CCleaner Hacked With Data-Stealing Malware: What to Do Now

CCleaner Hacked With Data-Stealing Malware: What to Do Now

by HENRY T. CASEY Sep 18, 2017, 5:42 AM
CCleaner, a system-optimization tool with more than 2 billion downloads worldwide, is used by many Windows, Mac and Android users who want looking to keep their devices running as fast as possible. Unfortunately for them, it appears that hackers decided to sneak their own code into a recent build of CCleaner for Windows in an attempt to steal data and possibly infect users' systems with even more malicious applications.

The attack took place by piggy-backing onto CCleaner by infiltrating the servers that distribute the software, infecting version 5.33 of the Windows utility and version 1.07 of its cloud-based sister application. Those servers belonged to Piriform, the London company that created CCleaner. In July of this year, Piriform was acquired by the Prague-based antivirus maker Avast.

If you've updated CCleaner since Aug. 15 and you're running 32-bit Windows, you may be infected. You should roll back to a pre-Aug. 15 snapshot of your system, or run a malware scan. Following either (or both) of those steps, visit Piriform's site to download and install the latest, clean version of CCleaner.

A report on this attack from technology company Cisco's Talos Intelligence blog notes that infected versions of CCleaner were observed "as recently as September 11," and that they alerted Avast of the issue on September 13. Before that, though, Piriform already knew something fishy was going on.

In a blog post from Paul Yung, VP of Products for Piriform, the exec noted that his company saw suspicious activity from "unknown IP address receiving data from software found in version 5.33.6162 of CCleaner" on Sept. 12, which led to Piriform taking the server down. This data transfer from CCleaner appeared to be the malware, identified as Floxif, phoning home to its command-and-control servers.

The infected version of CCleaner, 5.33 for Windows, was made available for download on Aug. 15, and its cleaned version, version 5.34, on Sept. 12. The infected version of CCleaner Cloud was made available on Aug. 24, and a clean version on Sept. 15. The Mac and Android versions of CCleaner do not appear to have been affected.

An Avast spokeswoman told Reuters that 2.27 million users had downloaded the infected version of CCleaner, and that 5,000 installations of CCleaner Cloud had received the tainted update to that software.

If you're on version 5.33 of CCleaner, which states its version number in its top left corner of its interface, your best bet may be to roll back your Windows system to a snapshot from before Aug. 15, as your system may have been compromised since then. At the very least, make sure your own anti-virus software is up to date.

Those without the option to restore a backup should check if their CCleaner is 5.33. Yung notes that that Piriform is updating all versions of its software up to non-malicious versions, but users can download a new copy here.

While CCleaner is a very popular application, claiming 5 million downloads per week, this infected version would not have hit all of those users. The free version of CCleaner must be manually updated. However, CCleaner is also built into some versions of Avast antivirus software, in which it is automatically updated. CCleaner Cloud is also automatically updated.

Cases such as this, where system-optimization or anti-virus software is infected by malware, are especially dangerous, as those programs take deep-level system privileges, and can do more damage than almost any other software. Even more importantly, the hacked version of CCleaner was signed with a legitimate copy of Piriform's developer certificate, which shouldn't have been available to the miscreants involved.

Fortunately, the impact of this affected version of CCleaner may be mitigated by more than its lack of automatic updates. The Floxif malware appears to infect only 32-bit Windows systems, and most PCs sold in the last 5 years run 64-bit Windows.

As to who is behind this attack and how they infected the official versions of CCleaner, Talos hasn't released anything yet, and Yung isn't providing any other details.


Popular posts from this blog

Report: World’s 1st remote brain surgery via 5G network performed in China

BMW traps alleged thief by remotely locking him in car

Visualizing The Power Of The World's Supercomputers