Hacker News new | past | comments | ask | show | jobs | submit login
Malware identified in CCleaner 5.33 (talosintelligence.com)
675 points by spaar on Sept 18, 2017 | hide | past | web | favorite | 222 comments



As a kid, the only OS I was aware of was Windows. Once, my computer was infected to the point where it was almost unusable. A more experienced friend suggested a non-free antivirus and the CCleaner. After a lot of effort, I could get my machine back to working, but it became so slow that it led me to discover Linux. Now, on a Windows 10 machine, I’ve nothing but Defender, and since the aforementioned experience I’ve never had to use any other antivirus, a ‘junk’ cleaner, etc. Once bitten, twice shy :)

Edit: I hated investing in anti-stuff.


CCleaner is not an Anti-Virus. It does not run in the background (at least the free version) and will not slow your PC. It helps users locate and remove temporary/cache files buried in the OS to free up disk space. It is very useful - even for pros. Defender will not do this.


CCleaner does sell a bit of FUD though - "your computer is slow, use us so it goes faster". I don't think "crap" is causing significant slowdowns anymore, maybe frees up some disk space but nothing that the OS can't do itself either.


Deactivating that programs start on boot, maybe?


Just do that in the task manager


Wasn't an option until Windows 10, I think. autoruns from SysInternals is my go-to.


There's also "msconfig", present in Windows 7.


And XP and 2000 and maybe earlier versions too


msconfig has been around since at least XP.


There are also a similar tool from Nirsoft.


How many times have we all noticed our computers running slow, only to find a bunch of tempfiles not touched by anything!


CCleaner is also essential for cleaning up poorly uninstalled apps leaving registry keys lingering around. It's also great for when you need to fully reset and reinstall a misbehaving app, such as Symantec Endpoint Protection, which fails to clean up several critical registry keys that it checks during installation, and then refuses to re-install if they exist. Sure, you could hunt them down and write a script for Symantec, but CCleaner does it for all apps. I've fixed so many terrible apps and installs using CCleaner, it's an absolute necessity.

That and RevoUinstaller. You run RevoUinstaller then CCleaner, and maybe a reboot in between, and you've really removed an app. (The paid version of Revo is even cooler, as it will let you log the files generated during an install, and then on uninstall, it'll make sure to remove all the files and directories you had previously logged.)


This is one of the many reasons why I always prefer UWP apps on Windows 10

https://np.reddit.com/r/Surface/comments/6ifyxq/spotify_for_...

In addition, this also gives you granular privacy control

https://www.howtogeek.com/221864/digging-into-and-understand...


I have always assumed the vast majority of software meeting this description is malware. I don't know if I should feel silly or if it's a sensible assumption for end users to make.


I never liked, nor used CCleaner. I always thought it was for lazy people or those who refused to do it the hard way.


Categorically disregarding the use of automated maintainence tools under the guise of "lazy vs real techies" seems short sited, arrogant, and regressive.


It may be more expensive but hand-crafted, artisanal system administration is well worth it. The difference between it and cheap, factory produced system administration is night and day. Also, it's Local and Made In The USA so you are helping people around you in the greatest nation on earth rather than poor people in another country.


If being some sort of sysadmin craftsman gets you up in the morning, all the power to you. But for many others, "good enough" really is good enough.


Whats wrong with helping poor people?

Also, quick question: are Puppet and Ansible "factory produced" sysadmin?


Why would you do it the hard way, when there's an easy way. Especially when it's an unpleasant activity like deleting unnecessary files.


The free version does load itself into the background these days to pop up messages reminding you to clean your PC.


You can turn it off in the options.


Doesn't Windows 10 basically do this itself?


The latest Win 10 has a new setting that vaguely indicates it will look for and delete temporary files automatically. On my machine it was not turned on by default.

No idea how much it gets vs. leaves behind and since turning on it hasn't thrown up any obvious notifications lauding itself.

This is on a secondary machine. My primary machine isn't Windows.


Hardly. CCleaner can easily remove 5-6GB of junk.


I use CCleaner for maybe even 10 years, a great tool.

But Windows 10 (a few older versions as well, but somewhat hidden) has something similar called "Disk Cleanup" (Win key > enter "Disk Cleanup" > "Clean up system files" > Check all marks). "Disk Cleanup" removes stuff that CCleaner doesn't, so I use them together.

You can even remove system restore and shadow copies (Win key > enter "Disk Cleanup" > "Clean up system files" > "More Options" tab > "System Restore and Shadow Copies" > "Clean up" button).


> Disk Cleanup" removes stuff that CCleaner doesn't, so I use them together.

And vice versa if you use CCleaner combined with CCEnhancer[1]

[1]: https://singularlabs.com/software/ccenhancer/


"a few older versions as well" - It's been in every version since Windows 98 :)


You're asking for too much!


> CCleaner is not an Anti-Virus

I never said that.

> Defender will not do this.

I know what it does.


The culprit was the non-free AV. Gone are the days of simple passive signature scanners. Now they all sink their claws deeply into the OS intercepting filesystem operations, network packets, and any other privileged activity. Performance be damned.


Gone are the days of simple passive signature scanners. Now they all sink their claws deeply into the OS intercepting filesystem operations, network packets, and any other privileged activity.

Well, things have been like that for a long time already. E.g. Thunderbyte used an ISA card in the early 90ies to insert itself before and outside the operating system [1].

