Malware discovered in CCleaner put millions of users at risk

Cesar Mills
September 19, 2017

The details are still being reconstructed. What is known is that the tampered installer (the program you download) carried a valid digital signature, so Cisco Talos suspects the attackers got into Piriform's build process or had inside access, rather than simply overwriting the file on a download server after the fact.

Research firm Cisco Talos discovered hackers had compromised the CCleaner software at some stage of development.

The security team's blog said the signed version of CCleaner 5.33 distributed by Avast contained a multi-stage malware payload.

Talos researcher Craig Williams said it was a sophisticated attack because it penetrated an established and trusted supplier in a manner similar to June's "NotPetya" attack on companies that downloaded infected Ukrainian accounting software.

The researchers caught the issue when they spotted a legitimately signed version of CCleaner making requests to suspicious domains.
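The detection described above can be operationalised as a simple baseline check: a signed updater such as CCleaner should only ever talk to its vendor's domains, so any lookup outside that set, especially one with a machine-generated-looking name or an NXDOMAIN answer, is worth an alert. The following is an added example, not code from the article or from Cisco Talos; the log lines, the process name, the baseline domains and the lookalike command-and-control names are all constructed for illustration (the real domains are not reproduced here).

```python
"""Flag DNS lookups by a trusted, signed application to domains outside its
known-good baseline. Added example; log format, baseline and domains are
constructed assumptions, not data from the CCleaner incident."""
import math
import re
from collections import Counter

# Constructed DNS log lines: "<timestamp> <host> <process> <query> <rcode>".
SAMPLE_LOG = """\
2017-09-12T08:01:02Z pc-17 CCleaner.exe ccleaner.com NOERROR
2017-09-12T08:01:03Z pc-17 CCleaner.exe piriform.com NOERROR
2017-09-12T08:01:09Z pc-17 CCleaner.exe ab7ec4d1f2b30c.com NXDOMAIN
2017-09-12T08:01:10Z pc-17 CCleaner.exe 9f1e0c3b7a2d84.com NXDOMAIN
2017-09-12T08:01:11Z pc-17 CCleaner.exe example-update-cdn.net NOERROR
2017-09-12T08:02:00Z pc-17 chrome.exe www.wikipedia.org NOERROR
"""

# Expected destinations per monitored process (constructed; in practice this
# is built from historical telemetry of builds known to be clean).
BASELINE = {
    "CCleaner.exe": {"ccleaner.com", "piriform.com"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, qname, rcode = m.groups()
    return {"ts": ts, "host": host, "proc": proc, "qname": qname, "rcode": rcode}


def registered_domain(qname):
    """Naive last-two-label cut (no public-suffix list); fine for the sample."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def label_entropy(label):
    """Shannon entropy (bits per character) of a DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname):
    """Heuristic: long hex-only or high-entropy first labels resemble
    algorithmically generated names rather than human-chosen hostnames."""
    label = qname.lower().split(".")[0]
    hexlike = re.fullmatch(r"[0-9a-f]{12,}", label) is not None
    return hexlike or (len(label) >= 12 and label_entropy(label) > 3.8)


def detect(log_text, baseline=BASELINE):
    """Return (process, query, reasons) for every off-baseline lookup made by
    a monitored process. Unmonitored processes are ignored."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proc"] not in baseline:
            continue
        if registered_domain(rec["qname"]) in baseline[rec["proc"]]:
            continue
        reasons = ["off-baseline destination"]
        if looks_generated(rec["qname"]):
            reasons.append("generated-looking label")
        if rec["rcode"] == "NXDOMAIN":
            reasons.append("NXDOMAIN")
        alerts.append((rec["proc"], rec["qname"], tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for proc, qname, reasons in detect(SAMPLE_LOG):
        print(f"ALERT {proc} -> {qname}: {', '.join(reasons)}")
```

The point of the baseline approach is that it does not depend on knowing the attacker's infrastructure in advance: a binary that passes signature checks still has to reach out somewhere, and an updater contacting anything other than its vendor is the signal. The third alert in the sample (a plausible-looking CDN name) shows why the entropy heuristic is only a secondary indicator; the off-baseline destination alone is enough to escalate.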

CCleaner, a utility that speeds up PC and smartphone performance by removing unneeded files, is the latest victim of hackers hijacking legitimate software to spread malware and gain access to infected systems. When the Petya/NotPetya malware infected computers across Ukraine and the world in June, it was spread through a compromised update of a legitimate piece of software.

Piriform, CCleaner's developer, said it was working with U.S. law enforcement agencies to discover who was behind the incident.

"The compromise could cause the transmission of non-sensitive data to a 3rd party computer server in the United States of America", the company said.


The payload gathers information such as the IP address, computer name, a list of installed software, a list of running software and a list of network adapters, and sends it to a third-party server.

"We confirmed that this malicious version of CCleaner was being hosted on CCleaner's download server as recently as September 11", Talos stated.

If your system ran the compromised version of CCleaner, simply updating may not be enough: the safer move is to restore the machine from a backup or image taken before the compromised builds were released, so that every component of the malicious code is gone.

Users of CCleaner Cloud have already received an automatic update that removes the threat.

Cisco Talos suspects the attack was possible either through a compromise of CCleaner's build environment or through someone with inside access.

Piriform stated: "Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud were illegally modified before they were released to the public, and we started an investigation process". According to Cisco's analysis, the infected version of CCleaner was first released on August 15, meaning that users were potentially exposed to the backdoor for approximately one month.

Piriform hasn't said when or how the attacker inserted the malware. "We are working with USA law enforcement in their investigation", the company said.
