Talos recently observed a case where the download servers used by a software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size, we decided to move quickly. On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities. The following sections will discuss the specific details regarding this attack.
Don’t use registry cleaners. They serve no purpose.
Hasn’t this program been infested with adware for years, in addition to being essentially digital snake oil?
No, CCleaner under Piriform has been really… clean, to say the least. All their products were rather free from nag things. But the chosen file hosts were quite messy, I must admit.
I completely disagree with this statement. I have been in this business for a long time, and where I see the value of registry cleaners is when something isn’t working as expected. An actual story that happened to me was that I had Office 2013 that would not work. It kept going through a loop where when Excel opened it would complain about missing setup files. It would then ask for a recovery “disk” (yes I said disk). I tried all recommended patches and fixes from MS and nothing worked. I then turned to CCleaner as I had a lot of bloat on my system anyways and sure enough the problem was gone after one CCleaner run. Now I think it is a small percentage of problems that would run into this but I do believe it has its place.
Let me follow this up by saying a reinstall and an uninstall and then install also did not fix the issue.
Yup, used to install our products using InstallShield, which had the bad habit of leaving traces/leaks all around the registry and hard disk, making further installations hazardous if not plain futile.
I had to program my own version of a registry cleaner to remove any hints of a previous installation to allow customers to reinstall our software. I then switched to InnoSetup and all problems were gone.
Hail to good guy Jordan Russell.
Uhmm what kinda “bloat”, the kind you know you never should have used in the first place? You know what happens when you start trusting shady 3rd party fixing programs? You get malware. So you either fix the problem the right way (TM) or you get malware.
I love trolls like you. You come to attack someone. So let me tell you about myself, you minuscule little man. I have designed full fledged applications by myself for multiple organisations (including gov’t orgs to help children) and have also been a lead developer for Syllable once. So when you attack someone you should really do your research.
And, when your company asks you to install software for business purposes (like Office or say a PDF reader, or different software to test validity of certs, or Wireshark, or Bash for Windows so you can use Windows while in a meeting where you must present MySQL queries/bash commands to prove the validity of your programs and your presentation software does not work well with your remote desktop nor do you have time to set up something better cause you are too busy designing real software) and then you no longer need it, you get rid of it! Because if you don’t, your company issued computer is slow and does not work as efficiently as you need it to while you are compiling/interpreting QT4.8/QT5/NodeJS/PERL applications.
You DO know you sound like someone who sells shoes saying they are qualified to do foot surgery? Because if you are using registry cleaners to “fix muh box” you are frankly as bad an end user as those grandmas that click on everything whose PCs I have to fix!
If you were an actual educated computer end user? Then you would know 1.- Don’t install crap on your PC, 2.- If for ANY reason you have to install crap on your PC you use an install trace program like Revo to make a log of every change to your system so that on uninstall ALL of the changes are reversed, and 3.- You should have multiple disk images both on and offline so if any serious issue happened you could restore your PC in under 30 minutes with a single click.
I’m sorry but registry cleaners can seriously screw a PC up, most do not understand symlinks for just one example and if you had actually been a competent end user frankly a registry cleaner would never have been needed because you wouldn’t have had programs crap all over your PC in the first place, see rules 1-3.
First of all, Revo is a pretty good utility and I can’t disagree with that. Understand that I have used Linux primarily from 2002 and on, so being adept in Windows management is something I only do when I need to (I despise Windows).
Second, I agree that registry cleaners are terrible as they pose a lot of risk. I would not suggest them to everyone, but to a trained technician they are of great benefit. I don’t mind, for myself, taking that risk. But I would be much more cautious with someone else’s computer.
Third, again disk images are good but when you have a deadline that you have to meet and that means installing some software that you would rather not under other circumstances, you just usually bite the bullet and deal with the consequences after.
Fourth, who said anything about crap? I install software I need at the time. I don’t go to download sites and am very meticulous in what I install. That does not mean anything though. At one point I had 3 different versions of Visual Studio (yes I could have installed appropriate SDKs but that takes more time to get right), Android SDKs/NDKs, QT4.8/5.3, Netbeans 8.1, Eclipse, etc. installed at the same time. Unfortunately not many products are great at removing themselves though and they leave residuals and sometimes need to be removed the more risky way. Again, you weigh the risk vs the reward.
What disk imaging software do you recommend?
Hiren Boot CD
Paragon Backup & Recovery. They have a free version if all you want to do is have disk images or if you need a full suite including disk partitioning and HDD management you can buy the full suite.
The nice thing about Paragon is it can set up an encrypted backup capsule which will store disk images (you can also have offline images as well which is what I recommend and do myself) which you can just push a key combo at boot and even if your PC is so messed up it cannot boot into the OS it will let you boot into the Paragon management tool and restore the PC easy peasy.
I’ve been using it for years as well as recommending it to customers and it works quite well, even in the free version you can browse inside images and restore single files/folders as well as entire images, it allows incremental images to keep image sizes down, you can lock an image so you can have a “fresh install with all my programs” image for refreshing Windows and it doesn’t get simpler to use than Paragon. Two thumbs way up.
PS. I will add to your three points a 4.- Test software in a virtual machine.
You are right. Registry cleaners do have their place as a really final last ditch effort to get really broken systems working again. In those situations it is worth it to try because the next best option would be a clean wipe, which is what you SHOULD do in a business situation and which is what you will probably need to do in any other situation as well. Even if the registry cleaner fixes your 1 problem it might cause another one that you will not notice until much later.
If you check the “bugfix history” of the regcleaner component of CCleaner you will see some major bugs have happened over time. This means that for most users of this component CCleaner will have caused more problems than it solved.
The disk cleaning components of CCleaner are very good, but will mostly just remove caches that will slow down the programs you just cleaned up. This was useful a decade or 2 ago when disk space was a limiting factor but now it is rather useless as well.
CCleaner is probably the best program of its sort. It is small, free, often updated, has a portable version, looks nice, etc., but except for niche cases it is no longer needed.
In Summary
Regcleaners will not make your system work better/faster, but they might fix your “unsolvable” problem when you are in a jam. They should not be used generally!
Diskcleaners make you feel better, but probably slow your programs down
For startup items, just press CTRL+Shift+ESC (taskmanager), find the Startup tab and disable everything you want. It even has a nice “Startup impact” column
For disk cleanup, just run “cleanmgr /sageset:0”, check everything you want, run “cleanmgr /sagerun:0” after major changes on your system (like the now 6 monthly upgrades of Windows 10)
For registry cleanup: NOPE NOPE NOPE (In case of extreme emergencies there is an automatic registry backup at c:\Windows\System32\config\RegBack)
I can’t disagree with any of this. It definitely is preferred to clean wipe, when time permits. Unfortunately at my current job, where I have used Windows for the first time (outside of tech support roles), that does not happen; therefore I use CCleaner and tools of that sort to get my computer working again. Do I think it is a great approach? No, but it is a method to keep on going.
Without knowing too much about your job I would start looking at system imaging to create backups of a well working system. You CAN rely on system images to restore a system to its working state. You CANNOT rely on CCleaner and similar tools to get that same result.
(at my work we store system images for 50-100 systems in about 200 GB because a good system imaging tool only stores everything once and there is enormous overlap between systems. Just look up dism /capture-image and dism /append-image for a very rudimentary solution)
Since the identity of the vendor is known (because the package is signed), does this mean the vendor is liable to pay for damages, just like if a supermarket that sold flour containing arsenic would be? No? “Software doesn’t work that way”?
And this is why we are headed towards a software-driven dystopia, fast. The update to the autonomous system of your car will steer you towards a brick wall, or the update to the collision avoidance system could slam the brakes while you are driving on the highway, and the vendor will be able to just point to a third party and avoid all responsibility for any damages.
Vendor is also a popular AV manufacturer (Avast).
Most certainly they will have to pay up for business users that used their corporate services.
Any OS that need crappy tools like ccleaner to (attempt to) run properly… is fundamentally broken.
Any OS that needs “antivirus” software to become a “normal” setup .. is fundamentally broken.
You had better switch to an abacus then just to be safe. NO OS is safe from Virii or Malware, none, nada!
I think you might mean “viruses”.
Singular: Virus.
Plural: Viruses.
Of or having to do with/relating to a virus: Viral
WTF is “Virii?”
Why is it so hard to get basic English spelling and grammar right? Normally I don’t care about misspellings… but come on! Let’s not make up words/plural versions here.
I believe I said the same thing, but was more polite about it.
The reason English is so hard is because it isn’t a pure language, and has many bastardised (or is that bastardized?) roots.
Unfortunately these days I often find that non-native English users are often better at spoken and written English than the English themselves.
The current trend of presenters or reporters on UK TV at the moment that say “drawring” or “sicth” (instead of “sixth”) drives me mad!
I also find that although American pronunciations grate to my ears, they are often more consistent with English pronunciation rules than the English use. Of course there are then the contradictions where we follow the rules but for some reason they don’t.
You cannot even imagine about French.
Octopuses? Octopus, octopoda, octopi is the correct form for example according to the Oxford English Dictionary (the only dictionary that matters). This could probably work in a similar fashion with virus, however it doesn’t. The first example in the Dictionary of plural virus = ‘A large number of viruses emerge from the host cell before it dies.’
So viruses is correct use.
Any OS that borks itself during an “upgrade” .. is fundamentally broken. I’m looking at *you* Ubuntu…
I’ve been using Ubuntu since Hoary or Breezy and haven’t had an up grade problem since Dapper (6.04). I also administer numerous Ubuntu workstations and don’t have this issue.
I’m calling bullshit on this one.
Lucky you. I haven’t had a successful upgrade yet. Fedora on the other hand has been flawless.
Even Android doesn’t need
(1) a cleaner app
(2) anti-virus app
Even Android.
Even Android has and needs both. Why do you think Google introduced Play Protect?
CCleaner has often served me in the past. Whether or not Windows is broken because such tools are needed (and yes that is a shame) is irrelevant for the statement “CCleaner is a great tool”.
CCleaner is not just a registry cleanup tool. It also helps clean the computer of temporary files, programs, cached stuff and so on. I like the all-in-one interface for such tasks.
Further, I agree with others (above) that registry cleanup can be very useful. E.g. broken file associations and broken explorer.exe extensions can be fixed.
That it got infected with malware is very, very disappointing because the mother company is Avast. I hope they do follow up on this.
I use Linux a lot, on the server, and increasingly on the desktop as well. Still Windows and many applications (games, Outlook) have their use.
Well .. there are developers that hate it.
That’s part of the reason Google no longer allows on Android for other applications to access / manage the cache of existing ones.
Also Apple and Microsoft offered built in options for keeping the system “clean” or at least move the unnecessary data somewhere else..
By design it shouldn’t exist if everything is built by the book. Problem is, it never is.
No, it isn’t great. It’s a terrible sign that the registry was a terrible idea. Microsoft should provide a tool. Trusting small third parties is a really bad idea.
If you need it, either your system had a very bad day, or a very bad user who installed bad programs on it. In either case the proper solution is not CCleaner, but a full system wipe and restore.
Aka, any OS that allows root access (ClamAV, anyone?). Desktop Linux has the same “security advantage” Mac OS X had before the mid-2000s, aka it isn’t profitable enough for malware crime rings to target. In fact, with security being lax all around Desktop Linux (for example, third-party .deb or .rpm packages are often not signed, install.sh scripts are never signed but often require root access and the Ubuntu updater has to be manually triggered by the user instead of being automatic) I wouldn’t be surprised if Desktop Linux has its own Flashback moment if it ever becomes profitable to do so for malware crime rings.
No, the real problem with the registry, IMHO, isn’t that it’s a single place for programs to store data. That’s kind of defensible, if there was a better way for the system to automatically deal with the occasional corruption that happens due to old/bad disks and or cosmic rays.
The real problem with the registry is the way COM objects are stored/registered in there. That’s where I’ve always had problems with it.
Long story short, they’re kind of nested and self referential. And if important webs of those break, those lead to issues described here that are so difficult to fix, people want an application to automatically fix for them. If it was just a storage space for hierarchical name value pairs related to application settings, there wouldn’t really be a need for something like CC Cleaner.
Not sure I understand your points about Linux. There are tools and technologies to prevent issues with third party installs (which like every other OS, should not be installed from untrusted sources). Haven’t used desktop Ubuntu in a while, but Fedora updates are automatic prompts by default in the workstation version. They can be easily automated.
PS. If you want to pick on Desktop Linux Security, pick on Xorg. It’s terrible.
? & does that carry over to Wayland?
Yeah, but letting stupid apps that neglect to wipe their own crap bork down the whole system is the OS’s problem.
I agree that ccleaner has its uses. A good one is to delete temp files that contain malware that runs on startup. It works as intended. The issue with 5.33 was only on 32-bit Windows.
The Ccleaner issue only affected 32bit versions.
I use it to cleanup cookies, temp space, easy startup look.
I often use it on a repair job. I don’t want to see what a customer has been up to on their broken PC.
Then, after the fix, I run it again to clean up what test programs, browser stuff I’ve been doing.
It is generally accepted that the registry concept was a bad idea. A single point of failure, accessed by all, almost needs its own os and file system just for maintenance, vulnerable to corruption, massive and badly implemented. Each application having its own .INI file is a valid replacement for all the registry’s faults and it was what the registry was designed to replace in the first place.
A good description of the registry’s woes: http://getwired.com/2012/06/24/the-windows-registry-it-seemed-like-…
Anyone who has to maintain Windows acknowledges that a system that has had many applications installed/uninstalled over time will have a bloated and unnecessarily complex registry. Boot times increase the longer this is retained. The impact can be drastically reduced by a registry clean out. Boot times of 15-30 secs on a 2ghz core2duo are achievable after tuning the system that includes a registry clean-out.
Reinstalling the OS is not always practical and so a registry cleaner is a useful tool. To say it is useless undermines your technical competence in this area. These days I feel that OSNews is becoming phone and tablet news from Apple.
What happened to valid, real-life information useful to users and maintainers of real operating systems and not just GUI users?
Boot times hardly depend on the CPU speed, much more on the storage subsystem…
Read the bold text…
So? Any amount of tuning will pale in comparison to simply, say, changing your storage subsystem from HDD to SSD. You seem to not realise that, especially since you boasted your CPU which has minuscule impact…
Hi,
I can’t help but feel that the entire issue (security concerns of having intermediaries in the supply of any software) is being ignored in favour of an irrelevant distraction (whether or not registry cleaners are good/bad).
What if it was a Ubuntu repository that was hacked to distribute malware alongside trusted software from trusted publishers? What if it was Steam that was hacked to distribute malware alongside games? It doesn’t matter what the software is, the problem is that there’s increased risk involved with not getting software directly from the publisher themselves.
– Brendan
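The Talos excerpt at the top of the thread and Brendan’s post above make the same point from two sides: the poisoned CCleaner 5.33 build carried a valid vendor signature, so a signature check on the downloaded file would have passed, and the only thing that distinguishes a tampered copy from a clean one is a digest pinned through a channel the mirror does not control. The script below is an added example, not code from the thread, from Talos, or from Avast/Piriform. It assumes the vendor publishes SHA-256 digests out of band (their own HTTPS page, a signed release note) and that you fetch that manifest separately from the installer; the manifest, the file names and the file contents here are constructed for the demonstration.

```python
"""Verify downloaded installers against a hash manifest obtained out of band.

Added example (not from the original thread or from Talos/Avast/Piriform).
Assumptions: the vendor publishes SHA-256 digests over a channel independent of
the download mirror; the manifest, file names and file bytes below are
constructed for the demonstration and are not real release artefacts.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time so a large installer is not read into memory


def sha256_file(path):
    """Streaming SHA-256 of a file, returned as lowercase hex."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, manifest):
    """Return 'ok', 'mismatch' or 'unknown' for the file at `path`.

    manifest: {filename: expected_sha256_hex} published by the vendor out of band.
    A valid Authenticode signature is deliberately NOT treated as sufficient:
    the CCleaner 5.33 build that carried the payload was signed with the
    vendor's own certificate, so only a digest pinned outside the
    distribution channel separates it from a clean build.
    """
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        return "unknown"          # never run something the manifest does not list
    actual = sha256_file(path)
    # constant-time compare so the check cannot leak how much of the digest matched
    return "ok" if hmac.compare_digest(actual, expected.lower()) else "mismatch"


def demo():
    """Constructed scenario: a clean installer, the same file name served by a
    mirror with altered bytes, and a file the manifest never listed."""
    clean = b"MZ" + b"\x00" * 64 + b"CLEAN-INSTALLER-BODY"
    tampered = clean + b"\x00" * 16 + b"EXTRA-STAGE"   # same name, extra payload
    results = {}
    with tempfile.TemporaryDirectory() as d:
        listed = os.path.join(d, "example-setup.exe")   # constructed file name
        with open(listed, "wb") as f:
            f.write(clean)
        manifest = {"example-setup.exe": sha256_file(listed)}  # vendor-published digest
        results["clean"] = verify_download(listed, manifest)

        with open(listed, "wb") as f:
            f.write(tampered)    # mirror now serves the modified build under the same name
        results["tampered"] = verify_download(listed, manifest)

        unlisted = os.path.join(d, "example-setup-next.exe")
        with open(unlisted, "wb") as f:
            f.write(clean)
        results["unlisted"] = verify_download(unlisted, manifest)
    return results


if __name__ == "__main__":
    print(demo())
```

The useful property is the third outcome: a file the manifest does not cover is refused rather than accepted, which is what keeps a mirror from slipping in a build the vendor never published. It does not protect against the vendor’s own build pipeline being compromised, which is the other half of the CCleaner case and is out of reach of any client-side check.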