Old anti-virus programs also used Terminate and Stay Resident (TSR) [2]

[1] https://en.wikipedia.org/wiki/ThunderByte_Antivirus

[2] https://en.wikipedia.org/wiki/MSAV


On the note of ISA cards, i once helped install a card on some school computers that inserted itself before the OS loaded and split the HDD in half. This so that on certain conditions a clean version of the OS etc could be loaded from the half that was hidden during normal use.


DeepFreeze? I thought it was all software.


Do not recall the brand, i just helped install them and set up the initial install of OS and software.


Free and non-free AV are liabilities at this point (for Windows). Microsoft has never had an official way to let AV hook into the system calls needed, so they all relied on hacks and shifty stuff.

Surprise, surprise, now there is more attack surface available since AV is kernel level. And so now we see attacks getting root or kernel level access via AV vulnerabilities.


Unfortunately attack surface on AV also includes Windows Defender itself:

https://arstechnica.com/information-technology/2017/06/lates...


This is why security mono-culture is dangerous and it's in our interest to maintain a diverse ecosystem of security vendors in every area. Security is hard and anyone can have a serious vulnerability.


I'll still take 1-2 vendors that actually have security as a top priority over a variety of vendors that care plenty about features and detection rates but not about actually hardening their code.


> The culprit was the non-free AV.

Yes it was. After using it a couple years, when I decided to get it off my system, it was far from easy. It simply didn't go. Because of the trouble it was giving me, I thought I had no choice but to renew my subscription. It was at this point I started looking for an OS alternative.


To be fair, they're responding to more sophisticated virus distribution.


There's always ClamAV/ClamWin that does just that...

[0] http://www.clamwin.com/


Definitely test drive a couple of Linux distributions. I do so periodically and love seeing the progress.

There are really only two things keeping me on Windows.

    1. I run some Windows-only applications that don't work with Wine.
    2. A lot of Linux software often doesn't work well on a hi-dpi monitors.
Aside from that, since Windows 7 (and later versions of Vista), Windows is fine. IMHO, operating systems aren't terribly interesting these days. Everything interesting is in applications on top of the operating system. Windows, macOS, Linux? Whatever. If the application I need runs on that operating system, then I can be productive.


hi-dpi is in a sad state right now. Fortunatly, there is good support for hidpi in wayland, and as things migrate that way it will get better.

As for running windows apps....how much time do you want to waste? The only windows stuff I really run is games, and the way I do that is by running windows in a VM with the graphics card direct assigned. It works really well, and is super neat, but it was a huge pain in the ass to set up on consumer grade hardware.


Exciting to hear about HighDPI support in Wayland. I had to switch back to windows after getting a 4k display because it's basically unusable for a 3 monitor setup on Ubuntu (1 4k + 2 1080s). We'll see in a month :)


If you give it another shot, make sure you are running Xwayland and that you aren't manually setting the scaling factor. In the current version, it will guess a scaling factor based on the DPI of each display, but if you manually set it it will be applied globally and you will be right back where you are now.


I will buy a Chuwi HiBook for any developer who wants to make Linux and HiDPI not suck.


> it led me to discover Linux

As someone who is the same boat but hasn't discovered Linux yet, how hard would you say it would be to install a version of Linux that support 3 monitors (using an onboard ATI card and a PCIe card)? Last time I tried installing it this is the part I gave up at.

Also as a person always been aware of Window I find the graphics in Ubuntu lacking some finesse, i.e. the scrollbars, window panes look like that created using Java applets (granted it is a matter of taste and personal choice) but what is the most professional looking desktop to try right now?

Sorry i know this is off-topic but I too really want to switch from windows and don't want to waste money in Macbooks so any advice would be appreciated.


Fedora[0] might be what you're looking for. There are various "spins"[1] that use different desktop environments if the main one doesn't take your fancy. You can use a live image to try a few before you install.

[0] https://getfedora.org/ [1] https://spins.fedoraproject.org/


The boring answer is that if you have a graphics card with good Linux support, you're going to have a good experience. Otherwise probably less good. So without knowing the specifics of your graphics hardware it's impossible to give a clear answer.

People generally don't fault MacOS for not supporting whatever hardware they bodged together, yet they expect Linux to work with anything because hackers and magic. I guess that's a good reputation to have but it's not very useful if you want something that just works.

In the case of Linux, what just works is generally the drivers that are built in to the system, with vendors that take an active part in Linux development. And since Intel started to make both network and graphics cards, that's usually your best bet. ATI is generally usable too, but performance and power consumption generally lag their Windows equivalent drivers.

With that said, it's quite easy to test. Download the latest Fedora (or Ubuntu) live DVD and boot it. If that works with your display, a native install is going to work too.

Just don't install Linux as an almost-Windows or cheap-MacOS. If you want Windows software then that's what you should run it on. Run Linux because you want a UNIX desktop and the kind of software that goes with it (gcc, bash, rsync, native TCP/IP utilities and those things).


I recommend KDE, it feels a bit more well put together for a desktop these days.

With regards to your question about triple monitors. I mean, I managed to get triple monitors working on FreeBSD without much fuss so I am not sure of how much help I can be when I say "it should just work". I am obviously biased.

But, it's likely that it will just work, the open source drivers for AMD are significantly superior to the open source drivers for nVidia. Although I only have nVidia cards running and I have 2 setups with triple monitors.


Give Ubuntu desktop a try. The installer allows you to run the OS live without installation. You can use this to see if Ubuntu is something you may be interested in.


