Fixlet to uninstall CCleaner

Does anyone have a fixlet I can use to uninstall CCleaner?

https://bigfix.me/fixlet/details/23868

@rsingh
If you are trying to uninstall CCleaner in response to this…

I would caution you that even if you remove CCleaner from the system, it is likely the C2 will still persist on those machines if C2 was already established. By removing CCleaner from your machines you will be losing one of your IOCs for detecting systems with the infected CCleaner version 5.33. You should write an analysis to review your risk level from CCleaner in your enterprise and mark those systems for rebuild.

If you or your networking team has NetFlow analysis, you can see if there are any systems talking to the C2 IP listed in the article.


I agree @sbl .

Any system that has CCleaner 5.33 should be marked for rebuild before any removal, and removal isn’t going to be sufficient.

For short-term remediation, running something that may clean up the infection is an option, but I would recommend nothing less than a full rebuild.


We are going to investigate any machines with version 5.33 and later with the assumption they were upgraded and can be in scope of rebuild.


@sbl and @jgstew, I tried my analysis but it's not picking up the correct version; unsure what I'm doing wrong.

(windows of operating system) and (version of operating system >= "5.1" as version) and (if exists property "in proxy agent context" then (not in proxy agent context) else true) and (free space of drive of client > 7991656 * 2) and (exists regapp ("CCleaner.exe") whose (version of it < "5.33" as version))

I think this part should be:

(exists regapp ("CCleaner.exe") whose (version of it >= "5.33" as version))

It might also be a good idea to just uninstall CCleaner with a version older than 5.33 just to keep it from joining the pool of potential rebuilds if upgraded and never having had the bad version.

Wouldn’t it also make sense to query the registry (HKLM\SOFTWARE\Piriform\Agomo:NID) for any value there, as it appears on my reading of the article that the exploit reads that IP address there (but does nothing with it). If there’s an IP address there, wouldn’t that indicate at least some sort of infection?
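As an added example (not from this thread, and not a BigFix fixlet or anything published by Piriform), the following PowerShell script does the two checks the posts above describe on a single host: whether the installed CCleaner.exe reports a version of 5.33 or later, per the corrected relevance in the thread, and whether the HKLM\SOFTWARE\Piriform\Agomo key holds any values, per the reading of the article in the post above. Assumptions: CCleaner is located through its uninstall entry or the default Program Files paths; the WOW6432Node path is included for the 32-bit registry view on 64-bit Windows; any value at all under Agomo is treated as an indicator. It reports a triage verdict for the rebuild decision and removes nothing.

```powershell
# Added example, not from the thread: ad hoc triage of one Windows host for the
# CCleaner 5.33 indicators discussed above. Run in an elevated PowerShell session.
# Assumptions (labelled): default install paths, 32-bit registry view under
# WOW6432Node, and that any value under the Agomo key counts as an indicator.

$BadVersion = [version]'5.33'   # version from which the thread marks hosts in scope
$AgomoKeys  = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',                # path quoted in the post above
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'     # assumed 32-bit view on x64
)

function Get-CCleanerExe {
    # Locate CCleaner.exe via its uninstall entry, then fall back to default paths.
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $uninstallRoots) {
        $entries = Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
                   ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue }
        foreach ($e in $entries) {
            if ($e.DisplayName -like 'CCleaner*' -and $e.InstallLocation) {
                $exe = Join-Path $e.InstallLocation 'CCleaner.exe'
                if (Test-Path -LiteralPath $exe) { return $exe }
            }
        }
    }
    $defaults = @("$env:ProgramFiles\CCleaner\CCleaner.exe")
    if (${env:ProgramFiles(x86)}) { $defaults += "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe" }
    foreach ($p in $defaults) {
        if (Test-Path -LiteralPath $p) { return $p }
    }
    return $null
}

function Test-CCleanerIndicators {
    $result = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        CCleanerPath    = $null
        CCleanerVersion = $null
        VersionInScope  = $false    # true when file version >= 5.33
        AgomoKeyPresent = $false
        AgomoValues     = @()
        Verdict         = 'no indicators found'
    }

    $exe = Get-CCleanerExe
    if ($exe) {
        $fv = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        $result.CCleanerPath    = $exe
        $result.CCleanerVersion = $fv
        # FileVersion strings can carry trailing text; keep only the leading digits/dots.
        $parsed = $null
        if ([version]::TryParse(("$fv" -split '[^0-9.]')[0], [ref]$parsed)) {
            $result.VersionInScope = ($parsed -ge $BadVersion)
        }
    }

    foreach ($k in $AgomoKeys) {
        if (Test-Path -LiteralPath $k) {
            $result.AgomoKeyPresent = $true
            # Drop the PS* provider properties so only real registry values remain.
            $props = Get-ItemProperty -LiteralPath $k
            $names = $props.PSObject.Properties |
                     Where-Object { $_.Name -notlike 'PS*' } |
                     ForEach-Object { "$($_.Name)=$($_.Value)" }
            $result.AgomoValues += @($names)
        }
    }

    # Verdict follows the thread's advice: key present or 5.33+ means rebuild, not cleanup.
    if ($result.AgomoKeyPresent)    { $result.Verdict = 'REBUILD: Agomo registry key present' }
    elseif ($result.VersionInScope) { $result.Verdict = 'REBUILD CANDIDATE: CCleaner >= 5.33 installed or upgraded from it' }
    elseif ($exe)                   { $result.Verdict = 'CCleaner < 5.33: uninstall to keep it out of the rebuild pool' }

    [pscustomobject]$result
}

Test-CCleanerIndicators | Format-List
```

The verdict order matters: the Agomo key outranks the version check, because a host that was later upgraded to a clean build still carries the key if the backdoored build ran, which is exactly the case the posts above warn you lose sight of once CCleaner is uninstalled.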

The content is restricted; I am unable to download it even after messaging the content owner.

Are you logged in to BigFix.me when you try to download the fixlet?

Yes, I have logged on to BigFix.me.