After reading your post I was trying to figure out if Wise Disk Cleaner has the same cookie cleaning functionality as CCleaner (e.g., to exclude selected cookies from cleaning) and went to their official forum from a link on the home page at http:// www. wisecleaner.com/wise-disk-cleaner.html. As soon as I started searching their user forum Norton reported a high risk intrusion attempt for Web Attack Fake Tech Support Website 73. The summary for this detection states "This signature is designed to prevent access to sites that redirect users or perform actions to trick users into calling the scammer and installing misleading applications such as fake antivirus software."
I think I'll just wait a few days and see if Avast releases any new information before I make a decision about whether it's time to ditch CCleaner. That would be a shame because I've been a loyal Piriform customer for years.
-----------
32-bit Vista Home Premium SP2 * NS v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.34.6207
Hi, Imacri. I agree about not ditching CCleaner. I've used it for years without issues.
Re Wise Disk Cleaner, Kaspersky, MBytes and Zemana have all given it a clean bill of health and the recommendation comes from the user on Whirlpool who does malware removal, so I'm guessing it's safe!
I've found a new vector here. If you use a scheduled task to run ccleaner (auto-elevate and also possibly auto-clean?) the task by default runs the 32-bit version (which automatically runs the 64-bit version) which would run the mal-code before anything else.
Theoretically 64-bit user who ran the 32-bit version for some reason (above or some other) may have the trace here instead:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Piriform\Agomo\
I also found a possible example of malware stage two:
Floxif is the detection for a Trojan that was bundled with a hacked version of CCleaner. Downloads of the 32-bit versions of CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191 were modified by hackers who included a Trojan in the main CCleaner.exe executable. These malicious versions were available for download between August 15 and September 12.
When these versions of CCleaner were executed on a 32-bit system, the Floxif malware would be executed and transmit various information back to a remote server.
Ondrej Vlcek, CTO of Avast, told SecurityNow that the point of the attack was to hurt Avast. "At this point, we don't know how long the infection was in place... but the attackers must have known that Piriform was about to be owned by Avast." He describes the infection as 'very skillfully designed' to remain cloaked and evade the standard procedure for testing new software for weaknesses before it goes out into the wild.
"My view is that whoever designed this (had) carefully analyzed where the backdoors should be, and then added multiple layers and sophistication to the infection," said Vlcek. "It evaded our sandboxing process, and was definitely a very innovative attack. It went unnoticed for about a month."
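A quick way to check a machine for the two traces this post describes, the Agomo registry key (in both the native and the Wow6432Node location) and the installed CCleaner build, as an added PowerShell example that is not code from this thread or from Piriform/Avast. It assumes CCleaner sits under one of the standard Program Files folders (the poster above has it on e:\, so adjust $ExePaths), that 5.33.6162 is the only build number the thread identifies as tampered, and that the native HKLM:\SOFTWARE\Piriform\Agomo path is where a 32-bit OS or 64-bit process would write the key.

```powershell
# Added example, not code from the thread or from Piriform/Avast.
# Assumptions: CCleaner is under one of the $ExePaths below, the tampered 32-bit
# build is version 5.33.6162 as quoted in the thread, and the native Agomo path
# is the counterpart of the Wow6432Node path the thread reports.

$AgomoKeys = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',             # assumed native location
    'HKLM:\SOFTWARE\Wow6432Node\Piriform\Agomo'  # location quoted in the thread
)

$ExePaths = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"   # empty on 32-bit Windows; harmless
)

# Version parts of the build the thread identifies as infected (5.33.6162).
$InfectedMajor = 5
$InfectedMinor = 33
$InfectedBuild = 6162

function Get-AgomoTrace {
    param([string[]]$KeyPaths = $AgomoKeys)
    foreach ($path in $KeyPaths) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ KeyPath = $path; Present = $false; ValueName = $null; Data = $null }
            continue
        }
        $key   = Get-Item -LiteralPath $path
        $names = @($key.GetValueNames())
        if ($names.Count -eq 0) {
            [pscustomobject]@{ KeyPath = $path; Present = $true; ValueName = '(no values)'; Data = $null }
        }
        foreach ($name in $names) {
            # Report every value that exists rather than assuming value names.
            [pscustomobject]@{ KeyPath = $path; Present = $true; ValueName = $name; Data = $key.GetValue($name) }
        }
    }
}

function Get-CCleanerBuild {
    param([string[]]$Paths = $ExePaths)
    foreach ($exe in $Paths) {
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $info  = (Get-Item -LiteralPath $exe).VersionInfo
        $sig   = Get-AuthenticodeSignature -FilePath $exe
        $parts = @($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)
        # The exact PE version layout is assumed; 6162 is matched in either the
        # build or the private part so the check works for both layouts.
        $matches = ($parts[0] -eq $InfectedMajor) -and ($parts[1] -eq $InfectedMinor) -and ($parts -contains $InfectedBuild)
        [pscustomobject]@{
            Path            = $exe
            FileVersion     = $info.FileVersion
            # The thread notes the tampered build carried a valid Piriform signature,
            # so a 'Valid' status here is not evidence that the file is clean.
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
            MatchesInfected = $matches
        }
    }
}

Get-AgomoTrace    | Format-Table -AutoSize
Get-CCleanerBuild | Format-List
```

Run it from an elevated prompt so HKLM is readable in full. A present Agomo key on a machine that has since been updated to 5.34 is consistent with what later posts in this thread report (leftover registry entries picked up by Malwarebytes after the fact), and the version check only tells you whether the currently installed binary is the tampered build, not whether an earlier one ran during the August to September window.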
"...as soon as we became aware of this issue, we engaged and solved it. Within approximately 72 hours of discovery, the issue was resolved by Avast with no known harm to our Piriform customers."
Too bad the timeline posted today by bleepingcomputer's Catalin Cimpanu at "Avast Clarifies Details Surrounding CCleaner Malware Incident" shows that it took over a month before Avast and Piriform even realized their v5.33 32-bit ccleaner.exe executable was infected.
What really ticks me off is that the change log for CCleaner v5.34 at http://www.piriform.com/ccleaner/version-history still says "Minor GUI improvements / Minor bug fixes".
-----------
32-bit Vista Home Premium SP2 * NS v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.34.6207
The infected 32-bit ccleaner.exe executable for v5.33 was signed by Piriform with a valid digital certificate, whitelisted by Norton and then given full (unrestricted) access through my Norton Smart Firewall between 15-Aug-2017 and 13-Sep-2017, so I'm still trying to figure out if there is any way I can figure out if data from my computer was sent back to the rogue servers at IP address 216.126.x.x.
-----------
32-bit Vista Home Premium SP2 * NS v22.10.0.10 * MB Premium v3.2.2 * CCleaner Free v5.34.6207
Almost certainly yes data was sent.
Computer name, IP, installed software, running software, MAC address for your network adaptors.
On the basis of that info the attacker could decide what (if any) malware to send you for stage 2.
My Malwarebytes v3.2.2 Threat Scan came up clean yesterday with database v1.0.2835, but I ran a new Threat Scan today with the database v1.0.2843 and it finally detected the following stray registry entries left behind by the Floxif malware that was embedded in the 32-bit ccleaner.exe executable for v5.33:
Given the system details that are sent back to the attacker, they could pick and choose which machines to deliver malware payload to (country/network A but not country/network B).
Update: It looks like they would know what antivirus was installed on each infected machine, so they could skip delivering (or deliver a different) payload to those who had avast (or any other antivirus) installed.
Target:
32-bit computers only
Machines with computer names or name patterns of the attacker's choosing
Machines with IPs of the attacker's choosing (country/business/narrow/broad target list) -- could exclude by IPs
Machines with (or without) software installed (including antivirus) of the attacker's choosing
Machines with (or without) software (including antivirus) which is actively running of the attacker's choosing
So a hypothetical target to deploy the stage 2 malware (just an example) could be:
32-bit users only, only in Canada, excluding known avast network IPs, and anti-virus IPs, no IPs from Asia, no users with avast (protection) software installed, only users with quickbooks installed.
Yes we run 32-bit on my desktop so that Dottie can use her WIN 98 era Solitaire Suite!
Tablet is on 64-bit Win 10AC Home because CU breaks the touchscreen function so I have it isolated from the internet to stop MS from force updating it again. Dottie uses it offline for some therapy programs. But it does have CCleaner on it so I'll check the version.
If your Permalink was specifically to me, thanks. I looked where the quick scan directed me to and saw what I reported but looking specifically at Resolved and the details are there although dated today twice and not yesterday when the quick scan reported what it had done.
Filename: ccleaner.exe
Threat name: Trojan.Sibakdi
Full Path: e:\program files\ccleaner\ccleaner.exe
etc.
Thanks for the pointer but my note to Sunil still applies!
Given the system details that are sent back to the attacker, they could pick and choose which machines to deliver malware payload to (country/network A but not country/network B). Sounds like they either didn't plan to distribute a payload or they had a very specific target in mind. No-one's seen this payload so either it didn't exist or they were very good at this.
For information regarding this event > from Norton pop-up > View Details > Copy to Clipboard and/or from Norton history > More Options > Copy to Clipboard > paste.
It detected "a virus" on a quick scan yesterday and said it fixed it ..... just checked now that I'm catching up on post-IRMA messages and CCleaner is no longer on my machine!
My desktop shortcut is still there but puts up a windows error message about the file no longer being there and Open file location draws a blank ....
Nice to know what they removed with no indication of what the virus was ... or is it hidden somewhere other than the usual History place?