+1 for this. Try before you "buy" so to speak. In a very similar vein, Linux Mint also allows you to do this. Both OSes work very well out of the box and there are large communities for help.


My experience with Ubuntu (xubuntu 16.04.x) is that you really need a modern Nvidia card to get high/native resolution. Especially for someone who wants to run 3 monitors.


I'll add the caveat that for HiDPI displays you're still likely to run into scaling issues, particularly if you have differently sized displays. I hear that for some specific cases Ubuntu/Gnome 3 handle things acceptably, but there's still a lot of rough edges (not that Windows doesn't still have problems here too).


This is true. I just installed Ubuntu on a shiny new (to me) Precision 5510 laptop. 4k monitor native. When I hooked it to my 27 inch, 2560x1440 monitor, the scaling became a disaster between the two screens. Setting the scale on the fly can also be a disaster. Best thing I have found is to set the res down on the higher-res monitor, and set the scaling to the same on both monitors. Or just never move things between monitors.


This Ubuntu user here is driving a 27" 4k Dell with an AMD RX460 that doesn't even have a fan. Works okay.


Don't you need an at-least-mediocre GPU to get high resolution on 3 monitors on any OS? I wouldn't connect 3 high resolution monitors to a Windows or Mac machine with no GPU.


Modern machines that seemingly have "no GPU" have an integrated GPU that's powerful enough for driving multiple monitors, desktop compositing and rendering some 3D (modern games at 720p, older games at higher resolution).


Aren't you still limited by the number of HDMI ports anyway?


Does AMD do this or is that still just an Intel thing?


AMD's APUs are actually more powerful than almost all Intel iGPUs. The only one that's competitive is Iris Pro 580 with the eDRAM addon, known in a previous incarnation as Crystalwell (not all Iris Pro 580s have this).

The tradeoff is that the CPU half of AMD's processors is kinda bad - they are all derived from either Jaguar laptop processors or Bulldozer, they desperately need to be refreshed with Ryzen. So Intel has the better CPU but a mediocre GPU (unless you splash out for Crystalwell), and AMD has mediocre CPUs but a good GPU...

AMD's non-APU processors (FX, Ryzen, TR, Epyc) do not have iGPUs however, same goes for Intel's lines of server chips (X99/X299/etc). This is something that is only in "client" processors.


I have a small underpowered desktop running in my house that only has onboard graphics and it runs Ubuntu 16.04 just fine, but its only connected to 1 monitor, not 3.


The Intel integrated graphic card of my laptop does handle 3 screens fine and I dont need to mess with drivers, everything works well out of the box. I would actually advise against NVIDIA cards unless you need powerful graphic processing or to do GPU computation.


Cool. Didn't know laptops existed with 3 monitor ports. Which model laptop are you using, and would you recommend it for programming? :)


Ahhh, doing some Googling shows it's from add-on peripherals and/or docking stations. eg:

http://www.dell.com/support/article/uk/en/ukbsdt1/sln115952/...


> how hard would you say it would be to install a version of Linux that support 3 monitors (using an onboard ATI card and a PCIe card)?

As a data point, the development desktop I'm using runs 3 monitors on Linux (Fedora 25). They're hooked into a single AMD R9 390 graphics card (overkill, but it was hanging around spare when putting together the pc).

The monitors are 1x Dell 30" in the middle, with 2x ASUS 24" monitors (one each side). No HiDPI stuff, and everything works fairly well. Using the "Xfce" spin of Fedora.

Didn't need to do any complicated setup. The monitors were all detected fine without mucking around, and I just needed to drag them into position in the Xfce4 gui tool so it knew which one was on the left, middle, right.


Lacking details, so nobody can promise anything, but I have run my current desktop with three monitors on two video cards. I currently run it with two monitors and two cards, with one bound to a Windows VM. That is somewhat trickier to set up, but multiple monitors should be fine.

My advice echoes others - you can try before you buy (install) with a few flavors of Linux; see what happens. If you have trouble, try to find a fellow human who can help - X is a little surprising to configure, if you haven't done it before.


How long ago was it, and what GPU did you try it with? Most relatively modern AMD GPUs (especially Polaris/RX 4xx and newer) work great out of the box these days, but that's a relatively recent phenomenon.


It was about 2 years ago. I'm using a multi monitor setup where i'm clubbing my onboard graphics card with the PCIe card (both ATI, though the onboard card is a very old model). On windows it works seamlessly but on Linux I couldn't do it. Thanks for the advice, I will try it again today.


Ubuntu makes this pretty easy. Also solus 3 would be a good choice. And there are a number of resources and tutorials for this very thing. You can also customize your desktop environment so the critique of scroll bars and such can be resolved.


ElementaryOS [0] prides itself in it's UI. Granted, this is very much a matter of taste, but if you're into the whole Mac look-and-feel, you might like it.

But frankly I find the Gnome-Shell desktop to be beautiful. Maybe try Ubuntu-Gnome? [1]

[0] https://elementary.io/ [1] https://ubuntugnome.org/


Elementary os looks beautiful. This is exactly the kind of stuff i found missing, will definitely install it today.


Great! If Elementary ends up not being to your tastes, do try Gnome-Shell. The UI is a bit "different", in the sense that it tries to innovate in quite a few places, but it's definitely pretty.


I found the animations on ElementaryOS to feel....clunky, to say the least.

That being said, the majority of UI animations in Linux are like that, so meh.


Um what did you install? Personally I have been an OpenSUSE guy for almost 10 years now. I would be surprised that you would have a problem. Ubuntu should also be found.

