Malware discovered in CCleaner put millions of users at risk

Cesar Mills
September 19, 2017

The details are still being reconstructed, but it appears hackers compromised the server the CCleaner executable (i.e. the program you download) was stored on and put the malware over the top, sort of like somebody sneezing on your salad before handing it to you.

Research firm Cisco Talos discovered hackers had compromised the CCleaner software at some stage of development.

The security team's blog said the signed version of CCleaner 5.33 distributed by Avast contained a multi-stage malware payload.

Talos researcher Craig Williams said it was a sophisticated attack because it penetrated an established and trusted supplier in a manner similar to June's "NotPetya" attack on companies that downloaded infected Ukrainian accounting software.

The researchers caught the issue when they spotted a version of CCleaner making requests to communicate with suspicious website domains.

CCleaner, software that is created to speed up PC and smartphone performance by removing unneeded or unecessary files, is the latest victim of hackers hijacking legitimate software to spread malware and gain access to infected systems. When the Petya/NotPetya malware infected computers across Ukraine and the world in July, it was spread by an infected piece of software.

The company said it was working with U.S. law enforcement agencies to discover who was behind the incident.

"The compromise could cause the transmission of non-sensitive data...to a 3rd party computer server in the United States of America", the company said.

Armed LGBT student Scout Schultz shot dead by US police
Police said the shooting was prompted when Scout Schultz failed to comply with their repeated commands to drop the knife. William Schultz said his child was a great student with a 3.9 GPA and was on track to graduate early in December.

A awful accident in NY : three dead
A person answering the phone there declined to comment; there was no immediately response to an emailed comment request. The collision pushed the charter bus into a building wall. "Thank God none of us was there", he said.

Four Florida teams in AP Top 25 poll; Alabama firmly on top
Three Big Ten teams round out the top 10 - MI (3-0), Wisconsin (3-0) and Ohio State (2-1). The Crimson Tide claimed 59 of 65 first-place votes after handling Colorado State.

It gathers information like your IP address, computer name, a list of installed software on your computer, a list of active software and a list of network adapters and sends it to a third-party computer server.

"We confirmed that this malicious version of CCleaner was being hosted on CCleaner's download server as recently as September 11", it stated.

If your system used the compromised version of CCleaner it may actually be a smarter move to roll your system back to a date prior to the release of the versions containing the malicious code to make sure all elements of the bad code are gone.

Users of CCleaner Cloud have already received an automatic update that removes the threat.

Cisco Talos suspects the attack was possible thanks either to CCleaner's build environment being compromised or someone with inside access.

"Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process". According Cisco's analysis, the infected version of CCleaner was first released on August 15, meaning that users were potentially exposed to risk of infection from the backdoor for approximately one month.

Piriform hasn't said when or how the attacker inserted the malware. "We are working with USA law enforcement in their investigation", the company said.

Other reports by GizPress

Discuss This Article

FOLLOW OUR NEWSPAPER