
    • CommentAuthor: korkskrew
    • CommentTime: Sep 19th 2017
    Fuuuuuuuck! I just installed that, to clean up a cluttered backup drive.

    This really sucks. I wonder what the malware does. Anyone know?
    • CommentAuthor: korkskrew
    • CommentTime: Sep 19th 2017
    After a little reading, it looks like it was only mapping out my LAN, but didn't have a keylogger or anything that could compromise my LAN security. It also looks like uninstalling does remove it.

    Can anyone point to different info than this? I need to know, because I have about 25 bitcoins at risk.
    • CommentTime: Sep 19th 2017 edited
    The Talos report is available at

    (Check your system for the registry key identified in that report.)

    Craig Williams, one of the authors of that report, replied to a question in the comments that asked if simply uninstalling the malware would also remove the malware with:

    Uninstalling the tool will not remove the malware. To remove the malware you should restore from a previous backup that is known to be clean or try a virus removal tool.

    The CCleaner website does not explicitly state that updating CCleaner removes the malware. They added a blog post about it here:

    The only place where I saw a claim that uninstalling or upgrading CCleaner would also remove the malware was on bleepingcomputer. I have not seen any evidence to back up that claim yet.

    I wouldn't have expected uninstalling CCleaner to also remove the malware. I would have thought it likelier that updating CCleaner might remove the malware, but I would have expected Avast to explicitly make that claim in that scenario.
    • CommentTime: Sep 19th 2017 edited
    Posted By: Duracell
    I would have thought it likelier that updating CCleaner might remove the malware, but I would have expected Avast to explicitly make that claim in that scenario.

    Update to the CCleaner 5.33.6162 Security Incident

    Some media reports suggest that the affected systems needed to be restored to a pre-August 15th state or reinstalled/rebuilt. We do not believe this is necessary. About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary. Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary. By similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer.

    Customers are advised to update to the latest version of CCleaner, which will remove the backdoor code from their systems. As of now, CCleaner 5.33 users are receiving a notification advising them to perform the update.
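A defender-side check for the two indicators the posts above point at (the registry key named in the Talos report, and the CCleaner 5.33.6162 build that Avast says carried the backdoor), written as an added example for this thread; it is not code from Talos, Avast or Piriform. The registry key path below is a placeholder, because the thread does not reproduce it; substitute the key identified in the Talos report before running it. Run from an elevated PowerShell prompt on the machine being checked.

```powershell
# Added example, not from the thread or the vendor write-ups.
# Checks (1) whether the CCleaner build Avast named as affected is installed and
# (2) whether the indicator registry key from the Talos report is present.
# $IndicatorKey is a PLACEHOLDER path: replace it with the key from the report.
$AffectedVersion = [version]'5.33.6162'
$IndicatorKey    = 'HKLM:\SOFTWARE\PLACEHOLDER_KEY_FROM_TALOS_REPORT'

function Get-CCleanerInstall {
    # Uninstall entries from both the native and the 32-bit (WOW6432Node) views,
    # so a 32-bit CCleaner on a 64-bit Windows is still found.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Get-CCleanerBinaryVersion {
    param([string]$InstallLocation)
    # The uninstall entry can lag behind the binary actually on disk, so read the
    # file version of CCleaner.exe itself when the install folder is known.
    if (-not $InstallLocation) { return $null }
    $exe = Join-Path -Path $InstallLocation -ChildPath 'CCleaner.exe'
    if (Test-Path -Path $exe) {
        return (Get-Item -Path $exe).VersionInfo.FileVersion
    }
    return $null
}

function Test-CCleanerIncident {
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($app in Get-CCleanerInstall) {
        $candidates = @($app.DisplayVersion, (Get-CCleanerBinaryVersion $app.InstallLocation)) |
            Where-Object { $_ }
        foreach ($candidate in $candidates) {
            $parsed = $null
            if ([version]::TryParse($candidate, [ref]$parsed) -and $parsed -eq $AffectedVersion) {
                $findings.Add("Affected build present: $($app.DisplayName) $candidate")
            }
        }
    }

    # The indicator key is a placeholder until replaced with the value from the report.
    if (Test-Path -Path $IndicatorKey) {
        $findings.Add("Indicator registry key present: $IndicatorKey")
    }

    if ($findings.Count -eq 0) {
        Write-Output 'No affected CCleaner build and no indicator registry key found.'
    } else {
        Write-Output 'Findings:'
        $findings | ForEach-Object { Write-Output "  - $_" }
        Write-Output 'Review the Talos report and update CCleaner before relying on this result.'
    }
    return $findings
}

Test-CCleanerIncident
```

A hit on the version check alone only says the affected build is (or was) installed; the registry key is the indicator the report ties to the backdoor actually having run, which is why the two are reported separately.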
    • CommentAuthor: korkskrew
    • CommentTime: Sep 19th 2017 edited
    I don't have that registry key, so I think I may be able to stop hyperventilating now. Either Avast stopped it, or I used the 64 bit version of CCleaner. However it didn't happen, I'm glad.

    Still nervous though. My browser recently forgot all its cookies for no reason. It forced me to re-enter all my logins. Things like that always make me skittish.

    ETA: Thanks for the info Duracell
    • CommentTime: Sep 19th 2017
    "We are now down to 730,000 users" ... reminds me of the episode of Father Ted where Ted tries to reassure someone about the number of pedophile priests in the world ...
    • CommentAuthor: Asterix
    • CommentTime: Sep 20th 2017
    I've run CCleaner on my wife's computer (she seems to be wedded to Windows...sigh). And there only to clean up the registry--not running it as an always-resident program. So far, so good.
    • CommentTime: Sep 22nd 2017
    Hackers hold entire school district to ransom

    An entire US school district in Flathead Valley, Montana, shut down for three days after hackers going by the name of “TheDarkOverlord Solutions” targeted several schools, sending death threats to parents and promising to release students’, teachers’ and school administrators’ personal information unless a ransom was paid.

    It amounted to disruption of more than 30 schools across the valley, including cancellation of weekend activities and events through the weekend. Classes resumed on Tuesday under heightened security.

    Flathead County Sheriff Chuck Curry posted the ransom note on Facebook (with some information redacted), along with a written statement, to alleviate concerns about the physical safety of those in the school community.

    The Dark Overlord, or the more ironically titled The Dark Overlord Solutions (if you can stomach the endless ransom letter, which goes on for page after self-congratulatory, self-amusing page, you’ll notice that the group relishes its irony), is a known group.

    The Dark Overlord has gone after healthcare organizations.

    The group is also responsible for extorting Netflix, though the company refused to pay.

    Remember the group that wanted to spoil the release of Season 5 of Orange Is the New Black, back in May? Same group; at least, the group involved in this school attack is going by the same name, and it claimed to be responsible for the Netflix attack in its ransom note.

    In spite of having received 50 bitcoins (worth about $50,000 at the time) from an audio post-production studio in Hollywood, The Dark Overlord went right ahead and released the show anyway.

    The Dark Overlord spent a week making graphic death threats against children in Flathead County. The threats include the ransom letter’s horrific allusions to Sandy Hook, scene of the mass shooting murders of 20 elementary school children and six adult staff members. In spite of such threats, Sheriff Curry reassured residents that the group isn’t as murderous as it is full of hot air:

    We have made the unusual decision to release the ransom demand letter. We feel this is important to allow our community to understand that the threats were not real, and were simply a tactic used by the cyber extortionists to facilitate their demand for money.

    We have also discovered that they have frequently failed to live up to their promises to not release the stolen data in the past, even when their ransom demands have been met.

    We fully understand the concern and fear that has resulted from this cyber-attack, and want the community to know that all the valley law enforcement agency heads feel there is no threat to the physical safety of our children.

    Sheriff Curry said that the group is already under multiple investigations elsewhere in the US but that it’s located outside of the country.

    The hacking group managed to infiltrate the Columbia Falls school district server in order to steal personal information that included addresses, medical records, behavioral records and more for past and present students, staff and parents. More than 15,000 students were affected by the school closures, which included cancellation of away games.

    This isn’t just your run-of-the-mill ransomware. If the extortion is in fact coming from the well-known hacking group, it’s the first time they’ve added death threats to the mix.

    A local newspaper, the Flathead Beacon, quoted Zuly Gonzalez, co-founder and CEO of Maryland-based cyber security firm Light Point Security, who’s familiar with The Dark Overlord’s modus operandi:

    I’ve never heard of them actually threatening anybody’s lives, especially children… Usually these groups aren’t really designed to do that type of stuff.

    The Dark Overlord is, as far as law enforcement can determine, overseas. They’re not close enough to carry out physical harm. Hopefully, that will lessen the fear that parents must have felt when they received threats against their children’s lives.

    Gonzalez thinks it likely that the targeting of Flathead schools was random. These groups go after the low-hanging fruit, she says, which means networks that didn’t have proper protection in place to guard against malware.
    • CommentTime: Sep 25th 2017
    • CommentTime: Sep 27th 2017
    Instead of a Password, This Security System Unlocks via Your Heartbeat.
    • CommentTime: Sep 27th 2017
    Hearts change all the time. Especially rate and rhythm. It's a very bizarre idea. And I have trouble getting my iPhone to read my fingerprints consistently. This heart thing should end up being a joy!
    • CommentTime: Sep 28th 2017
    Well fingers can be cut off.

    Irises can be photographed.

    Hearts might be recorded, same with voices; a combination of many might be useful but time-consuming.
    • CommentTime: Oct 4th 2017
    Former Equifax CEO blames breach on one IT employee.

    So he justified his massive salary by making ONE employee responsible and accountable for security and presumably upping profits by removing any expensive assurance activities. I've never heard such a fucking ignorant pile of shit spout even more shit.
    • CommentTime: Oct 4th 2017 edited
    Still, it appears the IRS think Equifax are the go-to-guys for some security issues!
    • CommentTime: Oct 6th 2017
    • CommentTime: Oct 10th 2017
    Posted By: Duracell
    Deloitte hit by cyber-attack revealing clients’ secret email

    Update: Deloitte hack hit server containing emails from across US government

    The hack into the accountancy giant Deloitte compromised a server that contained the emails of an estimated 350 clients, including four US government departments, the United Nations and some of the world’s biggest multinationals, the Guardian has been told.

    Sources with knowledge of the hack say the incident was potentially more widespread than Deloitte has been prepared to acknowledge and that the company cannot be 100% sure what was taken.

    Deloitte said it believed the hack had only “impacted” six clients, and that it was confident it knew where the hackers had been. It said it believed the attack on its systems, which began a year ago, was now over.

    However, sources who have spoken to the Guardian, on condition of anonymity, say the company red-flagged, and has been reviewing, a cache of emails and attachments that may have been compromised from a host of other entities.

    The Guardian has established that a host of clients had material that was made vulnerable by the hack, including:

    • The US departments of state, energy, homeland security and defence.

    • The US Postal Service.

    • The National Institutes of Health.

    • “Fannie Mae” and “Freddie Mac”, the housing giants that fund and guarantee mortgages in the US.

    Football’s world governing body, Fifa, had emails in the server that was breached, along with four global banks, three airlines, two multinational car manufacturers, energy giants and big pharmaceutical companies.

    The Guardian has been given the names of more than 30 blue-chip businesses whose data was vulnerable to attack, with sources saying the list “is far from exhaustive”.

    Deloitte did not deny any of these clients had information in the system that was the target of the hack, but it said none of the companies or government departments had been “impacted”. It said “the number of email messages targeted by the attacker was a small fraction of those stored on the platform”.

    This assurance has been contested by sources that spoke to the Guardian. They said Deloitte’s public position belied concern within the company about exactly what had happened and why.

    The Guardian first revealed the existence of the hack on 25 September.

    Since then, the Guardian has been provided with further details of the attack, which seems to have started in autumn last year at a time Deloitte was migrating and updating its email from an in-house system to Microsoft’s cloud-based Office 365 service.

    The work was being undertaken at Deloitte’s Hermitage office in Nashville, Tennessee.

    The hackers got into the system using an administrator’s account that, theoretically, gave them access to the entire email database, which included Deloitte’s US staff and their correspondence with clients.

    Deloitte realised it had a substantial problem in spring this year, when it retained the Washington-based law firm, Hogan Lovells, on “special assignment” to review and advise about what it called “a possible cybersecurity incident”.

    In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information.

    It is also thought that some emails had attachments with sensitive security and design details.

    Deloitte has insisted its internal inquiry, codenamed Windham, found that only six clients had information that had been compromised. The review had also been able to establish “precisely what information was at risk”, the company said.

    However, that analysis has been contested by informed sources that have spoken to the Guardian. They say the investigation has not been able to establish definitively when the hackers got in and where they went; nor can they be completely sure that the electronic trail they left is complete.

    “The hackers had free rein in the network for a long time and nobody knows the amount of the data taken,” said one source.

    “A large amount of data was extracted, not the small amount reported. The hacker accessed the entire email database.”

    Another source added: “There is an ongoing effort to determine the damage. There is a team looking at records that have been tagged for further analysis. It is all deeply embarrassing.”

    The Guardian has been told Deloitte did not at the time have multi-factor authentication as standard on the server that was breached. A cybersecurity specialist told the Guardian this was “astonishing”.

    The expert said the migration to the new email system would have “utterly complicated the kind of forensic investigation required to see what had happened”.

    “A hacker has got into Deloitte’s email system and been undetected for months, and only six clients have been compromised? That does not sound right. If the hackers had been in there that long, they would have covered their tracks.”

    When the Guardian put all these points to Deloitte, it declined to answer specific questions, but a spokesman said: “We dispute in the strongest terms that Deloitte is ‘downplaying’ the breach. We take any attack on our systems very seriously.

    “We are confident that we know what information was targeted and what the hacker actually did. Very few clients were impacted, although we want to stress that even when one client is impacted, that is one client too many.

    “We have concluded that the attacker is no longer in Deloitte’s systems and haven’t seen any signs of any subsequent activities.

    “Our review determined what the hacker actually did. The attacker accessed data from an email platform. The review of that platform is complete.”

    In recent months, Deloitte has introduced multi-factor authentication and encryption software to try to stop further hacks.

    Dmitri Sirota, co-founder and CEO of the cybersecurity firm BigID, warned that many companies had failed to use such methods because they were inconvenient and complex.

    “Privileged accounts are like keys that unlock everything, from the castle to the treasury. They provide unfettered access to all systems, which is why they are so valuable.

    “Organisations are monitoring databases, not the data in it. It’s hard to detect changes, prevent incidents or compare your data to notice breached information unless you have an inventory of what you have.”
    • CommentTime: Oct 12th 2017
    More Equifax.

    One tech ... Right.
    • CommentTime: Oct 16th 2017
    WPA2. Fuck.
    • CommentAuthor: Lakes
    • CommentTime: Oct 19th 2017
    VPN... VPN... VPNnnnnn all sing along now.
    • CommentTime: Oct 25th 2017