Stay away from Fedora and Arch unless you don't mind getting into some set up files. Personally it is fun getting things setup for me and so I enjoy Arch and Fedora and sometimes it they are just as quick and simple as OpenSUSE and Ubuntu.


I tried Ubuntu only. Couldn't get the third monitor to work. As per another comment I will give it another try and see if things have changed now.


After trying a number of distros, I settled on Ubuntu and a while ago switched from Unity to Gnome. Most of the time I use two monitors without any problem and I live in a terminal.


KDE has that modern look, so install Kububtu, then figure out how to set up multiple monitors through kde


Don't go down that rabbit hole. Linux is not for desktop despite many years of efforts. Even the distro with the greatest focus on UI (elementaryOS) looks like a toy. That Linux is hugely successful everywhere EXCEPT in the desktop should tell us something.

Just my honest opinion after 15 years of continuous use in university and work.

XKCD still relevant today: https://xkcd.com/456/


I don't know... I have been on Xubuntu for about 4 years now, and love it. Just got a new touchscreen laptop with win10 on it and hate the experience. Switched the wife over to Xubuntu as her win10 laptop was running like crap, and she barely notices any difference in the experience except the Linux system is faster.

I think for a lot of people who want to just browse the Web and watch movies, Linux is more than up to the task. And suit, recently even libreoffice is working fine for my simple needs for word processing and spreadsheet work.


It's like driving a car you have to work on all the time or something. I have fond memories of doing it but I no longer have the time or inclination to spend that much time configuring my desktop.


Lets be real; as much as I shit on systemd, since it released the desktop experience for people is much more well-rounded and I think it has helped distro maintainers really push usability.

Usability of Linux in the past 10 years has been exponentially increasing.


They're going to need something else. X11 and GNOME/KDE/etc will never be mainstream. Ubuntu made a mistake not contributing to Wayland but they were right to try Unity.

Ironically, Canonical is making money mainly with cloud services. Meaning servers - what Linux is good at.


> XKCD still relevant today

and I wish this to be true for any *nix system.

The ability to venture down the rabbit as far as you want, without black-boxes.

I think a lot of us sit here today because of that privilege.


It absolutely has its place. That place just isn't the mainstream desktop consumer.


Feels like you've vaccinated you brain and developed antibodies of security-conscious computer usage patterns.


Yes, because it was a lesson learned the hard way :)


Years ago I used to use CCleaner and their disk defragmentor tool. Now I too am on Windows 10 and use neither, still it's sad to see this sort of thing happen to what I remember being decent free software.


IIRC, CCleaner used to come with some unnecessary stuff that caught users unawares.


If you have an SSD then defragmentation does nothing


I rescued my neighbor's Mac from an adware invasion using Malwarebytes so I I would argue that not all these tools are created equal.


Malwarebytes is great. However, what if it was their installer that was attacked in such fashion?

Trusting old memories of what's good or not can be dangerous. I remember getting caught out once by CoreTemp which suddenly packed a load of dung in its default installer. :(


Sourceforge revolutionizes open source by providing free hosting for projects!

[later]

Sourceforge - You will never find a more wretched hive of scum and villainy.

[still later]

Sourceforge is respectable again! (hopefully?)


> Sourceforge is respectable again! (hopefully?)

When pigs fly. I cringe every time I encounter a project hosted on SF and have to play their stupid find the download link game.


Uh have you been there recently? Like in the past year? The company is under new management, and cleaned up their act and download pages a lot. Sourceforge is headed in a better direction again.


Yet while SourceForge improved, Slashdot became a clone of HN's front page and is a cesspool of horrid editing staff, now.

So take that as you will. That tells me that SourceForge is probably bound to degrade some time soon.


For apps it supports, Ninite is a good way to avoid that kind of thing, although it may not have stopped the CCleaner issue. They package their installer with extraneous bundles removed.


I hope Ninite reads this and pulls them off their list of installers. It should be automatically removed from end users by Ninite as a direct response to this.


Well, it's not on the list currently, so either they never had it or they did indeed remove it.


BoxStarter is looking promising - http://boxstarter.org/


I pay for MalwareBytes, I think it's worth it.

Apart from that, I just use Defender.


Ditched when they started pushing FUD 5-6 years ago.

I worked in the anti-malware industry for 5 years. Pretty much across the board, this kind of software does more harm than good. AV on corporate email servers or your email provider makes sense. Rooting your own computer and leaving it vulnerable to shitty AV/AM vendor's software doesn't.

Literally saw malware in the wild that exploited AV software.


I downloaded a GTA 5 mod that had malware bundled and Windows Defender didn't catch it. I run Malwarebytes as well these days, but that's it.


I’m not a gamer. Also, I can’t recommend using or not using Defender. For aimless browsing I use my Linux box, and one of my favorite browser extensions is uBlock Origin. Nowadays I don’t have to carry flash drives or other storage devices and never plug in things that belong to others :)


Do you never run software you haven't written/audited?


I do, but I try to see if it's from a trustworthy source.


Pirform has been around for ages and has always been as "trustworthy" a software publisher as one could hope for. Supply-chain compromises are hard to completely mitigate, particularly with bundled windows installers.


Advertising never works for me. Linux and Windows are worlds apart.


There has been a number of cases of installers from trusted developers being infected lately. (For example Transmission being infected twice...)

On our side (developers) we need to be careful with this idea that "we will know" when something is wrong and be more careful when deploying software. It would also be nice if some form of tool could be used to test a binary to make sure it only contains what it should contain (sort of a whitelist of symbol names compared to the source files, idk...) I'm sure something along these lines probably exists for some different purpose.


First of all, this is why reproducible builds (getting bit-for-bit identical binaries independent of the machine used to build the software) is something we should be putting much more work into. The Debian folks are doing an amazing job there.

Another important point is that distributions have already solved effectively all of these problems. We have automated building and signing systems that mean that installation and upgrades are done in ways that are not vulnerable even to fairly sophisticated attacks. You can build packages locally if you want to verify them, and modifying a package after it has been built invalidates the signature that all modern package managers require before installing a package. As part of the openSUSE project we even have a free-to-use (and free as in freedom) build project called the Open Build Service[1] which allows you to build packages (with automated dependency update rebuilds) for many different distributions (Arch Linux, Debian, Ubuntu, Fedora, RHEL and obviously openSUSE and SLES).

I get that distributions aren't "sexy" but it's getting quite frustrating seeing all these communities make the same mistakes that distributions made (and learned from) more than 20 years ago.

[Disclaimer: I work for SUSE and am an openSUSE community member.]

[1]: https://build.opensuse.org/


That's ok for the NSA and a few large enterprises to check certain binaries but you can't ask any start up or small company to recompile themselves every version of every OS / Software / Library that they use. It's not really a practical solution (even assuming everything is open source).


As I posted above, we have a build service that does this automatically for you. It takes maybe 30 minutes to create a few spec files, and now it's supported by a bunch of different distributions. You can then point your users at the repo (or mirror the repo if you prefer). Also OBS lets you create forks of projects that just inherit the unmodified packages (and said forks can also be cross-host so you don't need to self-host a whole distribution).

I agree that doing everything I mentioned manually is hard, that's again why I said that distributions have solved this problem and made it easy.


But who would use the build service? The consumer of the software or the publisher?

[edit] also that protects you against malware injecting binaries in an executable when compiling it, but not from malware injecting code into the source code of the executable.


> But who would use the build service? The consumer of the software or the publisher?

Publisher. A user could (if they were really paranoid) rebuild the packages locally, with two or three commands.

> Also that protects you against malware injecting binaries in an executable when compiling it, but not from malware injecting code into the source code of the executable.

You can download the source code that OBS used (both as a src RPM generated by the builder and the OBS repo that the builder was given read-only access to), and OBS supports cryptographic signatures of the originating source (with gpg-offline keys to avoid WoT attacks). If your developers are using sane source control practices (use GPG keys for every commit, but especially tags) then you are protected against that too.

Of course, reproducible builds is something that would solve this problem even better (protecting against attacks on OBS that cause it to add source that are not in the repo). As a side point, our threat model doesn't fully trust the nodes compiling the software so such attacks are fairly limited in scope (but I'm not a developer of OBS so I'm really not the right person to be asked these questions).


I don't know what they're planning to do, but we could need only a few parties doing the verifications. If a build yields the wrong binary then the release is flagged and nobody gets it. Apt should check against the expected results.

Many things could go wrong with this (mainly attacks on the expected results db, it should be replicated) but the idea should work.


The thing is if the threat is any machine on the publisher side being infected, then it sorts of need to be verified by the consumer of the software, a bit like compiling a checksum when you download software.


Debian packages are signed. It is hard to make software distribution completely secure. But, one could imagine creating pretty strong guarantees. Imagine that you have N completely different parties/machines (isolated, on different infrastructure, different user accounts).

- (N-1) machines build a new Debian package.

- The (N-1) results are fetched by the fourth party.

- The Nth party checks whether the build results are identical.

- The Nth party signs the result with GPG on a machine that is not connected.

- The signed package is distributed.

An attacker would need to compromise either: (1) N-1 build machines; (2) the offline machine used for signing packages; or (3) the upstream source.

I consider (3) to be the most serious thread. But in this scenario, only the distribution packagers need to inspect the source changes. In the common scenario where you download from a vendor (e.g. the Transmission or CCleaner website), every user has to inspect a binary blob.

Another possibility would be to have strong sandboxing for applications. An application could still participate in DDoS attacks, etc. But it would at least not encrypt/destroy your data.

tl;dr: reproducible builds are an extremely important development and Debian (and other distributions participating in this initiative) should be commended for their work!


Right, and this is why we need reproducible builds.


compile times are fast enough now that if the tools were friendly enough I don't know it would be so inconvenient to the end user anymore.

is there any distros out there now that are source based like Gentoo with more friendly defaults?


And why exactly can't the source be compromised?


There's NixOS. By default it uses a binary cache, but it'd be easy to disable that if you want to.

And reproducible builds are a work in progress.




I'm not sure how exactly these infections work, but one method would be to infect the developers' PCs. In which case you essentially can't trust anything. You'd need some kind of byzantine fault tolerance (mandatory multi-person code review?) to be sure nothing like this ever happens

What makes this scary is that, as far as I know, pretty much no software has that kind of security, and there are several pieces of widely used software that always update automatically (sometimes for good reason, sometimes not so much).


The solution would be code review + reproducable builds. This is how Debian tries to prevent these kinds of attacks.


You can enable AppLocker and have explicit control on what executes and what not by creating rules. I know quite a few companies that enforce its use in their employees' PCs.


As an aside, AppLocker was trivially bypassable for several years -- there were two different APIs that allowed you to set an "ignore AppLocker" flag. We used to use it in high-school to play games (or in my case, run gvim and some other development tools).

I think that there needs to be a more complete solution than just "secure the developers machines". You need to have peer-review, where the developers sign commits to approve them.


> mandatory multi-person code review?

Isn't this pretty much mandatory with SOX compliance anyway?


My first thought would be a little process running on a server not on your network that pulls the download every so often, say once a day, and texts you if it is different. You'd expect a text after you push your new version, but if you get one out of the blue, then you'd know something was up.


Binary analysis for each software you install might be too cumbersome for most developers.

I suggest you use something like "Little Snitch" for mac which warns you when software makes inside/outside connections.

It might not be the best, but it's definitely something that works to mitigate some hacks.


Thing is, you can't even trust little snitch these days[1] :(

At least a binary check after compilation+signing (by the developer) should improve security a little bit.

[1]: https://objective-see.com/blog/blog_0x21.html


I like to compliment Little Snitch with XFence (formerly known as Little Flocker).

You can think of it as a firewall for your filesystem and devices.


I use Little Snitch too. I had a Little Flocker license, but the rules were quite painful to maintain. Especially if you are also using the Terminal and command-line apps.


That creates an interesting conflict between automatic updates (you want to be patched against the latest security vulnerabilities) and manual, more infrequent updates (you are less exposed to a compromised update directly and automatically infecting your machine).


>Transmission being infected twice

Could you please elaborate? I only recall one instance of compromised Transmission installer.



It's also worth noting that the default installer for CCleaner automatically installs Chrome and sets it as the default browser with no notification in the default process. Unless you click "More..." from one of the screens, then it tells you. At least it was like this two weeks ago. Had to uninstall bundleware Chrome again from multiple family members' PCs.


FYI, BleachBit is a (FLOSS) alternative to ccleaner, that works pretty well.


That's why I package it for our PortableApps.com users! https://portableapps.com/apps/utilities/bleachbit_portable


What would happen if someone got malware on to your machine that specifically targeted PortableApps.com?


The VLC authors also report that Google tried to pay them quite huge amounts to include Chrome as well: https://www.youtube.com/watch?v=jWx1P93nS0c&t=48s

With Google’s recent actions, this makes Chrome literally into malware that your system’s AV should automatically detect and remove. If a significant amount of users gets the software without intending to, the install was malicious, and should be removed.


> the default installer for CCleaner automatically installs Chrome and sets it as the default browser

Why is that is my question.


Google pays companies to do new installs of Chrome. They're supposed to make it explicit, but Google doesn't really police it. It's usually via 'dark patterns' as it is with most free Windows antivirus apps where it shows a small indication at the bottom of the screen on a window that's about something else. For example, Avast sneaks it in as part of an automatic update on the Continue window: https://i.imgur.com/NIZk9Pd.jpg


"Don't be evil"

Even if it is explicit the idea is to have it enabled by default so people accidentally install it and then hopefully start using it.

Which browser dominates should be based on its quality not how much money you spend on it :/


Having chrome installed by whatever [dark] pattern is at least putting it on an even footing with the platform's default browser - for those who would never proactively change their browser, this at least is closer to such a browser meritocracy.


Every one of my family members I have to uninstall it for is already running a fully-up-to-date copy of Firefox. The question is usually "why does the web look different?" or "why does Firefox have a rainbow ball now?".


What about putting it on an even footing with Firefox, because currently that's its biggest competitor.

The thing is with Firefox that if it's on your computer is most likely because you installed it yourself.


Pal, you know you're revealing the selves of both MS and Google!


So, they fucked it. Thank you!


My Windows 7 machine still has a nightly scheduled cronjob to run ccleaner in headless mode. I mostly used it to automatically securely wipe anything I put into the Recycle Bin.

Fortunately I don't think I've updated the program in 2-3 years, so it probably doesn't have any malware in it, but still, rather scary to think that was used to be a daily program for me is now infected.

Which reminds me, I probably need to call my dad and anyone else I installed that for...


I really liked the style of this article, it explained things that are very technical in a way that someone with moderate knowledge of the concepts can grasp. Hats off to the author!


With all these malware problems I look forward to more heavily sandboxed operating systems based on capabilities. Maybe Fuchsia will be that operating system, if it does not turn out to be a google spyware hell.


I think what you're looking for is Qubes OS https://qubes-os.org


I think you're just going to see more stuff become a Web app. Sandboxing doesn't make much sense with a system utility like this.


Isn't that what Microsoft are attempting with the Windows Store?

IIRC Windows Store apps don't run in the same way as regular Windows applications, they run in a sandbox.


I hope I can make Redox be that operating system.


So... SELinux?


"CCleaner is an application that allows users to perform routine maintenance on their systems."

It's 2017, how is this still a thing?


I don't understand the question. Maintenance will always be a thing, carried out by humans, cron, or the os itself doesn't really matter.


Why doesn't MS Windows do the maintenance - CCleaner does things like clean up ancient cache files, remove Windows update files, remove registry entries for software that's no longer installed.

That sort of maintenance seems like it's the result of poor design in an OS that has the hood welded shut.

I actually used ccleaner on Win 10 recently, an MS update had associated loads of files with TWINUI which wasn't installed making things like viewing images impossible. Ccleaner found of the order of thousands of stale entries, removed them and made a backup. It also let me simply check and disable startup programs - I don't think Win 10 has a way to do that in the user UI?


> Why doesn't MS Windows do the maintenance - CCleaner does things like clean up ancient cache files, remove Windows update files,

Windows 10 can already do this by default.

