CCleaner compromised by malware infection

Posted September 19, 2017

Piriform have advised users who have installed CCleaner v5.33.6162 or CCleaner Cloud v1.07.3191 on their system to delete them and update their CCleaner software to version 5.34 or higher.

Researchers at Talos, Cisco's threat intelligence team, said they discovered the malware after observing that data from CCleaner was being sent to an unknown IP address.

It appears that, in this instance, the malicious payload was only successfully delivered to a small minority of users, specifically those running 32-bit Windows PCs.

Users of a free software tool created to optimize system performance on Windows PCs and Android mobile devices got a nasty shock this morning when Piriform, the company which makes the CCleaner tool, revealed in a blog post that certain versions of the software had been compromised by hackers - and that malicious, data-harvesting software had piggybacked on its installer program.

A popular PC maintenance application distributed malicious code for a period of almost one month after hackers apparently accessed the company's servers, according to both the firm and independent security researchers.

While Avast and Piriform are not speculating on how long the attackers might have been in the CCleaner servers, Cisco's Talos research group has made its own observations. Though Piriform's disclosure only mentioned Avast Threat Labs as helping in the analysis, Cisco Talos claims that it reported the security issue to Avast on September 13.

Talos researcher Craig Williams said it was a sophisticated attack - saying that the optimisation software had a proper digital certificate, which means that other computers automatically trust the program.

CCleaner is supposed to block malware, not grant access to it.

Other factors limiting the potential impact were the fact that the malware was only bundled with the 32-bit version of the software, as well as the malware only activating on Windows accounts with administrator privileges.


"With supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer", the Talos researchers noted.

Inside Job or Outside Hack?

"Piriform believes that these users are safe now as its investigation indicates it was able to disarm the threat before it was able to do any harm", an Avast spokesperson said.

Separate analysis by Cisco's Talos security group suggests whoever was behind the attack on CCleaner had managed to get access to the server Piriform used to host new versions of the software.

The latest security breach targeted British software firm Piriform, known for its free software CCleaner. So if you didn't download those versions, or downloaded it before or after that time frame, you should be fine. If you use CCleaner, here's what you need to know.

But then CCleaner was compromised by hackers, and you learned that by installing it, you may have actually loaded malware onto your computer.

In a separate post, Talos reports: "In analyzing DNS-based telemetry data related to this attack, Talos identified a significant number of systems making DNS requests attempting to resolve the domains associated with the aforementioned DGA domains".
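Talos describes finding affected systems in DNS telemetry by looking for lookups of the campaign's DGA domains. The Python below is an added illustration of that kind of telemetry triage, not Talos's tooling: it uses constructed log lines rather than real indicators, and it substitutes a label-entropy heuristic for the known domain list Talos matched against, flagging only hosts that repeatedly fail to resolve algorithmic-looking names.

```python
import math
from collections import defaultdict

# Constructed sample DNS telemetry: "client_ip queried_domain response_code".
# None of these domains are real indicators from the CCleaner incident.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 downloadcenter.example.net NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.7 www.example.com NOERROR
10.0.0.7 qk3zx8bw2plvd.com NXDOMAIN
10.0.0.7 m7tp4yhc9rwae.net NXDOMAIN
10.0.0.7 z2vjn6qd8kxfs.com NXDOMAIN
10.0.0.7 b5hwt3lmq9rcu.org NXDOMAIN
10.0.0.9 typoinhostnamex.com NXDOMAIN
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_algorithmic(domain: str, min_len: int = 10, min_entropy: float = 3.0) -> bool:
    """Heuristic (an assumption, not Talos's method): long, high-entropy leftmost label.
    Ordinary English words can score above 3.0 bits, so this is never used alone."""
    label = domain.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_dns_log(text: str) -> list:
    """Parse the three-column constructed format into (host, domain, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            host, domain, rcode = line.split()
            records.append((host, domain.lower(), rcode))
    return records


def flag_hosts(records: list, min_hits: int = 3) -> dict:
    """Hosts with at least min_hits failed (NXDOMAIN) lookups of DGA-looking names.
    Requiring both the failure and the entropy score keeps benign long hostnames out."""
    hits = defaultdict(int)
    for host, domain, rcode in records:
        if rcode == "NXDOMAIN" and looks_algorithmic(domain):
            hits[host] += 1
    return {host: n for host, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for host, n in flag_hosts(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{host}: {n} suspicious NXDOMAIN lookups")
```

A single odd-looking failed lookup (10.0.0.9 above) stays below the threshold; a host cycling through several such names is what a DGA client looks like in the telemetry.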

This malware was programmed to collect data from the computer.

CCleaner is a tool for cleaning up a system and optimizing its performance.

Yung said the company could not yet confirm how the malicious code had appeared in the software, but an investigation was "ongoing".