More info on the CCleaner debacle.
Yesterday the Talos research team released more of their findings on the CCleaner hack. Contrary to statements I have seen this past week, the “secondary payload” was activated on some machines. It looks like the secondary payload's goal was to locate and take control of computers inside major tech corporations' networks. These corporations included Cisco, D-Link, Google, Microsoft, Samsung, Sony, and a host of others.
Here is the Talos article: CCleaner Command and Control Causes Concern
Excellent breakdown by Wired: The CCleaner Malware Fiasco Targeted at Least 20 Specific Tech Firms
My initial reaction stands.
“These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor. These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.” Talos
***Update 0740hrs EST
Avast Blog – Progress on CCleaner Investigation
“For consumers, we stand by the recommendation to upgrade CCleaner to the latest version (now 5.35, after we have revoked the signing certificate used to sign the impacted version 5.33) and use a quality antivirus product, such as Avast Antivirus.”
***Update 0755hrs EST
Tired of seeing this “only 32-bit machines” nonsense.
“The stage 2 installer is GeeSetup_x86.dll. This installer checks the OS version and then drops either a 32-bit or 64-bit version of a trojanized tool. The x86 version is using a trojanized TSMSISrv.dll, which drops VirtCDRDrv (which matches the filename of a legitimate executable that is part of Corel) using a similar method to the backdoored CCleaner tool. The x64 version drops a trojanized EFACli64.dll file named SymEFA which is the filename taken from a legitimate executable that is part of “Symantec Endpoint”. None of the files that are dropped are signed or legitimate.” Talos
– – – – – – – – – – – – –
Bottom line: If you INSTALLED CCleaner 5.33 you should restore your computer from a backup from before the date you installed it.
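For anyone who wants to check a Windows box before deciding whether a restore is needed, here is a defender-side triage script. It is an added example, not code from this post, from Talos or from Avast. It does two things: it reads the installed CCleaner version from the standard Uninstall registry keys, and it searches for the filenames quoted in the Talos excerpt above (GeeSetup_x86.dll, TSMSISrv.dll, VirtCDRDrv, EFACli64.dll, SymEFA). A name match alone proves nothing, since legitimate Corel and Symantec components carry the same names, so each hit is run through Get-AuthenticodeSignature; Talos states the dropped copies are unsigned, so an unsigned hit is what warrants a closer look. Assumptions not stated on the page: that CCleaner registers an Uninstall entry whose DisplayName starts with "CCleaner", and that the dropped files would sit under the Program Files, ProgramData or Windows trees. The script only reports; it changes nothing.

```powershell
# Added example (not from the TweakHound post, Talos or Avast): triage for the
# CCleaner 5.33 incident. Reports the installed CCleaner version and any files
# matching the names quoted by Talos, together with their Authenticode status.
# ASSUMPTIONS: CCleaner's Uninstall DisplayName begins with "CCleaner"; the
# dropped files live under the search roots below. Neither is stated on the page.

$AffectedVersion = '5.33'

# Filenames quoted by Talos for the stage-2 installer and the tools it drops.
# Legitimate Corel/Symantec files share some of these names, hence the signature check.
$SuspectNames = @('GeeSetup_x86.dll', 'TSMSISrv.dll', 'VirtCDRDrv*', 'EFACli64.dll', 'SymEFA*')

$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:SystemRoot) |
    Where-Object { $_ -and (Test-Path $_) }

function Get-InstalledCCleaner {
    # Returns DisplayName/DisplayVersion/InstallDate for any CCleaner Uninstall entry
    # (both the native and the WOW6432Node hives, so 32- and 64-bit installs are seen).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Find-SuspectFiles {
    # Walks the search roots for the quoted filenames and records each hit's
    # signature status. 'Valid' means a chain-verified Authenticode signature.
    foreach ($root in $SearchRoots) {
        Get-ChildItem -Path $root -Recurse -File -Include $SuspectNames -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Size      = $_.Length
                    Modified  = $_.LastWriteTime
                    SigStatus = $sig.Status
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
    }
}

$installed = Get-InstalledCCleaner
if (-not $installed) {
    Write-Output 'No CCleaner entry found in the Uninstall keys.'
} else {
    $installed | Format-Table -AutoSize
    if ($installed.DisplayVersion -like "$AffectedVersion*") {
        Write-Warning "CCleaner $AffectedVersion is installed. Per Talos: restore from a pre-install backup or reimage; do not just update."
    }
}

$hits = Find-SuspectFiles
if (-not $hits) {
    Write-Output 'None of the filenames quoted by Talos were found under the search roots.'
} else {
    $hits | Sort-Object SigStatus | Format-Table -AutoSize
    # Unsigned or invalidly signed copies are the ones that need a closer look;
    # a 'Valid' signature from Corel or Symantec is consistent with a legitimate file.
    $hits | Where-Object { $_.SigStatus -ne 'Valid' } |
        ForEach-Object { Write-Warning "Unsigned or invalid signature: $($_.Path)" }
}
```

Run it from an elevated PowerShell prompt so the Program Files and Windows trees are fully readable. A clean result here does not contradict the bottom line above: the dropped files could have been renamed or removed, which is exactly why Talos recommends restoring from a backup taken before the install rather than trusting a scan.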
Nick Swarfega says
They have since released version 5.35 with new digital signatures.
Nice plug about recommending their owner’s antivirus lol. Switched from Avast a while ago as it was too bloated and intrusive.
Dantv says
Sigh…what a fiasco. Looks like I need to restore….hmmm do you think I am installing ccleaner again??? I don’t think so.
Eric (a.k.a. TweakHound) says
I can’t blame you but consider this. Will any program be watched more than this one for the foreseeable future?