> remove registry entries for software that's no longer installed.

Uninstalling old style Windows software is a hard problem that generally can't be done in a foolproof way, without potentially breaking stuff, due to bad legacy design decisions like giving programs free reign to install stuff wherever they want, without a proper application model nor dependency tracking. Therefore, registry cleaners are also prone to break things.

https://support.microsoft.com/en-us/help/2563254/microsoft-s...

> That sort of maintenance seems like it's the result of poor design in an OS that has the hood welded shut.

That's what UWP solves.

https://np.reddit.com/r/Surface/comments/6ifyxq/spotify_for_...

> It also let me simply check and disable startup programs

This is already in the Windows 10 UI.


As other have said already, Windows does this - CCleaner does it ... better. And also did it before Windows did it.

Plenty of examples of native apps doing something that third-party apps do much better.


Microsoft also has a poor attitude when it comes to being good stewards of their customers' hard disk space:

https://blogs.technet.microsoft.com/joscon/2012/01/18/can-yo...

No, sorry, you don't get to take up 30 GB of valuable SSD space for some unspecified stuff that I might need later because removing it is "not supported."


I mean, nobody is stopping you from deleting stuff. They're just saying that if you want to do it you're on your own.


The OS does it by itself. It even includes an application so you can do it yourself if you want which is called "Disk Cleanup".


Just as one data point, the last time I ran Disk Cleanup, it hosed my entire Windows installation. The bug in question was documented as occurring in Vista, but wasn't fixed in Windows 7, and for all I know, still isn't:

http://www.winhelponline.com/blog/serious-disk-cleanup-probl...


I'm admittedly out of the loop, last time I used disk cleanup would have been Win7, I guess MS expanded it to do much more useful work?


On my W10 install, CCleaner usually finds ~1GB more than Disk Cleanup, not even counting browser caches.


You can disable startup programs from task manager in W10. Or msconfig in older versions.


I actually use Autoruns by preference, https://docs.microsoft.com/en-us/sysinternals/downloads/auto... .

If you type startup or autoruns or similar does Win10 suggest task manager, would never have thought to look there ... will try next time!


I think he's referring to the fact that you need a third-party application to perform maintenance, rather than have the functionality supplied in the OS.


> Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization.

Did you read the article? It can happen to any company. It just so happens they targeted a very popular downloaded application. Who knows what other software installers have been compromised.


So it was only the 32-bit executable that was affected?

By default CCleaner installs both the 32-bit and 64-bit versions, however on 64-bit systems it only runs the 64-bit executable and points every shortcut it makes to the 64-bit executable.

On one of my affected systems that appears to have had 5.33 installed, I noticed no registry keys that appear to be created and that system never ran the 32-bit executable.

Would it be safe to assume it's not affected and simply uninstalling CCleaner 5.33 is enough?

Piriform seems to suggest that only some useless system information was ever released by the compromised version. The general worry is that it wasn't just that information, but also other more important things like account logins and such.


"By default CCleaner installs both the 32-bit and 64-bit versions"

So the default for CCleaner, which is supposed to get rid of old system bloat and cruft, is to be bloaty and crufty, and install versions of itself the system does not need or can not use?


According to: https://news.ycombinator.com/item?id=15274517

This blog post from Piriform has more details: http://www.piriform.com/news/release-announcements/2017/9/18...

Basically they believe it was only the 32-bit installer that was compromised.


I wish there was more technical information, even the advisory is unclear here.

The CCleaner installer is always 32 bit for compatibility - it installs both 32 bit and 64 bit program binaries. On 64 bit systems, the default shortcuts are to the 64 bit binary.

So was the 32 bit installer compromised, or only the 32 bit binary? The original advisory makes references to the installer which is quite confusing. Tried to figure it out myself but I assume the loader has VM detection techniques as I wasn't able to infect a VM.


> Would it be safe to assume it's not affected

Well, it would be many things, but it wouldn't be "safe". Not a tinfoiler, just a pedant :) I could go with "reasonable".


I believe that it was just the 64-bit version. See their twitter reply:

https://twitter.com/piriform/status/910098222051446784

'The 64-bit version of CCleaner v5.33.6162 was not affected but we encourage all users to update to the latest version, 5.24.'


I found out that CCleanerSkipUAC in TaskScheduler appears to execute the 32-bit binary on 64-bit systems as well.

Avast/Piriform claim that the payload is not executed at all on 64 bit systems, and there is no secondary payload.

I guess it depends how much you want to trust that information.


It might be "acceptable" or "reasonable" to assume it's not affected. It would be safe to assume that it is.


Just wait until everyone finds out that Avast sells your raw traffic data to marketers and who knows else... (Google Jumpshot)


Found this post from 2015 for anyone else curious for details:

https://malwaretips.com/threads/avast-and-jumpshot.46539/


Once again, my bad habit of never upgrading in a timely manner has saved me a particular breed of egg on my face.


Question: I get my CCLeaner installers through Chocolatey, so it always installs the 64 bit version.

Obviously, this gave me quite a scare, so I downloaded and ran both MalwareBytes and Immunet - both came up negative. I checked my registry for the keys mentioned in the article, and found none of them. Can I assume I'm "safe" (well, one never is, but relatively speaking), or should I revert my system to an August image?


Apparently only the 32 bit installer was compromised.


CCleaner like Avast never make the job for me, I have always told people to stop using it.. but user need proof.

Even with ton of subject "I have removed X with CCleaner and now I.."


