i30 Owners Club

OFF TOPIC => WORLD NEWS => Technology => Topic started by: Shambles on September 18, 2017, 16:26:46

Title: Downloaded CCleaner lately? Read on...
Post by: Shambles on September 18, 2017, 16:26:46
Quote from: The Register
Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users.


 :link: Downloaded CCleaner lately? Oo, awks... it was stuffed with malware - The Register (https://www.theregister.co.uk/2017/09/18/tainted_ccleaner_downloads/)
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 18, 2017, 17:39:40
I've been watching all this unravel over the last few days, investigations are pointing to a possible insider security breach.
Reply from Piriform  :link: Piriform - Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users (http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users) 

The full coverage  :link: Full coverage - Google News (https://news.google.com/news/story/dfwEfVNgxcDrI3MrxAPwcM_SngpFM?ned=us&hl=en)

Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 18, 2017, 18:05:15
If you are on a 32 bit system and concerned then uninstall CCleaner and navigate to regedit (Registry) and search for this leftover key HKLM\SOFTWARE\Piriform\Agomo and delete.

Malwarebytes will detect and remove the infection " Tojan.nyetya>  Malware   downloads\ccsetup553.exe "  Avast still hasn't added the detection :disapp:

You can safely install the latest 5.34.6207  :link: CCleaner - Builds (http://www.piriform.com/ccleaner/builds)

Remember to do a custom install and untick boxes not required or you might end up with Avast and Google Chrome installed :rolleyes:
Title: Re: Downloaded CCleaner lately? Read on...
Post by: Dazzler on September 18, 2017, 21:46:03
Jeepers! Thanks for the heads up.. I better check my versions etc..  :crazy1:

Edit: Looks all ok here.  :victory:
Title: Re: Downloaded CCleaner lately? Read on...
Post by: Dazzler on September 19, 2017, 03:48:20
I had that dodgy version on my main PC, but it is a 64 bit system. I just updated to the latest version and am doing a Malwarebytes scan just in case...
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 19, 2017, 04:20:16
Should all be fine on the 64bit system Dazz, installing the new version over the top is all that's required there👍
Title: Re: Downloaded CCleaner lately? Read on...
Post by: Dazzler on September 19, 2017, 04:31:58
Quote from: CraigB
Should all be fine on the 64bit system Dazz, installing the new version over the top is all that's required there👍

 :drinks:
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 19, 2017, 08:02:55
Latest report by Vlk at Avast

Guys,

I just had a chance to read this thread and I'm a bit horrified as I think that there's quite some misconception about what actually went on.

First of all, the bottom line is: to the best of our knowledge, no harm was done to any CCleaner users as the threat was removed before it had a chance to fully activate.
This is really not about downplaying the issue. This is a statement based on a pretty thorough analysis, partially shared below and partially still embargoed because of the ongoing investigation.

Now, some facts:
- Avast acquired a company (Piriform) which was in the process of being hacked. We have good evidence that the attack started at least several weeks before the acquisition.
- Immediately after we first learned about something wrong with the CCleaner product (which was on September 12, i.e. 6 days ago) we started working on it and have been working on it around the clock since then.
- The #1 priority for us was to protect the CCleaner customers and minimize the actual customer impact of the incident.
- For that reason, we first focused on fully understanding the malicious code and disconnecting the bad actors from their ability to control the backdoor, i.e. taking down the CnC servers.
- The CnC server was taken down on September 15, three days after we first learned about the incident. Given how difficult these things tend to be, we consider this a very good result and I don't see how we could have done it any better. (By that time, the secondary CnC servers (the DGA domains) were already sinkholed as well, so that technically cut the attackers off their ability to control the backdoor).

At the same time, we wanted to understand whether the second stage payload could have already activated before the threat was discovered. Now, the good thing is that about 30% of CCleaner users also run Avast security software, which allowed us to analyze behavioral, traffic and file/registry data from those machines.  Based on this analysis, we can say with high confidence that to the best of our knowledge, the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary itself. We also asked our colleagues from other security companies, but haven't heard anyone seeing anything suspicious either. And that's great news, as it means that despite the high sophistication of the attack, we managed to disarm the system before it was able to do any harm. To that end, we don't consider the advice to reformat and/or restore the affected machines to the pre-August 15 state to be based on facts (by similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer, just because there was a hypothetical possibility that something might have gotten in).

BTW, I have to say I was quite disappointed by the approach taken by the Cisco Talos team who appears to be trying to use information about this incident to drive marketing activities and piggyback on the case to increase the visibility of their upcoming product. And, I should probably also say that it wasn't Cisco who first notified us about the problem. The threat was first discovered and reported to us by researchers in a security company called Morphisec (thank you!). The threat was real, but to the best of our knowledge, it was fortunately mitigated before it could do any harm.

We plan to be issuing more communication about this as we go. This is a very unfortunate incident and of course, it's in our highest interest to properly investigate the issue and make sure it never happens again. Unfortunately, as you can imagine, the security measures in small companies are usually not up to the standard and that's a big lesson for us in terms of what to look for in case of future acquisitions.

Thanks,
Vlk
Title: Re: Downloaded CCleaner lately? Read on...
Post by: andsome on September 19, 2017, 08:17:20
All very disconcerting. We rely on these companies to be absolutely scrupulous before sending stuff out.
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 19, 2017, 08:47:39
Quote from: andsome
All very disconcerting. We rely on these companies to be absolutely scrupulous before sending stuff out.

Like mentioned the second payload didn't eventuate as Avast had the server pulled down before malicious activity took place, the bigger worry is Symantec releasing a signed certificate which had been modified.
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 19, 2017, 16:21:56
Further comments from Avast's CEO https://blog.avast.com/update-to-the-ccleaner-5.33.1612-security-incident (https://blog.avast.com/update-to-the-ccleaner-5.33.1612-security-incident)
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 20, 2017, 17:43:00
Updated CCleaner 5.35.6210 with new digital signature  :link: CCleaner - Builds (https://www.piriform.com/ccleaner/builds)

Use the slim build if you don't want added extras :)

Title: Re: Downloaded CCleaner lately? Read on...
Post by: The Gonz on September 21, 2017, 02:34:03
I just checked and I have the 64-bit version. :D
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 21, 2017, 08:24:43
Quote from: The Gonz
I just checked and I have the 64-bit version. :D

The pressure was off for me too, I don’t know anyone with a 32bit system these days :)
Title: Re: Downloaded CCleaner lately? Read on...
Post by: andsome on September 21, 2017, 09:36:39
I have had notification this morning of a new version ready for download.
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 21, 2017, 09:39:44
Quote from: andsome
I have had notification this morning of a new version ready for download.

See reply 11 :)
Title: Re: Downloaded CCleaner lately? Read on...
Post by: andsome on September 21, 2017, 10:21:18
I already have that version
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 21, 2017, 10:56:54
Quote from: andsome
I already have that version

Yes, because it’s the latest version as I’d already posted  :)
Title: Re: Downloaded CCleaner lately? Read on...
Post by: Shambles on September 21, 2017, 10:59:06
More digging = more dirt...


 :link: CCleaner targeted top tech companies in attempt to lift IP - The Register (https://www.theregister.co.uk/2017/09/21/ccleaner_secondary_payload_targeted_top_tech_companies/)
Title: Re: Downloaded CCleaner lately? Read on...
Post by: andsome on September 21, 2017, 11:58:29
I have 5.34.6207. The version I have been advised to download this morning is 5.35.6210.
I don't know why I have only just received this notification.
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 21, 2017, 12:04:22
Quote from: andsome
I have 5.34.6207. The version I have been advised to download this morning is 5.35.6210.
I don't know why I have only just received this notification.

It was only released 1 day ago :)
Title: Re: Downloaded CCleaner lately? Read on...
Post by: andsome on September 21, 2017, 12:11:29
I have just tried to download and install it, but it would not install. I uninstalled the original and downloaded it again and still it would not install. I deleted all references to it in the registry and still it won't install. Any ideas anyone?
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 21, 2017, 12:36:48
Quote from: andsome
I have just tried to download and install it, but it would not install. I uninstalled the original and downloaded it again and still it would not install. I deleted all references to it in the registry and still it won't install. Any ideas anyone?

Which one are you trying to install, try the slim version here  :link: CCleaner - Builds (https://www.piriform.com/ccleaner/builds) I just re-downloaded it and it installs fine.
Title: Re: Downloaded CCleaner lately? Read on...
Post by: andsome on September 21, 2017, 12:56:33
That won't install either, I will try a system restore
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 21, 2017, 13:19:07
Quote from: andsome
That won't install either, I will try a system restore

You could also try right clicking the file and choose Run as Administrator, not sure if it'll help though :undecided:
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 21, 2017, 14:04:11
Progress on CCleaner Investigation https://blog.avast.com/progress-on-ccleaner-investigation (https://blog.avast.com/progress-on-ccleaner-investigation)
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 21, 2017, 16:09:56
It's now been revealed the stage 2 installer is GeeSetup_x86.dll. It checks the version of the operating system and plants a 32bit or 64bit version of the Trojan on the system based on the check.

Further REG keys have been found relating to systems that received the second payload

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP
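
An added example, not part of the original posts: a read-only PowerShell check for the `HKLM\SOFTWARE\Piriform\Agomo` key mentioned earlier in the thread and the five `WbemPerf` locations listed above. The function name `Test-RegistryIndicator` is made up for this example, and because the thread does not say whether the last path component is a subkey or a value name, the script tests both.

```powershell
# Added example: read-only check for the registry locations named in this thread.
# Nothing is modified or deleted; run it from an elevated PowerShell prompt.

# Paths copied from the posts above, relative to HKEY_LOCAL_MACHINE.
$indicators = @(
    'SOFTWARE\Piriform\Agomo'
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\001'
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\002'
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\003'
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\004'
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP'
)

function Test-RegistryIndicator {
    # Returns 'key', 'value' or $null for one path under an open HKLM root.
    # Assumption: the thread does not say whether the last path component is
    # a subkey or a value name, so both forms are tested.
    param(
        [Parameter(Mandatory)] [Microsoft.Win32.RegistryKey] $Root,
        [Parameter(Mandatory)] [string] $Path
    )
    $key = $Root.OpenSubKey($Path)            # read-only; $null when absent
    if ($null -ne $key) { $key.Dispose(); return 'key' }

    $split  = $Path.LastIndexOf('\')
    $parent = $Root.OpenSubKey($Path.Substring(0, $split))
    if ($null -eq $parent) { return $null }
    try {
        if ($parent.GetValueNames() -contains $Path.Substring($split + 1)) { return 'value' }
    }
    finally { $parent.Dispose() }
    return $null
}

# A 32-bit program on 64-bit Windows gets its own view of HKLM\SOFTWARE,
# so both views are searched there; 32-bit Windows has only one view.
$views = @([Microsoft.Win32.RegistryView]::Registry32)
if ([Environment]::Is64BitOperatingSystem) {
    $views += [Microsoft.Win32.RegistryView]::Registry64
}

$findings = foreach ($view in $views) {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    try {
        foreach ($path in $indicators) {
            $kind = Test-RegistryIndicator -Root $hklm -Path $path
            if ($kind) {
                [pscustomobject]@{ View = $view; Found = $kind; Path = "HKLM\$path" }
            }
        }
    }
    finally { $hklm.Dispose() }
}

if ($findings) {
    $findings | Sort-Object Path, View -Unique | Format-Table -AutoSize
} else {
    'None of the listed registry locations are present.'
}
```

A location that is not split between the 32-bit and 64-bit views is reported once per view, so the same path can appear twice in the table.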
Title: Re: Downloaded CCleaner lately? Read on...
Post by: andsome on September 22, 2017, 08:47:00
C Cleaner completely fouled everything up. I must have had the nasty. The system restore did not work, so I had to put a mirror image on and then do all my updates again. All is running OK now including C Cleaner.
Title: Re: Downloaded CCleaner lately? Read on...
Post by: Dazzler on September 22, 2017, 09:04:15
Quote from: andsome
C Cleaner completely fouled everything up. I must have had the nasty. The system restore did not work, so I had to put a mirror image on and then do all my updates again. All is running OK now including C Cleaner.

Well done! Not an easy job.
Title: Re: Downloaded CCleaner lately? Read on...
Post by: AlanHo on September 22, 2017, 09:13:39
It's a good job you have a sensible back-up regime.

I had to use Acronis to restore My C drive last week - but it was not related to Cleaner.

I have Microsoft Office Pro 2016 installed on the computer - not the Cloud version - and after I booted the computer one morning Outlook would not open. I got some garbled error message about network resources. I then noticed that the Icons for Word, Outlook and Excel in the task bar had changed to just rectangular squares. Clicking on those failed to open the programme.

I then tried to open each from the exe file in the Programs folder - those too failed.

So I carried out a repair of Office. This too failed.

I then decided to restore my Acronis 2016 back-up dated 9th Sept.  The computer failed to boot from the Acronis emergency disc - which was resolved after I amended the boot order in the computer BIOS.

When Acronis booted the computer and I tried selecting the required back-up file - it didn't show in the list of back-ups.

By now I am getting very frustrated. The back-up was showing in File explorer but was not appearing in Acronis.

After further fiddling - I managed to get Acronis to find it - I can't recall how, after trying various things - and the restore was completed OK and MS Office was back to normal.

Acronis used to be user friendly - I have used it since when it was called True Image in about 2005. It was easy to use and a doddle to do back-ups and restores.

I now find the interface somewhat confusing and last year tried using EaseUS Todo Backup. It proved to be easy to use but the first time I tried a test restore it went tits up and I had to use Acronis to get the computer working again.

So - although Acronis frustrates me - it's the devil I know (or thought I did)
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 22, 2017, 11:00:01
@AlanHo  you could give Aomei a try  :link: Best Free Windows 10/8/7/Vista/XP Backup Software 2017 | AOMEI Backupper Standard (http://www.aomeitech.com/ab/standard.html) It's simple to understand and the free version works well for me :goodjob2:
Title: Re: Downloaded CCleaner lately? Read on...
Post by: AlanHo on September 22, 2017, 14:28:53
@Craig - thanks for the recommendation.  I will take a look at it - but first :-

You are going to think I am crazy - but this is my belt and braces back-up procedure.

I have so much valuable stuff on my Win 10 desktop computer that it really would be a disaster to lose it all. So I use the following back-up system.

I have Acronis and Second Copy installed on the computer. I have a 2TB USB 3 hybrid external hard drive permanently connected to the computer and a 1 TB Seagate USB 3 portable drive which is stored in my garage - remote from the house. Hence if we are burgled or the house burns down - my data is as safe as I can economically make it.

I use Acronis to back up the C: drive (OS and Programs) and D: drive (All data) every week (normally Saturday or Sunday) on both the external drive in the study and the portable Seagate drive. This is done manually and not using the Acronis schedule facility. I always do a full back-up. I am not a fan of incremental or differential back-ups ever since one of them was corrupted and the chain was broken.

I use "Second Copy" to make a duplicate of all my data on the external drive in the study, plus on an extra internal drive in the computer tower. Second Copy is set up to copy all changed files every time the computer is shut down. It keeps copies of changed files of the last two versions in an archive folder. Keeping such archive copies has been my saviour many times. Doing this probably adds a minute to the computer shut-down time, during which I am in the shower.

I thus have back-ups of all drives and files in both the study and the garage (which is 30 metres from my house). The garage data can be a week old.  "Second Copies" of data files in the study are always bang up to date.

The only thing missing with this scheme are back-ups of the data archive files - but I can live with that.

Recovery


My usual recourse when the computer system or software gets grumpy is to try the simple fixes. If I have to recover the computer I use Acronis to recover the C: drive and leave all the data on the D: drive alone.

When data gets corrupted or lost - then Second Copy comes into play. The Second Copy files can be restored using File Explorer either singly, by selection or by complete folders with a simple copy and paste.

I have used this system for more than 10 years and whilst it may be rank over-kill, it has saved me numerous times.

That is the background to the following questions.

What are the differences between the AOMEI Backupper and their sister program AOMEI One Key Recovery  :link: AOMEI OneKey Recovery|One Click Backup Windows System (http://www.aomeitech.com/onekey-recovery.html)

I am confused why they offer 2 programs for the same chore.

Will the program you recommend fit my current procedure? I would still retain Second Copy and use the new programme to back up just the C: drive - unless the Second Copy files were lost in a fire and I was having to get a new computer up and running - in which case the Acronis (or another) back up would be used to restore everything.

Mad innit...................
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 22, 2017, 15:17:33
What a cluster f**k :eek: :D

One key recovery I haven't used but the free version is quite basic, it's for making backups and restores to and from the recovery partition of your computer, Backupper standard is more like Acronis where backups/system images are made to an external drive.

I'm unfamiliar with the features contained in Acronis but Aomei should do you fine, it does everything you've mentioned for your needs from Acronis, it probably does most of the stuff of your second copy too :)
Title: Re: Downloaded CCleaner lately? Read on...
Post by: AlanHo on September 22, 2017, 19:25:34
@CraigB

I have downloaded and installed AOMEI Backupper but not yet tried it out.

I am wading through the instruction manual and videos which look very well presented - Acronis could learn a lot from it.

At first sight it appears to be very user friendly and does everything I need.

I just need some spare time now to play with it. I am optimistic.

 :link: Get Started (https://www.backup-utility.com/help/get-started.html)

 :link: AOMEI Backupper Video Tutorials (https://www.backup-utility.com/videos.html)


Thanks a bunch CraigB you may well have converted me.
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 22, 2017, 19:43:19
You're very welcome Alan :hatoff:
Title: Re: Downloaded CCleaner lately? Read on...
Post by: AlanHo on September 22, 2017, 22:54:07
I have now taken a full back up of my C: and D: drives with AOMEI Backupper. Before doing the backup I deleted some unwanted stuff from my C: drive. I did the test back up onto a spare internal hard drive E: on my computer and then carried out a restore of just the C: drive.
 
I’m not sure about this – but I have a 512 GB SSD C: drive and a 2TB hybrid hard drive for D: I get the impression that if I had just one hard drive partitioned into C: and D: you have to restore both if you included them in the backup. I need to check this sometime out of curiosity.

The software is very simple to use and holds your hand as you move through each stage – so much better than Acronis. I chose to back up the two drives – but you can select system, partitions or even files if it takes your fancy.

When you do a restore you first select which back-up file to restore from – I had only done one so it was Hobson’s choice.
You then choose which drive to restore to. This is where it gets interesting because you need to know which is drive 1 and which is drive 2. On my computer drive 1 is the D: drive and drive 2 is the C: drive. Another way of telling is their sizes in MB’s. I chose the one that I knew was C: (Acronis is the same in this respect - if you are not careful you could easily cock things up - especially if your two drives or partitions are the same size).

The restore worked (almost) perfectly  – but with a nerve twitching interjection.

At the end of the restore, the computer is rebooted. When my computer tried to reboot – after the BIOS started -  I was presented with a black screen and the message “The Boot Manager is Missing. Press Ctrl+Alt+del”

Which I did.

The computer then restarted with the same message.

So I entered Ctrl+Alt+Del again, but this time pressed F2 to open the BIOS when the computer revved up.

This revealed that the boot manager was now at the bottom in the boot order – so I moved it to the top and the computer booted fine – and has subsequently.  I checked the C: drive and the test files I had deleted were back again – confirmation that the C: drive had actually been restored.

On this evidence I like this software but will use Acronis alongside for a while to make absolutely sure.

One thing to point out is that Backupper is quite a bit slower than Acronis – with Acronis a back up of C: and D: takes about 20 minutes – with Backupper it took 30.

With Acronis, a restore of just C: takes about 18 minutes – with Backupper this was almost 30.

This is a small price to pay for the pure convenience of the new software and its ease of use. I probably waste 10 minutes each time I use Acronis trying to fight my way through the Acronis interface anyway.
Title: Re: Downloaded CCleaner lately? Read on...
Post by: Surferdude on September 23, 2017, 00:10:40
I seem to remember Steve gave us a link to AOMEI a couple of years ago.

I still have it but will download the version above.
Title: Re: Downloaded CCleaner lately? Read on...
Post by: Shambles on September 23, 2017, 00:22:57
All of which is - and you knew this was coming -  :offtopic:
Title: Re: Downloaded CCleaner lately? Read on...
Post by: AlanHo on September 23, 2017, 07:35:01
Quote from: Shambles
All of which is - and you knew this was coming -  :offtopic:

It's a good job that the thread is in the OFF TOPIC section isn't it...................... :snigger:
Title: Re: Downloaded CCleaner lately? Read on...
Post by: Surferdude on September 23, 2017, 07:38:35
Quote from: Shambles
All of which is - and you knew this was coming -  :offtopic:

Quote from: AlanHo
It's a good job that the thread is in the OFF TOPIC section isn't it...................... :snigger:

 :mrgreen: :rofl: :rofl:
Title: Re: Downloaded CCleaner lately? Read on...
Post by: AlanHo on September 23, 2017, 22:39:58
I tried making a DVD boot disk this evening using AOMEI. It failed.

I tried twice – but each time it reached 99%, sat there for a minute, and then ejected the disk from the DVD drive. I tried to boot the computer with the disks – but as I kinda expected - it ignored the disk and booted into Windows.

I looked on their customer support and got no joy. I googled the problem – I am far from alone. Quite a few people had experienced the same problem.

AOMEI had advised people that this sometimes happens and the way round it is to download an iso file and burn it onto the disk using other software.

So I tried downloading an iso file using the option buried in the create boot media section. This stuck at 0% for 15 minutes so I stopped trying.

Frankly I can’t be arsed with AOMEI so I have uninstalled it.

Damn – it looked so promising too.
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 24, 2017, 04:38:40
 :crazy2: but Windows 10 can create boot media :crazy1:

Which reminds me, I haven’t created a new boot rescue USB since I had Windows 7 :whistler: :head_butt:
Title: Re: Downloaded CCleaner lately? Read on...
Post by: AlanHo on September 24, 2017, 07:46:17
I assume that a boot disk created in Win 10 will not load the AOMEI software.

Their user manual states that boot discs created by other software will not work
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 24, 2017, 10:27:07
Yeah unfortunately Aomei only works with itself.
Title: Re: Downloaded CCleaner lately? Read on...
Post by: CraigB on September 25, 2017, 14:44:37
Additional information regarding the recent CCleaner APT security incident

https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident (https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident)