CCleaner issue - update or not to update


14 replies to this topic

#1 seraphin


Posted 18 September 2017 - 07:04 AM

News broke today that CCleaner v5.33 is compromised and the version was "tainted with a backdoor installed in the tool".

 

My questions are

 

1. Does it mean versions prior to 5.33 are safe (i.e. no backdoor program installed) ????

 

2. In general, Is a "program update" equal to "downloading the latest program from scratch" ? (i.e. If I have a CCleaner v.4 and it continues to get updated regularly, when v5 is released and I update my v4 with the latest update patch, is my v4 now identical to my uninstall-v4-install-v5)


Edited by hamluis, 18 September 2017 - 07:21 AM.
Moved from Am I Infected to Gen Security - Hamluis.



 


#2 JohnC_21


Posted 18 September 2017 - 08:10 AM

Only 32bit 5.33.5162 was affected but even if you have 64bit I would update.

 

> This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download. We apologize and are taking extra measures to ensure this does not happen again.

 

http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

 

https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/



#3 Didier Stevens


Posted 18 September 2017 - 09:35 AM

1) yes, Talos only found it in version 5.33

2) yes, most program updaters download the full install program

 

If you have 5.33 running on your system, you should check if it is the backdoored version.

 

Do you know how to calculate a cryptographic hash (md5, sha256, ...)?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 JohnC_21


Posted 18 September 2017 - 12:38 PM

What's ironic is that only one AV detected it and that was CLAM AV.

 


 

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html



#5 zainmax


Posted 18 September 2017 - 01:33 PM

> News broke today that CCleaner v5.33 is compromised and the version was "tainted with a backdoor installed in the tool".
>
> My questions are
>
> 1. Does it mean versions prior to 5.33 are safe (i.e. no backdoor program installed) ????
>
> 2. In general, Is a "program update" equal to "downloading the latest program from scratch" ? (i.e. If I have a CCleaner v.4 and it continues to get updated regularly, when v5 is released and I update my v4 with the latest update patch, is my v4 now identical to my uninstall-v4-install-v5)

If you do not use automatic updating (only possible for registered users), it will not disturb you in any way.


Edited by zainmax, 18 September 2017 - 03:11 PM.


#6 Didier Stevens


Posted 18 September 2017 - 02:13 PM

I observed that this backdoored ccleaner.exe was also distributed via portable application packages, bundles, pirated software, ...




#7 Didier Stevens


Posted 18 September 2017 - 02:44 PM

> What's ironic is that only one AV detected it and that was CLAM AV.
>
> http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

 

 

Not a surprise to me. ClamAV was acquired by Sourcefire, later acquired by Cisco. I've seen before that Talos releases signatures before they publish research.

 

FYI, here is the ClamAV rule:

[daily.ndb] Win.Trojan.Floxif-6336251-0:1:*:8bff558bec5151535657be7829000056bb{4}53e8b9ffffff595933ff57576800000400ff15{4}8945??3bc7746968783900005750ff15{4}8bd08955??3bd7744a8bfa33c92bfb8a99????????889c0f????????c681????????00413bce7ce7ffd233c98a91????????88940f????????c681????????00413bce7ce7ff75??6a00ff75??ff15{4}ff75??ff15{4}5f5e5bc9c3


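The rule quoted in post #7 uses ClamAV's extended signature layout, `Name:TargetType:Offset:HexSignature`. As an added example (not part of the post and not ClamAV's own code), the Python below parses such a record and matches it against a byte buffer; it goes beyond the two wildcards that rule uses by also handling `{n-m}` and `*`. The function names, the rule `Test.Constructed-1` and both buffers are constructed for illustration.

```python
import re

# Tokens of the body-signature subset handled here: {n} / {n-m} gaps,
# ?? (any byte), * (any run of bytes), and literal hex byte pairs.
TOKEN = re.compile(r"\{(\d+)(?:-(\d+))?\}|\?\?|\*|[0-9a-fA-F]{2}")

def parse_ndb(line):
    """Split an extended-signature record: Name:TargetType:Offset:HexSignature."""
    line = line.strip()
    if line.startswith("["):                 # drop a "[daily.ndb] " style prefix
        line = line.split("]", 1)[1].strip()
    parts = line.split(":")
    if len(parts) < 4:
        raise ValueError("expected Name:TargetType:Offset:HexSignature")
    name, target, offset, hexsig = parts[:4]
    return {"name": name, "target": int(target), "offset": offset, "hexsig": hexsig}

def hexsig_to_regex(hexsig):
    """Translate the hex signature into a compiled bytes regex."""
    out, pos = [], 0
    while pos < len(hexsig):
        m = TOKEN.match(hexsig, pos)
        if not m:
            raise ValueError("unsupported token at position %d" % pos)
        tok = m.group(0)
        if tok == "??":
            out.append(b".")
        elif tok == "*":
            out.append(b".*?")
        elif tok[0] == "{":
            lo, hi = m.group(1), m.group(2)
            out.append(b".{" + (lo + "," + hi if hi else lo).encode() + b"}")
        else:
            out.append(re.escape(bytes.fromhex(tok)))
        pos = m.end()
    return re.compile(b"".join(out), re.DOTALL)

def scan(data, line):
    """Return (name, match offset) or None. Target type (1 = PE) is parsed, not enforced."""
    sig = parse_ndb(line)
    rx = hexsig_to_regex(sig["hexsig"])
    if sig["offset"] == "*":                 # "*" = match anywhere in the file
        m = rx.search(data)
    elif sig["offset"].isdigit():            # plain number = absolute file offset
        m = rx.match(data, int(sig["offset"]))
    else:
        raise ValueError("offset form not handled: " + sig["offset"])
    return (sig["name"], m.start()) if m else None

# Constructed rule and buffers (not the real signature, not real malware bytes).
RULE = "[daily.ndb] Test.Constructed-1:1:*:deadbeef{4}cafe??f00d"
HIT = b"\x00\x01" + bytes.fromhex("deadbeef11223344cafe99f00d") + b"\xff"
MISS = b"\x00\x01" + bytes.fromhex("deadbeef112233cafe99f00d") + b"\xff"
```

`MISS` differs from `HIT` only in having three bytes instead of four in the `{4}` gap, which is enough to stop the signature from matching.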


#8 quietman7


Posted 18 September 2017 - 04:51 PM

The latest version of CCleaner (v5.34.6207) was released a few days ago. Everyone should be using that now.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#9 JohnC_21


Posted 18 September 2017 - 05:36 PM

> Not a surprise to me. ClamAV was acquired by Sourcefire, later acquired by Cisco. I've seen before that Talos releases signatures before they publish research

 

Very Interesting. Thanks.



#10 boopme


Posted 19 September 2017 - 01:37 PM

Please uninstall the version you have and download and install the latest version of CCleaner if you haven't done so already. This will over-write the bad file.

You can download it here.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#11 The-Toolman


Posted 20 September 2017 - 09:36 AM

I'm still using CCleaner 4.00 without updater enabled as I want to control what is installed. :thumbup2:

 

If an older software utility is working without problems no need to update to a newer version imo.

 

The only reason I feel a need to update is for Security Fixes and New Hardware Replacement although I may be wrong.


I'm grumpy because I can be not because I'm old.

 

The world is what you make of it, if it doesn't fit, you make alterations.

 

Under certain circumstances, profanity provides a relief denied even to prayer.  (Mark Twain)


#12 britechguy


Posted 20 September 2017 - 10:03 AM

Even if CCleaner's auto-update feature is enabled it, like most, is not really fully automatic (or at least it's not for the free version).  It will tell you that an update is available, but you still need to download and install it yourself.

 

I generally keep only the latest version of any software I use regularly.  It doesn't matter if "the old version" works since, when or if it doesn't, there's no support and the first question anyone (including on forums like this one) is going to ask is, "Are you running the latest version?"   If the answer is, "no," then the first response will most likely be (and should be), "Download and install the latest version to see if that solves the issue."

 

[I'll hold on to prior version installers until I've verified that I'm not having issues with the latest version, though.  After that verification they're promptly nuked.]


Edited by britechguy, 20 September 2017 - 10:05 AM.

Brian AKA Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

 

     In a modern society where everyone thinks their opinion deserves to be heard nothing annoys me more than individuals who mistake their personal preferences for fact.

         ~ Commenter TheCruyffGurn on the The Guardian website, 8/13/2014

 

              

 


#13 mechem


Posted 20 September 2017 - 04:30 PM

> Even if CCleaner's auto-update feature is enabled it, like most, is not really fully automatic (or at least it's not for the free version). It will tell you that an update is available, but you still need to download and install it yourself.
>
> I generally keep only the latest version of any software I use regularly. It doesn't matter if "the old version" works since, when or if it doesn't, there's no support and the first question anyone (including on forums like this one) is going to ask is, "Are you running the latest version?" If the answer is, "no," then the first response will most likely be (and should be), "Download and install the latest version to see if that solves the issue."
>
> [I'll hold on to prior version installers until I've verified that I'm not having issues with the latest version, though. After that verification they're promptly nuked.]

Apparently they changed their update procedure.  Now it presents a dialog box to update to the newest version rather than directing you to their site to download the newest version.  Not sure when it changed, but probably due to this issue.



#14 britechguy


Posted 20 September 2017 - 04:59 PM

> Apparently they changed their update procedure. Now it presents a dialog box to update to the newest version rather than directing you to their site to download the newest version. Not sure when it changed, but probably due to this issue.

Yep.  I just got that for the first time yesterday.  Still, my central point is that you must consent before the update will take place.  If you decline it continues to run the currently installed version (but you will be asked again, later).

 

I like the new style much better and it's much more in keeping with in-program updating behavior.



 


#15 quietman7


Posted 20 September 2017 - 05:02 PM

CCleaner Version History/ChangeLog