Home / Tech News / Featured Tech News / Compromised CCleaner software leaves millions with malware

Compromised CCleaner software leaves millions with malware

Avast owned CCleaner hasn’t been clean itself for the past month, with hackers piggybacking malware on the software for at least a month. As the maintenance tool is free, its downloads are well into the millions meaning up to 3.9 million users could be affected.

Researchers at Cisco’s Talos Intelligence Group determined that the attack occurred between 15th August until 12th September, affecting versions CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191. The popularity of the application resulted in the researchers’ decision to move quickly on the matter, prompting developers Piriform to release a stable version of CCleaner 5.34 and automatically updating the Cloud server.

The researchers found a “Domain Generation Algorithm (DGA) attached to the executable, as well as a hardcoded Command and Control (C2) functionality.” This gave the attackers capability to harvest data from infected machines such as the computer name, IP address and lists of installed and active software. This is luckily described as “non-sensitive” by Piriform, while there are “no indications that any other data has been sent to the server.”

Curiously, the file was still digitally signed using a valid certificate by the developer, prompting Cisco’s Talos researchers to conclude that “it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization.”

Alternatively, “It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code,” the researchers added.

In a statement to Techcrunch, an Avast spokesperson stated that an estimated “2.27 million users had the affected software installed on 32-bit Windows machines,” which could be pushed up to 3.9 million with Piriform's statement that the affected software could have been “used by up to 3% of [its] users”. Avast now believes that “these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.”

Nevertheless, Cisco’s Talos recommends to restore affected systems to a state before 15th August 2017 or reinstall the system altogether.

KitGuru Says: Although played down a bit regarding non-sensitive information, backdoor access in any software that potentially allows for outside control is serious business. Just the thought of it has me tempted to run a full reinstall despite not touching the software in a long while. Always proceed with caution when downloading free software, even when the source is reputable but rest assured that Avast is doing its best to control damages and protect customers.

Become a Patron!

Check Also

Blizzard unveils Warcraft 1&2 Remastered and major Warcraft 3 patch

The classic Warcraft RTS trilogy is now fully playable in remastered form, with Blizzard surprisingly dropping remasters for Warcraft 1&2 this week.

2 comments

  1. 2.27M users had the affected software installed on 32bit Machines.

    Some people are seriously limiting their machines, or are severely limited by how old their machine is… or just stubborn lol

  2. A lot of the time most people don’t even know which version of Windows is installed on their computers let alone whether it’s 32 or 64 bit. A lot of the OEM’s would install 32 bit Windows on the machines even if they had 4GB ram installed which would limit the installed memory to 3GB leaving 1GB unusable which made no sense at all. lol