Hidden malware in CCleaner infecting 2.27M users

More than 130 million people use the performance optimization software CCleaner. Today all of those people need to make sure they have installed the latest update, because malware has made its way into one of the builds. That is according to its parent company, Avast (NASDAQ:AVST).

Users of a free software tool designed to optimize system performance on Windows PCs and Android mobile devices got an unpleasant shock this morning when Piriform, the company that makes CCleaner, announced in a blog post that certain versions of the software had been compromised by hackers and that malicious, data-harvesting software had been carried along with its installer program.

The affected versions identified so far are CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191.

The malware, which was distributed through the update server for the Windows cleanup utility CCleaner, was apparently inserted by a hacker who compromised the software “supply chain” of Piriform, which was acquired by Avast in July.

CCleaner has 2 billion downloads worldwide, so the potential impact of the malware is huge.

The company advises users to download version 5.34 or higher.
The Talos team noticed on September 13th that the installer for CCleaner v5.33 was triggering its malware protection systems.

Some users' systems may still be compromised. Piriform says it’s moving all users of CCleaner to the latest version of the software, while noting that users of CCleaner Cloud will have been updated automatically.

The malware was apparently capable of harvesting various types of data from infected machines. Piriform specifically listed the computer name, IP address, list of installed software, list of active software and list of network adapters (data it describes as “non-sensitive”), which the malware transmitted to a third-party computer server located in the US.

“We have no indications that any other data has been sent to the server,” it wrote.

Piriform added: “Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done. It would have been an impediment to the law enforcement agency’s investigation to have gone public with this before the server was disabled and we completed our initial assessment.”

“We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm,” a spokeswoman for security giant Avast, which acquired the UK-based company back in July, told us.

She added: “We estimate that 2.27 million users had the affected software installed on 32-bit Windows machines.”

CCleaner had 130 million users, including 15M on Android, at the time of the acquisition. The large number of users of this software is the only concern.

According to an Avast spokesman, no one using the tool on Android devices was affected.

Piriform’s VP of products has gone into some technical detail regarding the hack, writing: “An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.”

The company noted suspicious activity on September 12, 2017, stating that “the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public.”

No malicious software has been found in CCleaner 5.34, which was released on September 13th.

Even so, some Windows users of CCleaner could have had their machines compromised for more than a month, because the affected versions of the tool were released on August 15 and August 24 respectively.

“These versions may have been used by up to 3% of our users,” Piriform added, which would push the pool of affected users as high as 3.9M.

For the average internet user, that information is hardly accessible or transparent. Ultimately, the responsibility for protecting those users from the growing rash of supply-chain attacks will have to move up the supply chain too, to the companies whose own vulnerabilities have been passed down to their trusting customers.

Avast’s CTO Ondrej Vlcek declined to theorize on the hackers’ intentions for the data being harvested by the malware, saying he could not comment on account of a law enforcement investigation currently underway.

Asked what additional measures it’s taking to guard against a similar future attack, Vlcek told us: “We are making sure the problem doesn’t happen again by moving the entire Piriform product build environment to a more robust, secure infrastructure provided by Avast.”

