
CCleaner and TR/RedCap.zioqa, you wanted a Top Drawer conspiracy and Whodunit ?


posted on Sep, 20 2017 @ 08:10 AM
The 32-bit .exe of CCleaner (Version 5.33.6162) was infected with TR/RedCap.zioqa. (x64 is clean)
Gentlemen, this was in the signed binary. (Talk about skill and knowledge.)

This happened right after Avast Security acquired Piriform makers of CCleaner.

It has the capability to download and install; the question is what, who and why.

In the last few years, Avast has gone rogue with much of their activities. Is it payback or an intentional hoax on their part?

Avast you have entered the big boy club, shall we play a game ? Hehe

Buck

For those interested, it's a floxif.trace variant.



edit on 20-9-2017 by flatbush71 because: (no reason given)




posted on Sep, 20 2017 @ 08:14 AM
a reply to: flatbush71

Well, ok, but for those of us who don't follow all the tech, what is Redcap and all that? What is it doing? Stealing files, downloading stuff to my computer like keystroke loggers, etc?
Little more info please.



posted on Sep, 20 2017 @ 08:18 AM
a reply to: flatbush71

LOL, I have always been of the mindset that the people who write viruses are the same people who sell you virus protection. If viruses didn't exist, you wouldn't need their product. Like up until recently, nobody bothered writing viruses for Macs. Not enough of them to warrant the expense.

Who wrote it? who is the first one to come up with "the fix"? But it's probably just my tin foil hat.



posted on Sep, 20 2017 @ 08:18 AM
a reply to: DAVID64




What is it doing?


I just said that as well. Nobody knows, D.
It's only been in the wild for a short time and was just detected a little more than 48 hours ago.


Guys, there is something really strange about this; it's just very unusual.


edit on 20-9-2017 by flatbush71 because: (no reason given)



posted on Sep, 20 2017 @ 08:26 AM
a reply to: flatbush71

Well...crap. Now I'm a bit worried. Not long ago [ 2 - 3 weeks? ] my computer was acting very strange. I have an app that shows how much RAM is being used, along with if the network is active and with the browser closed, it's usually only around 19%. Suddenly, I'm up to around 50% and that's just sitting here doing nothing. No browser open, not playing games, nothing. It also showed that the network was not being used. Then one day, as suddenly as it started, it stopped. I ran Malwarebytes and it didn't find anything, nor did Spybot. I know just enough about this stuff...to know I don't know a whole lot about this stuff.



posted on Sep, 20 2017 @ 08:33 AM
a reply to: flatbush71

It's usually very profitable if you can create a need for your products...
I've been using ccleaner for 10 years now..
And in all fairness, if you're still running 32-bit you kind of deserve it.



posted on Sep, 20 2017 @ 08:33 AM
Just uninstall and update CCleaner for the fix. That's easy.

I'm talking about the strange circumstances of the event within the conspiracy realm.

That's the puzzle.

Double Edit :

I love the hunt !
The prefix of the return address is 216.126.x.x


edit on 20-9-2017 by flatbush71 because: (no reason given)



posted on Sep, 20 2017 @ 08:43 AM
I work with some infosec people who were on this more than 48 hours ago... my understanding is that all the thing is doing is capturing system information (os, installed apps, versions, etc) and sending them out to one specific IP.

Looks like an inside job.

Basically just scoping out potential targets for actual attacks.
Poorly executed, IMO, since they didn't get the 64 bit variant. Perhaps the target was government? I know there are still XP systems in use around the world.
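An added detection example (not code from the thread or from any of its posters): given a connection log, flag outbound connections to the 216.126.0.0/16 prefix quoted earlier in the thread and note whether the source process is a CCleaner binary. The log format, sample addresses, ports and file paths are constructed assumptions for this example.

```python
import ipaddress
import ntpath
import re
from typing import Dict, List, Optional

# Only the prefix 216.126.x.x is quoted in the thread; the full address is not.
SUSPECT_PREFIX = ipaddress.ip_network("216.126.0.0/16")

# Constructed sample log (hypothetical format: timestamp image direction remote:port).
SAMPLE_LOG = """\
2017-09-20T08:00:01Z C:\\Program Files\\CCleaner\\CCleaner.exe outbound 216.126.0.10:443
2017-09-20T08:00:05Z C:\\Program Files\\CCleaner\\CCleaner64.exe outbound 203.0.113.7:443
2017-09-20T08:01:10Z C:\\Windows\\explorer.exe outbound 216.126.1.1:80
2017-09-20T08:02:00Z C:\\Program Files\\CCleaner\\CCleaner.exe outbound 10.0.0.5:445
not a log line at all
"""

# Image path may contain spaces, so it is matched non-greedily up to the direction field.
LINE_RE = re.compile(r"^(\S+) (.+?) (inbound|outbound) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, image, direction, ip, port = m.groups()
    return {"ts": ts, "image": image, "dir": direction, "ip": ip, "port": int(port)}


def find_suspect_connections(log_text: str, prefix=SUSPECT_PREFIX) -> List[Dict[str, object]]:
    """Return outbound records whose remote address falls inside the suspect prefix,
    tagging each with whether the source image looks like a CCleaner binary."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["dir"] != "outbound":
            continue
        try:
            addr = ipaddress.ip_address(str(rec["ip"]))
        except ValueError:
            continue  # malformed octets such as 999.1.1.1 are skipped, not flagged
        if addr in prefix:
            name = ntpath.basename(str(rec["image"])).lower()
            rec["is_ccleaner"] = name.startswith("ccleaner")
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_suspect_connections(SAMPLE_LOG):
        print(hit["ts"], hit["image"], "->", hit["ip"], "ccleaner" if hit["is_ccleaner"] else "other")
```

Any hit from a CCleaner image is worth checking against the binary's version and bitness, since the thread reports only the 32-bit 5.33.6162 build as affected.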



posted on Sep, 20 2017 @ 08:48 AM
a reply to: flatbush71

Any chance it was infected on the server it's being hosted from?
Server hacked, exe replaced with 'their' own version and everyone thinks ccleaner is just scrubbing the registry like it usually does.



posted on Sep, 20 2017 @ 09:05 AM
Ok, Hehe, I was finally able to get Charlie-Tango on the phone.

And have complete forensic report.

(Chuckle) This is Bravo-Sierra.


I'm not going to name here where it went, but the right people do know and that's what counts.

Buck



posted on Sep, 20 2017 @ 09:10 AM
a reply to: flatbush71

I have CCleaner. I removed it then reinstalled. Is that enough or is there something still fishy left in the registry?

Something strange happened at the same time. I started up my PC and Windows and CCleaner had automatically installed the trial version of the non-free version. I have used CCleaner for years and never had an issue. That was prior to the new installation. I may have been caught by this as I have only just configured a new machine.

It's a useful free program, but not THAT useful. There are alternatives and if it keeps messing up, well. Windows can do all it does and more, just that it is not all in the same place. The registry clean up is a very useful tool as so many programs upon removal still leave files everywhere.


edit on 20-9-2017 by Revolution9 because: (no reason given)



posted on Sep, 20 2017 @ 09:50 AM
It took a while to digest all the gobbledygook.
All it's doing is making a copy of the system profile, encoding that information and transmitting it (if it can make a connection).
It's not doing any damage to systems.

CCleaner is a victim in all of this.

There is a rogue element involved in all of this, inside Piriform, inside Avast or completely outside; it still smells.

I want to say a lot more, but I'm going to leave it at that.

Buck



posted on Sep, 20 2017 @ 09:53 AM
You are 100% correct sir! I haven't used AV for the last 10 years and all my computers work better than they did with AV. Maybe businesses need it but for the personal user, it's just another racket.

Just don't open weird emails and you will be okay.

Look at John McAfee and tell me you trust the AV industry, smh.
a reply to: network dude



posted on Sep, 20 2017 @ 10:43 AM

originally posted by: DAVID64
a reply to: flatbush71

Well...crap. Now I'm a bit worried. Not long ago [ 2 - 3 weeks? ] my computer was acting very strange. I have an app that shows how much RAM is being used, along with if the network is active and with the browser closed, it's usually only around 19%. Suddenly, I'm up to around 50% and that's just sitting here doing nothing. No browser open, not playing games, nothing. It also showed that the network was not being used. Then one day, as suddenly as it started, it stopped. I ran Malwarebytes and it didn't find anything, nor did Spybot. I know just enough about this stuff...to know I don't know a whole lot about this stuff.


You may have processes running in the background being "triggered" (sorry I couldn't resist) by the TASK SCHEDULER (found in the Control Panel) and using system resources. Click on the Scheduled Task Library and scroll down the list- you might be surprised by what you find, but chances are that it isn't anything insidious.
edit on 9202017 by seattlerat because: added a link



posted on Sep, 20 2017 @ 12:04 PM
a reply to: flatbush71

I do have CCleaner on my computer and don't use it anymore. I haven't deleted it from my computer yet. I do have another type of cleaner on my system and a good firewall. My firewall warned me about CCleaner trying to access certain files yesterday afternoon. I didn't find out about that company getting hacked until later in the day. I was glad that I listened to my gut instinct and blocked what CCleaner was trying to do.



posted on Sep, 20 2017 @ 06:10 PM
a reply to: flatbush71

YEP!
Malwarebytes caught the Floxif trojan.

From what I can tell, CCleaner tried to do an update in a really odd manner.....and I stopped it and went to the site to do the update instead.
It must have laid the nasty somewhere and Malwarebytes picked it up and quarantined it.

SHEESH



ETA
BTW....using 64 bit
...and Win7 at that.....supposedly it only affected Win 10 32-bit

www.msn.com...
www.eweek.com...
edit on Wed Sep 20 2017 by DontTreadOnMe because: (no reason given)



posted on Sep, 20 2017 @ 06:14 PM
Does the average consumer still use x86?

I haven't worked on one in quite awhile!



posted on Sep, 20 2017 @ 06:15 PM

originally posted by: flatbush71

Guys there is something really strange about this, its just very unusual.



I have a 64-bit system and no problems, and that reg entry "Agomo" isn't there.

But I just got an "update notice" from CCleaner !! Oh Oh

Went ahead and did it with no problems yet.




posted on Sep, 20 2017 @ 06:39 PM
a reply to: flatbush71

As interesting as the possibility of some insider at Avast inserting malware into its legal software may be, it's not exactly the first time something like that has happened.

But check this out!!




Heating, ventilation, and air conditioning (HVAC) systems can be used as a means to bridge air-gapped networks with the outside world, allowing remote attackers to send commands to malware placed inside a target’s isolated network. This type of attack scenario — codenamed HVACKer by its creators — relies on custom-built malware that is capable of interacting with a computer’s thermal sensors to read temperature variations and convert these fluctuations into zeros and ones — binary code.

The malware, already installed on a computer on an isolated network with no Internet access, reads the temperature variations created by the HVAC system and converts the received thermal signals into malicious operations.

Researchers from the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel were the ones who came up with this attack scenario, and they created proof-of-concept malware that can be used to execute HVACKer attacks.

They also created a custom line-encoding protocol that allows a remote attacker to send commands using temperature fluctuations. This custom line-encoding protocol — the technique of breaking down binary data to voltage, thermal, or optical signals — was needed because classic line-encoding methods were too slow and inaccurate.

Attackers Can Use HVAC Systems to Control Malware on Air-Gapped Networks

Now that is some crazy sh*t right there. Using temp changes to transmit code. Wow. I read a while back about some guys doing the same with sound to jump the air gap. But using a completely separate system (HVAC equipment) to send code to an isolated network using temperature changes?!?!?!?! F*cking Bananas!!!



posted on Sep, 21 2017 @ 03:53 AM
a reply to: mOjOm

That's the dumbest thing I have ever heard and it will never have a real world application for taking down targets.

You need to first hack the actual PC you want (Near Impossible) then..

Ugh..Just..no.



