CCleaner Hiding Malware
September 18, 2017 6:53 PM

The popular disc cleaning software CCleaner's most recent version is a payload for malware. Bleeping Computer has more detail.
posted by codacorolla (24 comments total) 16 users marked this as a favorite
 
Well that isn't entirely reassuring.
posted by ActingTheGoat at 6:57 PM on September 18, 2017 [4 favorites]


I was on the latest version of CCleaner but decided to remove it anyways because that's one less software I have to concern myself with.
posted by Foci for Analysis at 6:58 PM on September 18, 2017


So it's just the one version? "Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to reports published by MorphiSec and Cisco Talos."
posted by cashman at 7:04 PM on September 18, 2017


That's my read on it, yes.
posted by codacorolla at 7:05 PM on September 18, 2017 [1 favorite]


i'm so glad my laziness prevented me from updating it past v3.25
posted by poffin boffin at 7:25 PM on September 18, 2017 [7 favorites]


I have been on vacation from Sept 5 to now and have not touched my laptop. Today it seemed to be running slowly so the first thing I did was run CCleaner. I did not update it or whatever. I just heard about this literally 30 seconds ago. What exactly do I do now?
posted by AFABulous at 7:32 PM on September 18, 2017


Sorry there wasn't more detail in the FPP, but I wanted to get the information out there and I'm not on a computer at the moment. This TechCrunch article has some detail:
https://techcrunch.com/2017/09/18/avast-reckons-ccleaner-malware-infected-2-27m-users/

I think highlights are:

Only certain versions affected, only 32 bit systems, Piriform shut down most capabilities of the malware (but still recommends upgrading out of the malware version). Some three million users were affected, and it's hard to say exactly how. At the very least checking the version you're on and then upgrading out of CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191 is recommended.
posted by codacorolla at 7:38 PM on September 18, 2017 [1 favorite]


AFABulous, Microsoft claims that Windows Defender can identify and remove Floxif. So I'd start by just running a scan, if I were you.
posted by Anticipation Of A New Lover's Arrival, The at 7:38 PM on September 18, 2017


I had the affected version, but apparently it was only active on 32-bit systems, so not my Windows 10. I still ran all my scan tools, Avira, HijackThis, Spybot, SUPERAntiSpyware, and updated CCleaner to 5.34. Hopefully that's sufficient because I really don't want to clean install this week.
posted by T.D. Strange at 7:54 PM on September 18, 2017


I'm curious—what's the purpose of it waiting 601 seconds and then checking the time?
posted by randomination at 8:01 PM on September 18, 2017


Interesting... I did upgrade to what is now known to be the malware version and I noticed at that time that unlike previous updates, when CCleaner would say 'there is a new version -- go to the website to upgrade', this one went through automatically, i.e. without downloading it from the website.

I was a bit surprised at the time but didn't give it a second thought. Until now.
posted by Parsnip at 9:28 PM on September 18, 2017 [1 favorite]


I didn't even know my disks needed cleaning! I've just been buying bigger and bigger ones.
posted by ryanrs at 10:02 PM on September 18, 2017 [3 favorites]


Can confirm Malwarebytes (free version+) can find this trojan and get rid of it. I didn't even know it was on my PC until Malwarebytes prompted me to update and scan, and CCleaner had an "important update" to the new version that downloaded without having to go to the website. I only did research into the problem after MB confirmed the presence of a trojan in the installer file, but now Chrome seems to distrust the new CCleaner version, too, if you download it from the site.

Researchers noted that the malware only ran on 32-bit systems.

This is more or less reassuring.
posted by lesser weasel at 10:38 PM on September 18, 2017 [3 favorites]


what's the purpose of it waiting 601 seconds and then checking the time?

Probably sandbox detection/evasion. Many AV analysis tools and practices involve running potentially malicious software inside virtual machines or debuggers for analysis which can skew the time or accidentally increase the running time. The malware checks the time, sleeps for a specific period of time, and then checks the time again. If the difference between the two checks isn't the specified value, it knows it's in the matrix and alters its behavior (which can range from deleting itself to doing nothing further that's malicious) to try to mess with the analysis.

Some of the automated testing platforms have 5-minute maximum test times during which they keep an eye on unknown executables, so waiting 6 minutes before doing anything malicious puts them outside that window.
posted by Candleman at 10:40 PM on September 18, 2017 [6 favorites]
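The sleep-then-recheck pattern Candleman describes, seen from the analyst's side as an added example (not code from the thread, Talos or any vendor tool): this Python scans a sandbox API-call trace for a sleep bracketed by two clock reads, reports whether the requested sleep outlasts a 5-minute analysis budget, and whether the sandbox "skipped" the sleep, which is the discrepancy the sample would notice. The trace format and sample lines are constructed; the API names are real Win32/NT calls.

```python
"""Flag time-query / long-sleep / time-query sequences in a sandbox API trace.
Added example, not from the thread: the trace format "<elapsed_ms> <api>(<args>)"
and the sample lines below are constructed to resemble a Windows API-call log."""
import re
from dataclasses import dataclass

TIME_APIS = {"GetSystemTimeAsFileTime", "GetTickCount", "GetLocalTime",
             "QueryPerformanceCounter", "NtQuerySystemTime"}
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)$")

# Constructed trace: a 601 s sleep sits between two clock reads, and this
# sandbox really waited (the elapsed column advances by roughly 601 s).
SAMPLE_TRACE = """\
000120 CreateFileW(path="a.tmp")
000131 GetSystemTimeAsFileTime()
000132 Sleep(ms=601000)
601140 GetSystemTimeAsFileTime()
601150 GetComputerNameW()
"""

@dataclass
class Finding:
    line_no: int          # trace line of the sleep call
    requested_ms: int     # how long the sample asked to sleep
    elapsed_ms: int       # how far the trace clock actually advanced
    exceeds_budget: bool  # sleep is longer than the sandbox analysis window
    sleep_skipped: bool   # sandbox fast-forwarded the sleep; a sample comparing
                          # the two clock reads would notice this

def parse(trace):
    """Return (line_no, elapsed_ms, api, args) tuples for well-formed lines."""
    events = []
    for n, line in enumerate(trace.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if m:
            events.append((n, int(m.group(1)), m.group(2), m.group(3)))
    return events

def find_timing_checks(trace, budget_s=300, tolerance_ms=2000):
    """One Finding per sleep whose neighbours are both time queries."""
    ev, out = parse(trace), []
    for i in range(1, len(ev) - 1):
        n, t, api, args = ev[i]
        if api in SLEEP_APIS and ev[i-1][2] in TIME_APIS and ev[i+1][2] in TIME_APIS:
            m = re.search(r"ms=(\d+)", args)
            requested = int(m.group(1)) if m else 0
            elapsed = ev[i+1][1] - t          # clock delta across the sleep
            out.append(Finding(n, requested, elapsed, requested > budget_s * 1000,
                               abs(elapsed - requested) > tolerance_ms))
    return out
```

A trace where the sleep is honoured but exceeds the budget tells the analyst to extend or re-run the job; a trace where the clock barely moves across a long sleep tells them the sandbox's sleep-skipping is itself visible to the sample.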


It should be noted that the attack used -- infiltrate a legitimate software's production pipeline to house the malware -- is a trick that's seen increased usage in the last few years, but for which there isn't much seen in the media. CCleaner is an effective and great program, but it's clear that you can no longer blindly trust software sources. Maintain solid anti-malware, and scan regularly.

Also, here's a Motherboard article about it.
posted by mystyk at 3:37 AM on September 19, 2017 [2 favorites]


There's a lot of malware takeover of previously innocent apps in mobile - my experience is all Android, so I can't say anything about Apple. I've had file managers and media players turn into loathsome vectors a few times, and I use very few apps.

In general, I long ago adopted a minimalist approach to third party utilities - if I don't need it, I don't use it. This is a habit I developed well before malware became as prevalent as it is now, when I was reviewing and often subsequently using new computers almost by the month. Before then, I had the usual tinkerer's mess of utilities, customisations, tweaks and fripperies, but after a while trying to create an easy way to migrate this lot from computer to computer I had the revelation that if I didn't bother, life became a lot simpler.

That's stuck with me, and it's quite notable how many of the 'problems' that utilities claim to fix can be circumvented either by better practice or by learning the built-in functions of an OS. Nowadays, I see almost every new thing as an increase in vulnerability surface, and it has to be something with an actual, quantifiable, unique benefit before I give it house room.

(Not that I don't have fun, but I do that elsewhere from my daily workspace.)
posted by Devonian at 4:57 AM on September 19, 2017 [1 favorite]


There's a lot of malware takeover of previously innocent apps in mobile - my experience is all Android, so I can't say anything about Apple.
Curious, did these come from Google's app store or from third-party sites?
posted by xedrik at 6:44 AM on September 19, 2017


Hey, does anyone remember an FPP (I think from a few years back) about a freeware PC program where the author had intentionally included a backdoor or was somehow stealing data? I can't remember exactly but there was some exposé where computer forensics people were showing how it sent data back to some server.
posted by pravit at 7:17 AM on September 19, 2017


The most interesting part is it was some utterly mundane freeware utility you'd never expect, like a movie format converter or something.
posted by pravit at 7:17 AM on September 19, 2017


... popular disc cleaning software...

Maybe it's because of the spelling of "disc", but I was imagining software that made a CD-ROM drive do something that would supposedly make a CD physically cleaner.

I was having a hard time imagining that being popular.
posted by gurple at 8:19 AM on September 19, 2017 [1 favorite]


>>what's the purpose of it waiting 601 seconds and then checking the time?

>Probably sandbox detection/evasion.

Yep, that's it. Here's a technical writeup from Cisco's Talos Intelligence Group, who discovered the malware.

This is similar to WannaCry/WannaCrypt attempting to connect to a domain that was known to be unregistered, to evade sandboxes, since they usually return a result for every connection request. When that domain was registered by a researcher, it stopped spreading.
posted by yuwtze at 8:28 AM on September 19, 2017 [3 favorites]


I just wish they still called it Crap Cleaner like in the olden days.
posted by univac at 1:07 PM on September 19, 2017


Talos has some followup analysis of the command and control server the malware was checking. The gist is that it was used to deploy a second payload to a restricted set of infected systems, and seems to have been focused on networking and hardware companies at the time the C&C server files were captured.
posted by figurant at 5:25 PM on September 20, 2017 [1 favorite]


Dan Goodin on Ars Technica has more:
From September 12 to September 16, the highly advanced second stage was reserved for computers inside 20 companies or Web properties, including Cisco, Microsoft, Gmail, VMware, Akamai, Sony, and Samsung. The 20 computers that installed the payload were from eight of those targeted organizations, Avast said, without identifying which ones. Again, because the data covers only a small fraction of the time the backdoor was active, both Avast and Talos believe the true number of targets and victims was much bigger.

The second stage appears to use a completely different control network. The complex code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. Craig Williams, a senior technology leader and global outreach manager at Talos, said the code contains a "fileless" third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. Researchers are in the process of reverse engineering the payload to understand precisely what it does on infected networks.

"When you look at this software package, it's very well developed," Williams told Ars. "This is someone who spent a lot of money with a lot of developers perfecting it. It's clear that whoever made this has used it before and is likely going to use it again."
...
The picture coming into focus now looks serious. Attackers gained control of the digital signing certificate and infrastructure used to distribute a software utility downloaded more than 2 billion times. They maintained that control with almost absolute stealth for 31 days, and, during just four days of that span, they infected 700,000 computers. Of the 700,000 infected PCs—again, believed to be a fraction of the total number of compromises during the campaign—a highly curated number of them received an advanced second-stage payload that researchers still don't understand. It's almost inevitable that more shoes will drop in this unfolding story.
The article also notes that there are signs that indicate the hackers could come from China, but that could also be a false flag to mislead investigators.
posted by filthy light thief at 2:08 PM on September 22, 2017 [1 favorite]



