1: Bird's ★ 2017/09/19 (Tue) 13:06:41.52 ID:CAP_USER9
Malware found in the official release of a UK software company's free software
https://www.cnn.co.jp/storage/2017/09/19/6b1b6cc95dae73814324c758fd023fd5/hacked-cnn.jpg
San Francisco (CNNMoney) On the 18th, UK software company Piriform revealed that malware (a malicious program) had been mixed into its free software "CCleaner". The number of affected computers is said to exceed 2 million.
CCleaner is system cleaner software for Windows that can delete unnecessary files and web browser caches. Someone had planted malware in the version published in August, making it possible to control infected computers.
It affects CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. Piriform's parent company, the security firm Avast, found the problem on the 12th, and updated software has been released.
The company said that, in collaboration with law enforcement authorities, the server used for the attack was taken down "before any damage was done". The malware in question collected information such as the computer name, IP address and list of software used by the user, but no important data was collected.
Security firm Cisco's Talos group describes this approach as a "supply chain attack". Under such a tactic, the systems used for software development are broken into, and users who download the software are infected with the malware without noticing. There is a possibility that further malware, such as ransomware (ransom-demanding malware), could be installed from there, it says.
Avast bought Piriform in July. At that point CCleaner had about 130 million users.
Piriform is calling on users who are running the malware-contaminated versions to delete them and install the new, safe version.
2017.09.19 Tue posted at 12:16 JST
CNN
https://www.cnn.co.jp/tech/35107429.html
Details of the damage here
Other sources
System maintenance tool "CCleaner" tampered with, transmitting user information externally (September 19, 2017 07:35)
http://forest.watch.impress.co.jp/docs/news/1081368.html
18: Mr. Anonymous @ 1st anniversary 2017/09/19 (Tue) 13:13:47.71 ID:pI40nDfW0
>>1
It's the CIA
Kaspersky prevented this
Then the Department of Defense and the UK's MI5 were furious
And now it finally leaks through CNN
174: Mr. Anonymous @ 1st anniversary 2017/09/19 (Tue) 15:06:20.91 ID:2iWzx8s70
>>1
Almost all free system cleaner software is malware or spyware
6: Mr. Anonymous @ 1st anniversary 2017/09/19 (Tue) 13:10:23.02 ID:Q1hyXh3j0
This is fatal. If remote control is enabled...
I just deleted it, so it won't be managed anymore
14: Mr. Anonymous @ 1st anniversary 2017/09/19 (Tue) 13:12:33.64 ID:0ThJoTRd0
How many times is this for CCleaner?
Wasn't this the one in the uproar over erased mail data before?
26: Mr. Anonymous @ 1st anniversary 2017/09/19 (Tue) 13:15:35.28 ID:DXrogHXV0
Well, CCleaner warns about updates every time it launches, so most people are updating
38: Mr. Anonymous @ 1st anniversary 2017/09/19 (Tue) 13:22:58.32 ID:Snb17IqJ0
Symantec has sold off its certificate business.
The reason was that Koz was certified by Google.
You shouldn't install this kind of thing anymore.
87: Mr. Anonymous @ 1st anniversary 2017/09/19 (Tue) 13:49:33.49 ID:Q1PLs6Z00
>>38
Kaspersky has been labelled Russian spyware,
F-Secure was discredited when executives tied to antisocial forces deliberately leaked personal information.
Chinese software is out of the question.
There's nothing usable anywhere.
55: Mr. Nanashi @ 1st anniversary 2017/09/19 (Tue) 13:29:26.88 ID:DXrogHXV0
> Piriform is calling on users who are running the malware-contaminated versions to delete them and install the new, safe version.
Even if you upgrade to a safe version, the MUID, TCID and NID in the registry don't go away, so the fuss is spreading
43 Nameless san @ Namida eyes. (Osaka) @ \(^o^)/ is prohibited [US] 2017/09/19 (Tue) 04:43:18.23 ID:Al/yhWOQ0
>>41
If you have run the 32-bit version of CCleaner v5.33,
check in the registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo
that there are no MUID, TCID or NID keys
Piriform - Security Notification for CCleaner v5.33.6162
https://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users
It stores certain information in the Windows registry key HKLM\SOFTWARE\Piriform\Agomo:
MUID: randomly generated number identifying a particular system. Possibly also to be used as communication encryption key.
TCID: timer value used for checking how to perform certain actions (communication, etc.)
NID: IP address of secondary CnC server
66: Mr. Anonymous @ 1st anniversary 2017/09/19 (Tue) 13:34:37.68 ID:5QrrnUjn0
>>55
I was running 5.33, but I didn't have the key; so was I safe?
Is there some kind of switch?
By the way, I have resident (background) mode turned off.
71: Mr. Anonymous @ 1st anniversary 2017/09/19 (Tue) 13:38:54.60 ID:DXrogHXV0
>>66
Since it's a two-stage backdoor, it seems you're OK as long as the key that stores the information isn't there
135: Mr. Anonymous @ 1st anniversary 2017/09/19 (Tue) 14:21:31.56 ID:F1x6pA220
>>55
I'm OK since it's a 64-bit machine...
93: Mr. Anonymous @ 1st anniversary 2017/09/19 (Tue) 13:54:41.26 ID:5RIbvaad0
They say no personal information was transmitted, but sending the process list is a different matter
13: Mr. Anonymous @ 1st anniversary 2017/09/19 (Tue) 13:12:16.36 ID:c+fe01g20
Is that the company Avast acquired?
That's going to be desperate ('· ω · `)
24: Mr. Anonymous @ 1st anniversary 2017/09/19 (Tue) 13:14:43.27 ID:40963qD50
It's Avast's own software and it ends up infected.
What are we supposed to trust?
21: Mr. Anonymous @ 1st anniversary 2017/09/19 (Tue) 13:14:24.80 ID:91SwTQZU0
Abababa
Quoted from: http://hayabusa9.2ch.net/test/read.cgi/news/1505755716/
1: Nameless san @ Namida eyes. (Shizuoka Prefecture) @ \(^o^)/ is prohibited [DE] 2017/09/19 (Tue) 02:28:36.12 ID:0G18LYld0 BE:762376718-PLT(12000) points privilege
We recently determined that older versions of our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been compromised.
We estimate that 2.27 million people used the affected software.
We resolved this quickly and believe no harm was done to any of our users.
This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud.
No other Piriform or CCleaner products were affected.
We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download.
We apologize and are taking extra measures to ensure this does not happen again.
Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users
Hackers compromised free CCleaner software, Avast's Piriform says
http://www.reuters.com/article/us-security-avast/hackers-compromised-free-ccleaner-software-avasts-piriform-says-idUSKCN1BT0R9
The 32-bit version v5.33.6162 from August and the 32-bit version of Cloud v1.07.3191 are infected
Users of the affected versions are told to update to the latest version (v5.34) immediately
26: Nameless san @ Namida eyes. (Osaka prefecture) @ \(^o^)/ is prohibited [US] 2017/09/19 (Tue) 03:06:42.24 ID:Al/yhWOQ0
The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA.
Low-sensitivity data such as the PC name, IP address, list of installed software, list of running software, list of NICs, etc. was sent to a US server owned by a third party.
32: Nameless san @ Namida eyes. (Osaka prefecture) @ \(^o^)/ is prohibited [Nida] 2017/09/19 (Tue) 03:31:42.37 ID:P1hWnE/r0
CCleaner v5.33.6162 SHA-256 hash
6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9
VirusTotal: 14 engines detected this file
File size 7.32 MB
Last analysis 2017-09-18 18:26:53 UTC
33: Nameless san @ Namida eyes. (Osaka prefecture) @ \(^o^)/ is prohibited [Nida] 2017/09/19 (Tue) 03:33:16.32 ID:P1hWnE/r0
Detailed analysis results are published here
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
The SHA-256 hashes are here \(^o^)/
36: Nameless san @ Namida eyes. (Osaka prefecture) @ \(^o^)/ is prohibited [US] 2017/09/19 (Tue) 03:41:14.95 ID:Al/yhWOQ0
The digital signature of the infected version is valid...
"illegally modified before it was released to the public"
It says that too, so was it an inside job?
37: Nameless san @ Namida eyes. (Osaka prefecture) @ \(^o^)/ is prohibited [Nida] 2017/09/19 (Tue) 03:47:55.78 ID:P1hWnE/r0
As of now, the VirusTotal verdicts from
avast
AVG
avira
Bitdefender
Comodo
F-Secure
Kaspersky
Microsoft
Symantec
TrendMicro
etc. say it's safe
It seems it will take some time before it's recognized as an infected file through sample submissions
Some products detect threats automatically from the software's behavior, but they miss quite a lot
41: Nameless san @ Namida eyes. (Shizuoka Prefecture) @ \(^o^)/ is prohibited [US] 2017/09/19 (Tue) 04:30:25.99 ID:CxGPk+xi0
What about those of us running Ver.5.34.6207? ('· ω · `)
43: Nameless san @ Namida eyes. (Osaka prefecture) @ \(^o^)/ is prohibited [US] 2017/09/19 (Tue) 04:43:18.23 ID:Al/yhWOQ0
>>41
If you have run the 32-bit version of CCleaner v5.33,
check in the registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo
that there are no MUID, TCID or NID keys
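A read-only triage script for the two checks this thread keeps coming back to: the MUID/TCID/NID values under HKLM\SOFTWARE\Piriform\Agomo from the Piriform notice, and the SHA-256 of the tampered v5.33.6162 build posted above. This is an added example, not code from the thread, Piriform or Talos; it assumes CCleaner sits at one of the default install paths in $CandidatePaths and it also looks under WOW6432Node, since a 32-bit process writing beneath HKLM\SOFTWARE is normally redirected there on 64-bit Windows.

```powershell
# Added example: read-only triage for the CCleaner v5.33.6162 compromise.
# Not from the thread, Piriform or Talos. Run in an elevated session so HKLM
# and Program Files are readable. Install paths below are an assumption.

# Indicators taken from the thread: hash of the tampered 32-bit v5.33.6162 build,
# and the registry values the implant stores under HKLM\SOFTWARE\Piriform\Agomo.
$KnownBadSha256  = '6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9'
$IndicatorValues = @('MUID', 'TCID', 'NID')
$AgomoKeys = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',              # native view
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'   # where a 32-bit process's writes usually land on x64
)
$CandidatePaths = @(                              # assumption: default install locations
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
)

$findings = @()

# 1. The binary actually on disk: compare its hash with the known-bad sample and
#    flag any 5.33 build even if the hash differs (a different installer, for example).
foreach ($path in $CandidatePaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $vi   = (Get-Item -LiteralPath $path).VersionInfo
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
    Write-Output ("Found {0}  version={1}.{2}.{3}  sha256={4}" -f $path, $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $hash)
    if ($hash -eq $KnownBadSha256) {
        $findings += "Hash matches the tampered v5.33.6162 sample: $path"
    } elseif ($vi.FileMajorPart -eq 5 -and $vi.FileMinorPart -eq 33) {
        $findings += "A 5.33 build is installed; treat as suspect until replaced by v5.34 or later: $path"
    }
}

# 2. The implant's state key. As noted in the thread, updating CCleaner does not
#    remove it, so this check is still meaningful after the upgrade to v5.34.
foreach ($key in $AgomoKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $findings += "Registry key present: $key"
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $IndicatorValues) {
        if ($null -ne $props.$name) {
            $findings += "  value $name set (NID = secondary C2 address, MUID = host id, TCID = timer)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators of the v5.33.6162 compromise found.'
} else {
    $findings | ForEach-Object { Write-Output "INDICATOR: $_" }
}
```

A hit on the registry key alone is worth acting on even when the binary has already been replaced, because the thread's point is exactly that the upgrade leaves the key behind.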
54: Nameless san @ Namida eyes. (Chiba) @ \(^o^)/ is prohibited [IT] 2017/09/19 (Tue) 06:29:30.39 ID:Q+x4OmlT0
It's not malware that destroys your PC, so don't be afraid.
It seems it sends programs to infected PCs and at the same time attacks the distributor's servers.
So you can just switch to the new CCleaner.
57: Nameless san @ Namida eyes. (Osaka prefecture) @ \(^o^)/ is prohibited [US] 2017/09/19 (Tue) 06:50:51.93 ID:Al/yhWOQ0
>>54
Supply chain refers to the distribution route of software...
> Supply chain attacks are a very effective way to distribute malicious software into target organizations.
> This is because with supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer.
> This trust relationship is then abused to attack organizations and individuals and may be performed for a number of different reasons.
> The Nyetya worm that was released into the wild earlier in 2017 showed just how potent these types of attacks can be.
> In a supply chain attack, the attacker exploits the trust relationship between the organization and its vendors and suppliers.
> This time, the attacker behind Nyetya compromised a software update server widely used by Ukrainian companies and organizations.
> The attackers used the compromised server to deploy backdoored software disguised as software updates.
https://gblogs.cisco.com/jp/2017/09/worm-defense/
96: Nameless san @ Namida eyes. (SB-iPhone) @ \(^o^)/ is prohibited [CH] 2017/09/19 (Tue) 11:02:54.00 ID:vTGsOIUh0
So it wasn't a conspiracy theory that security companies spread malware