A new CCleaner 5.34.6207 has been released; for more info and to download go to http://www.piriform.com/ccleaner/builds (9.5 MB in size). WATCH for the add-on Chrome download window check box!!! Note the slim version without the add-on will be available in a few days.
System Requirements
Windows 10, 8.1, 8, 7, Vista and XP. Including both 32-bit and 64-bit versions.
Stortman:
...This prompted me to check my 64 bit Win7Pro desktop. I found I still had CC533 installed. I have installed CC536 ...After reading this thread I am inclined to believe that I am safe as I only run 64 bit CC manually (and frequently as required). I am running full system scans. Should I take any further steps as a safeguard?
Hi Stortman:
You don't have to worry that you have an active Floxif backdoor trojan infection (detected as Trojan.Sibakdi by Norton - see the Symantec Security Response write up <here>) on your computer. The compromised code was only present in the 32-bit executable (CCleaner.exe) and not the 64-bit executable (CCleaner64.exe), and the remote command and control server used by the hackers was taken down by law enforcement on 15-Sep-2017.
The CCleaner installer (e.g. ccsetup533.exe) installs both CCleaner.exe and CCleaner64.exe, so there's a remote possibility that the compromised 32-bit CCleaner.exe v5.33 was launched on your 64-bit system - see my comments <here>. If you'd like to check your system for any orphaned (but harmless) traces of this Floxif trojan in your Windows registry at HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo as shown <here>, then a Threat Scan with the free version of Malwarebytes v3.x (available at https://www.malwarebytes.com/free/) should be able to detect and remove them. After you install Malwarebytes, just be sure to disable the 14-day trial of the Premium (real-time protection) features by going to Settings | My Account and clicking the Deactivate Premium Trial button as shown in the support article How-To: Deactivate Trial Version in Malwarebytes 3.
If you haven't already done so, you might also want to consider enabling automatic checking for CCleaner updates at Options | Settings | Automatically Check for Updates to CCleaner.
-----------
32-bit Vista Home Premium SP2 * NS v22.11.0.41 * MB Premium v3.2.2 * CCleaner Free v5.35.6210
Today, 27/10/2017, I was alerted to this issue by NIS on my 64-bit Win10 laptop. Auto-Protect had detected trojan Sibakdi in ccsetup533.exe that I had retained. NIS quarantined it. Actually, I had CC535 installed. I don't know when I installed CC533 and if I subsequently installed CC534. This prompted me to check my 64-bit Win7Pro desktop. I found I still had CC533 installed. I have installed CC536.
I use my computers on a daily basis. Neither Piriform nor NIS had reported this issue on either computer up until now. I am surprised by this.
After reading this thread I am inclined to believe that I am safe as I only run 64 bit CC manually (and frequently as required). I am running full system scans. Should I take any further steps as a safeguard?
Thanks for your explanation though it's quite complex for me ;-)
I'll give you kudos for your great analogy: "No burglars entered my house with that stolen key, see the door is still locked." -- "What if they just re-locked the door on the way out?"
As I understand it if you launch the 32-bit version on a 64-bit system the malware thread waits ~10 minutes before acting, but the 32-bit version passes control to the 64-bit version and exits the whole process (waiting malware thread included) within less than a second. If the 64-bit version was missing the 32-bit version might be able to keep running, but that's a pretty obscure scenario.
Also bear in mind (in general) when checking for malware traces left behind by malware, nothing stops the malware from deleting all traces of itself when it's done.
"No burglars entered my house with that stolen key, see the door is still locked." -- "What if they just re-locked the door on the way out?"
...However, my question remains whether this second stage could only be initiated if you used the 32-bit version CCleaner.exe or if it could also be initiated by the 64-bit version CCleaner64.exe. In other words, am I safe if I never executed the 32-bit version?
Our investigations show that the compromised code was only present in the 32-bit binaries (CCleaner.exe) and not the 64-bit binaries (CCleaner64.exe). Regardless of system architecture, CCleaner v5.33 installs both CCleaner.exe and CCleaner64.exe...In some cases, the 32-bit executable may be launched on a 64-bit system. For example, the CCleaner cleaning scheduler points to CCleaner.exe regardless of system architecture...
I'm still trying to figure out what this means for users with 64-bit OSs, but my current understanding is that unless you were one of the 20 or so targeted companies who received the second-stage payload and have all the IOC (indicator of compromise) Windows registry entries listed at the bottom of the 25-Sep-2017 Avast blog entry Additional information regarding the recent CCleaner APT security incident (including second-stage entries like HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP, etc.), then you don't have to worry that your system was attacked.
-----------
32-bit Vista Home Premium SP2 * NS v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.35.6210
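The two replies above point at the same kind of check: are the registry traces named in this thread (HKLM\SOFTWARE\Piriform\Agomo from the first-stage Floxif code, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP from the second stage) present, which CCleaner binaries are on disk, and does anything scheduled still launch the 32-bit CCleaner.exe on a 64-bit box. The script below is an added example, not code from this thread, Piriform or Avast. It is read-only (it deletes nothing), lists only the two keys this thread cites (the Avast write-up lists more), assumes Windows 8 or later for Get-ScheduledTask and the default CCleaner install folder, and is best run from an elevated prompt so all scheduled tasks are visible.

```powershell
# Added example (not from the thread, Piriform or Avast): read-only check for the
# CCleaner v5.33 registry IOCs named in this thread, the CCleaner binaries present,
# and any scheduled task that would launch CCleaner.
# Assumptions: Windows 8+ (Get-ScheduledTask); CCleaner in the default install folder.

# Registry keys this thread names as traces of the Floxif / stage-2 code.
# Only the keys cited in the thread are listed; the Avast blog post lists additional ones.
$IocKeys = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP'
)

function Test-CCleanerIocKeys {
    # Report each key as present/absent; dump its values when present so the
    # finding can be handed to whoever does the cleanup.
    foreach ($key in $IocKeys) {
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{
                Key     = $key
                Present = $true
                Values  = (Get-ItemProperty -LiteralPath $key | Out-String).Trim()
            }
        } else {
            [pscustomobject]@{ Key = $key; Present = $false; Values = $null }
        }
    }
}

function Get-CCleanerBinaryVersions {
    # Default install folder is an assumption; adjust if CCleaner lives elsewhere.
    $dir = Join-Path $env:ProgramFiles 'CCleaner'
    foreach ($name in 'CCleaner.exe', 'CCleaner64.exe') {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $fv = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            [pscustomobject]@{
                File        = $path
                FileVersion = $fv
                # Per the thread, only the 32-bit v5.33 binary carried the compromised code.
                Affected    = ($name -eq 'CCleaner.exe' -and $fv -like '5.33*')
            }
        }
    }
}

function Get-CCleanerScheduledLaunches {
    # The thread notes the cleaning scheduler pointed at the 32-bit CCleaner.exe even on
    # 64-bit Windows; list any task action that executes a CCleaner binary.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -match 'CCleaner(64)?\.exe') {
                [pscustomobject]@{
                    Task    = $task.TaskName
                    Path    = $task.TaskPath
                    Execute = $action.Execute
                }
            }
        }
    }
}

Test-CCleanerIocKeys          | Format-Table -AutoSize
Get-CCleanerBinaryVersions    | Format-Table -AutoSize
Get-CCleanerScheduledLaunches | Format-Table -AutoSize
```

A present Agomo key on its own only means the 32-bit v5.33 binary ran at some point; as the earlier reply says, the traces are harmless once the command-and-control server is gone, and a Malwarebytes Threat Scan will remove them. The second key is the one that matters for the "was I a second-stage target" question. Absence of both is reassuring but, as noted later in the thread, not proof: malware can remove its own traces.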
I think I understand this second-stage loader concept and that it will check whether the OS is 32-bit or 64-bit.
However, my question remains whether this second-stage could only be initiated if you used the 32-bit version CCleaner.exe or if it could also be initiated by the 64-bit version CCleaner64.exe.
In other words, am I safe if I never executed the 32-bit version?
Do you know if independent research has proven that CCleaner64.exe really wasn't infected? Or do 'we' all copy the initial Avast statement here? If these hackers were really targeting high-tech companies, you would expect 64-bit platforms to be more interesting for them than 32-bit platforms...?
In short, do you know if there is real proof somewhere that the 64-bit version wasn't infected?
Cavehomme1: [..] I guess Norton and other AV vendors will need to, if not already, create a register of every single legitimate IP address which every trusted application connects to?
Since digicerts are inherently trusted, can anyone suggest what user settings adjustments are needed in Norton Security to prevent similar episodes of hacked trusted applications from phoning home and carrying out their nefarious tasks?
Separately, I guess Norton and other AV vendors will need to, if not already, create a register of every single legitimate IP address which every trusted application connects to?
You could put your firewall in manual mode, and then you will have to validate a program the first time you allow it access (which could be a giant pain), and it won't help you check for injected or tampered modules (usually DLLs). Plus under the circumstances a normal action would have been to allow CCleaner anyway.
The only thing that would have helped would have been to have a default deny for all programs that do not absolutely need internet access, but that would be a pain too.
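The "default deny for everything that does not absolutely need internet access" posture the reply above describes can be expressed concretely. The script below is an added example, not code from this thread or from Norton; Norton Security's firewall has no scripting interface cited here, so the built-in Windows Defender Firewall cmdlets (NetSecurity module, Windows 8 / Server 2012 and later) stand in for the illustration. The allow-list of programs is constructed and will need adjusting, the script must run from an elevated prompt, and it is called with -WhatIf first so nothing changes until you have read the preview.

```powershell
# Added example (not from the thread or Norton): default-deny outbound with an explicit
# allow-list, using the Windows Defender Firewall cmdlets. Assumes Windows 8+ and an
# elevated PowerShell session. Run with -WhatIf first to preview the changes.

# Programs you have decided genuinely need outbound access (constructed list; adjust).
# Note: svchost.exe hosts many services, so an allow rule for it is deliberately broad;
# narrow it with -Service if your environment allows.
$AllowedPrograms = @(
    @{ Name = 'Windows Update (svchost)'; Path = "$env:SystemRoot\System32\svchost.exe" },
    @{ Name = 'Browser';                  Path = "$env:ProgramFiles\Mozilla Firefox\firefox.exe" }
)

function Set-DefaultDenyOutbound {
    [CmdletBinding(SupportsShouldProcess)]
    param([hashtable[]]$Allow = $AllowedPrograms)

    foreach ($p in $Allow) {
        if (-not (Test-Path -LiteralPath $p.Path)) {
            Write-Warning "Skipping missing program $($p.Path)"
            continue
        }
        $ruleName = "AllowOut - $($p.Name)"
        # Create the per-program allow rule once; re-running the script is safe.
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            if ($PSCmdlet.ShouldProcess($ruleName, 'Create outbound allow rule')) {
                New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Allow `
                    -Program $p.Path -Profile Any | Out-Null
            }
        }
    }
    # Flip the default: anything without an explicit allow rule is blocked outbound.
    if ($PSCmdlet.ShouldProcess('Domain,Private,Public', 'Set DefaultOutboundAction=Block')) {
        Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
    }
}

function Restore-DefaultAllowOutbound {
    # Roll back to the normal Windows default if the allow-list proves too painful.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('Domain,Private,Public', 'Set DefaultOutboundAction=Allow')) {
        Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Allow
    }
}

function Get-OutboundPosture {
    # Quick view of where each profile stands.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
}

Set-DefaultDenyOutbound -WhatIf
Get-OutboundPosture
```

The caveat in the reply still applies: if CCleaner itself is on the allow-list because you expect it to check for updates, a signed, trusted CCleaner binary that has been tampered with phones home through that rule. Default-deny outbound limits which processes can talk at all; it does not vouch for the ones you let through.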
I'm not sure I follow this sentence (humorously or literally).
Somebody inside Piriform might have identified the attack outside and hacked the hacker's version to add Piriform to the targets.
That's if I understood
I don't know, someone went to a lot of (very effective) effort to breach other entities. This doesn't look like employer revenge to me unless we find that someone has fled the country and had a huge payoff.
Ondrej Vlcek, CTO of Avast, told SecurityNow that the point of the attack was to hurt Avast.
Really does seem highly likely that it was someone inside Piriform outraged at the sale.
Given the system details that are sent back to the attacker, they could pick and choose which machines to deliver malware payload to (country/network A but not country/network B).
Update: It looks like they would know what antivirus was installed on each infected machine, so they could skip delivering (or deliver a different) payload to those who had Avast (or any other antivirus) installed.
Target:
32-bit computers only
Machines with computer names or name patterns of the attacker's choosing
Machines with IPs of the attacker's choosing (country/business/narrow/broad target list) -- could exclude by IPs
Machines with (or without) software installed (including antivirus) of the attacker's choosing
Machines with (or without) software (including antivirus) which is actively running of the attacker's choosing
So a hypothetical target to deploy the stage 2 malware (just an example) could be:
32-bit users only, only in Canada, excluding known Avast network IPs and anti-virus IPs, no IPs from Asia, no users with Avast (protection) software installed, only users with QuickBooks installed.
Looks like this is just what they did. Targets they could hit ~800,000. Targets they went for ~20-100.