OK?

      Heh, well said. 🙂

      I’m no fan of “cleaner” applications, but I do see how a beast such as CCleaner can be attractive to folks who don’t want to have to “get geeky” with the folders on their computers themselves, and who might choose to undertake activities that pollute their registries with junk data.

      Let me assure the readers here: It’s SIMPLY NOT NECESSARY to “clean” your registry in order for Windows to continue to perform. I don’t ever use a registry cleaner on production systems (though I did test CCleaner once thoroughly – well before Avast bought Piriform – to see how much merit was in the claims of performance improvements; I chose NOT to use it as I manage my file system myself quite thoroughly).

      Bottom line: I run Windows systems for a lot of years without reinstalls, without slowdowns, and without problems.

      Bigger picture-wise, this is precisely the kind of thing in general that illustrates why I have chosen to set up a restrictive firewall configuration that blocks both incoming AND outgoing communications that I haven’t sanctioned by default. If an application makes an unexpected attempt to communicate abroad, it’s blocked and I know it. Note that the Windows default is to allow all outgoing communications.

      When I do evaluate new software, I investigate every communication attempt it makes, and I see how many of them it can do without and still work properly. Surprisingly, the answer to that is that software can often do without most communications, and sometimes all. It’s as though every Marketing department in the world has demanded their engineers implement “cloud, cloud, cloud” but without good reasons. The times I *DO* allow communications are for things like update checks (which I try to configure to be manually-initiated only), legitimate licensing and activation activities, and for applications whose actual purpose is to communicate online (e.g., web browsers, FTP transfer applications, etc.). Telemetry? Zzzzt – blocked. Comms I can’t get to the bottom of why they’re happening? Nope, disallowed (I’ve had almost none I can’t explain; if I do see that kind of thing and it can’t be deconfigured I just shun the software).

      -Noel

      1 user thanked author for this post.
      • #133326 Reply

        anonymous

        Noel, I am like you on this so I had the same experience. I am not surprised.

        Now what would be interesting would be to try to test performance improvements on a PC that has had a lot of install and uninstall of all kind of random software by a typical user. The results might, and I say might, vary if the tool cleans a lot of remnant that have a significant impact, which I doubt.

        AlexEiffel

      • #133366 Reply

        anonymous

        Hello Noel, Well put. While we do use ccleaner and have so for well over a decade, it is a good program that does well in removing temporary files, MRU (most recently used) names and other items. We worked on PCs every single day. Yes, it also has a registry cleaner. It usually does NOT have any ill effects on windows, others do. Ccleaner also had other “tools” within that make life easy with regards to disabling/enabling windows startup programs and browser addons/plugins. I have used it for maintenance AND cleaning up malware off of peoples PCs. I and others have used it for 10 to 12 years, since version 1.x with mostly good success. Especially after a virus was removed from a PC and one wanted to clear out all histories, temp files, and other items. Ccleaner is a good program. It is not the program here to be blamed, it is the malware added! Using a firewall to stop communications is a SMART move that we have done since the early 2000’s with a good 3rd party firewall. Thank you Noel.

      • #134156 Reply

        anonymous

        This is reposted from, September 22, 2017 at 11:46 am, since it was lost after the outage.

        Hello Noel, Well put. While we do use ccleaner and have so for well over a decade, it is a good program that does well in removing temporary files, MRU (most recently used) names and other items. We worked on PCs every single day. Yes, it also has a registry cleaner. It usually does NOT have any ill effects on windows, others do. Ccleaner also had other “tools” within that make life easy with regards to disabling/enabling windows startup programs and browser addons/plugins. I have used it for maintenance AND cleaning up malware off of peoples PCs. I and others have used it for 10 to 12 years, since version 1.x with mostly good success. Especially after a virus was removed from a PC and one wanted to clear out all histories, temp files, and other items. Ccleaner is a good program. It is not the program here to be blamed, it is the malware added! Using a firewall to stop communications is a SMART move that we have done since the early 2000’s with a good 3rd party firewall. Thank you Noel.

    • #133374 Reply

      teuhasn
      AskWoody Lounger

      I have version 5.25 (December 2016) of Ccleaner installed. I used to run it daily, not to clean the registry, but to clean out the Internet cache, temp files, and cookies, etc. but I stopped doing that after I switched from IDE hard drives to SSD hard drives because of reports that that kind of aggressive cleaning can put wear and tear on SSDs.

      One good thing the earlier free version of Ccleaner is still useful for to me is secure wiping as of a flash drive or IDE hard drive no longer being used. You could set various parameters as to the type of wipe and number of passes. It was slow but seemed reliable.

    • #133475 Reply

      MrBrian
      AskWoody_MVP
    • #133498 Reply

      PKCano
      Da Boss

      CCleaner v5.35 has been released 9/20/17

    • #133578 Reply

      Kirsty
      Da Boss

      An update from @martinbrinkmann:

      CCleaner Malware second payload discovered
      https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/

      By Martin Brinkmann on September 21, 2017 in Security

      A new report by Cisco’s Talos Group suggests that the CCleaner hack was more sophisticated than initially thought. The researchers found evidence of a second payload during their analysis of the malware which targeted very specific groups based on domains.

    • #133581 Reply

      Kirsty
      Da Boss

      For Powershell users, a tip from myitforum.com:

      Detection and Removal of CCleaner Using PowerShell

    • #133904 Reply

      MrBrian
      AskWoody_MVP

      From Avast Threat Labs analysis of CCleaner incident:

      “Experts at Avast Threat Labs have been analyzing the CCleaner advanced persistent threat (APT) continuously for the past few days and apart from the information in recent blog posts (Piriform and Avast posts),  we are starting a series of technical blog posts describing  details and technical information that we encountered during our analysis. Today, we will cover the ongoing analysis of the CnC server and the 2nd stage payload.”

    • #133113 Reply

      anonymous

      I use the portable version of CCleaner. Is the portable version affected?

    • #133114 Reply

      anonymous

      Hey Woody,

      Thanks for the heads up!

      Does installing the 5.34 version automatically uninstall the malware?

    • #133131 Reply

      anonymous

      I’m still using v4.19 from many years ago, but I only use it to clear the [garbage] out of my PC, not as a registry cleaner, so I suppose I don’t need to worry

    • #133279 Reply

      anonymous

      I have used cc cleaner for years for cleaning cookies & a few other odds & ends.  Never anything with cleaning registry. Current installation was 533_slim 64 bit version not 32 bit. My a/v showed nothing when I scanned but when I scanned w/Malwarebytes it showed ccsetup 533_slim and cc cleaner in program files as Trojan.Nyeta both on my win7 and win10 machines. I let Malwarebytes remove then I uninstalled program. Nothing left in registry that I can see. It was convenient for a quick clean-up and I may go back to an old version prior to Avast purchasing. Got to seriously think about it though.

      L

    • #133289 Reply

      anonymous

      I have only used 64bit version of Ccleaner (I use 64bit Windows).

      I also did a MSE and Malwarebytes scan and both came up clean.


      Am I safe?

    • #133330 Reply

      anonymous

      When I read this post I checked my computer and got a warning from Malwarebytes. The infected software was the ccleaner installer in downloads. I hadn’t installed it and the computer is clean – I ran Malwarebytes and McAfee to be sure.

      I usually wait before installing ccleaner because it seems to arrive around Windows Update time and that gets priority. In this case “don’t update immediately unless it’s broken” paid off.

      The article said only 32bit was compromised but the version I use is 64bit and the installer was flagged by Malwarebytes as Trojan.Floxif.

      I hate it when people call the program a registry cleaner. I have used it for years and never touch the registry. It is for cookies and temp files and other crud that can accumulate on a computer.

      One final note: I had forgotten Avast bought Piriform and this reminded me of another Avast related security issue. A few years ago somebody hacked into their forums and stole usernames and email info. Makes you wonder when a security company get compromised.

      -firemind

    • #135478 Reply

      MrBrian
      AskWoody_MVP

      From Inside the CCleaner Backdoor Attack (October 5, 2017):

      “As the investigation continues into the backdoor planted inside CCleaner, two members of parent company Avast’s threat intelligence team said today the desktop and cloud versions of the popular software contained different payloads.

      The revelation was made during a talk at Virus Bulletin 2017 during which Jakub Kroustek and Jiri Bracek shared technical details on the attack, primarily about the command and control infrastructure used for communication, as well as some insight on the targets and hinted that there may be other stages of this attack that have yet to be uncovered.”