While the malware-ification of Avast has been a relatively slow process, [1] I have never trusted CCleaner, and I also groan when I see friends/family still using CCleaner after all the times I've helped them get out of jams CCleaner caused.

Anecdotally, I've seen CCleaner delete way too many false positives in the Registry, breaking applications, (and people have never heeded it's warning to properly backup the Registry), and worse entirely corrupt Registry Hives, breaking Windows.

The Hive database format of the Windows Registry was built to be read-mostly/write-rarely and doesn't survive well to active surgery, especially not "I run CCleaner once a week with all the options checked". Like I said, I've seen it corrupt entire Hives from too regular operation.

I'm also of the opinion that some of that "Windows slowdown" that these users complain of is a snowball impact of too much Registry surgery leaving sadly deteriorated/badly optimized for reading Hives behind, but that's mostly a hypothesis I have not scientifically proven.

[1] I kind of forgive people still running Avast out of habit from bad old XP days (not everyone got on the Microsoft Security Essentials train as fast as they could, and that was as much a marketing/awareness problem), though as knowledge that Windows Defender exists spreads there are increasingly fewer excuses to still run Avast.


Indeed, I explained some of the issues with cleaners here.

https://news.ycombinator.com/item?id=15277316


Was reading a copy of Maximum PC a while back and they suggested Privazer http://privazer.com/ . I've installed it on a couple of machines and it seems to do a pretty thorough job in cleaning the system.

The CCleaner infection was for win32 machines and from what I understand upgrading to the next version (v5.34) fixes the problem.


My new app: CCleanerCleaner will clear everything up in a jiffy.


Wow that's crazy, I was on the toilet just this morning running CCleaner on my phone as I do weekly and the thought momentarily crossed my mind that I shouldn't trust CCleaner on my phone (I limit my use of apps as much as I can) but my next immediate thought was, "Nah, this is Piriform we're talking about, they're one of the few free software developers I can probably trust to never inject malware into their products."

I mean, I guess that's still true since the build was compomised by an outside party, but it's still just an interesting moment of synchronicity.


Bundled installers are the worst thing about the old way windows software was distributed.


I think it is just about time for all apps to be distributed only by APPX package; now that the Project Centennial bridge has been available for several Windows builds, and what with the Anniversary Update making sideloading on by default, and the UX Upgrades for sideloading in the AU and Creators Update (and now with all of that several months to a year old).

Office itself is in Preview on the Windows Store, and when that comes out of Preview, other developers are especially going to be on notice to get applications into APPX packages, if not the Store, because for most applications if Office can do it, so can you.


Incredible write-up.


What's the easiest way to find out whether a computer is infected?


What can be done on machines that have a new install of CCleaner - Is there a patch available ?

Also does this effect the Mac OSX version of CCleaner or just the windows version ?


Edit: Updating with their release blogpost instead, as it's clearer:

Release Post: http://www.piriform.com/news/release-announcements/2017/9/18...

Affected Versions:

>This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download. We apologize and are taking extra measures to ensure this does not happen again.

macOS seems fine, it looks like it was their 32bit Windows/Cloud offerings:

http://www.piriform.com/news/blog/2017/9/18/security-notific...

>Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.

So if you have a Windows copy, look for a patch I guess. Seems like it's not just fixed, but the rogue server taken down.


They also have a portable version, which is what I always use, so you don't have the installer issue (of course the main exe could be compromised, but that's not the case here).


Just Wow. I am happy now that I haven't updated my installation of ccleaner for over a year and so I am safe.


I'm happy I'm not using Windows XP so I don't need this crapware anymore because Windows10 runs fast w/o it.


Well, if you're about to use Malwarebytes / Rogue Killer / ZHP Cleaner, you will win hours by cleaning all these temporary files before a scan.


I never needed this kind of software while running Windows XP. Protip: Quit installing more than you need.


I still run it occasionally on my windows 10 laptop which has a small ssd for the main drive.


Me too, good that their update isn't convenient.. for once. Still at 5.31.

Gotta check other computers though, and smartphones.


Does anyone know whether the macOS Version was infected?


Others have stated only 32-bit Windows installer was comprimised. So, no, macOS version was not infected.


good thing I refuse to update, still on 5.25 :D


"CCleanup" appears to be a wordplay on "cleaning up CCleaner", but it's confusing and unnecessary. Even though the original article is named that way, I propose changing the thread title to the proper, well-known application name, CCleaner.


Also "A vast" - a play on Avast.


Installer neither on your system. They do more harm than good.


Any proof?


https://www.google.com/search?q=ccleaner+broke+my+computer&i...

Two seconds to type four words into the search bar.


That doesn't prove the parents contention which was "they do more harm than good". They presumably have something they've based that opinion on other than the existence of problems with a particular app - if you don't have anything substantive to add then please keep your "lm[f]gtfy, lolz" type comments to yourself, thanks.


The opinion is based on the broken computers and applications that happen after running CCleaner.

That software basically go through your computer and delete a ton of things that it considers useless. Have you ever seen the defaults settings? For instance, it used to delete the history, cache and settings from all major browsers.


that's rotten news you guys. if ccleaner goes bad, then eset nod 32 will soon do too?:((((


Uninstalling CCleaner and formatting now.


Not much point in uninstalling if you're going to format anyway.


It's the software equivalent of a double tap.


I guess we know how Equifax got hacked.


Yes, via an unpatched Apache Struts vulnerability.


What is sarcasm to you people?




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: