CCleaner Confirms Hacked Build with Malware Used by up to 2.27 Million Users
On September 18th, 2017, Cisco’s Talos announced that CCleaner, a popular utility with billions of worldwide users, had been compromised by hackers, and was used to unwittingly distribute hidden malware in its installer. Later in the day, Piriform, the publisher of CCleaner, confirmed the problem.
Undetected by all but 1 major antivirus including CCleaner’s own parent company, this occurred for over a month and impacted over 2.7 million users. Users of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows are affected. These downloads were live on CCleaner’s official site from August 15th to September 12th, 2017. Anyone who downloaded the program during this time could be affected.
The company claims that while the hackers set up the backdoor and many users were impacted, that the perpetrators have been arrested and that the malware never successfully performed its full task and compromised user’s PCs or sent out their data; in the wake of recent security breaches such as Equifax, users are understandably worried. Given the severity of the threat of hacking and data theft, users should take action immediately if they have CCleaner.
Technical Details of CCleaner Malware Injection
First reported by Talos, the malware, which was hidden in the CCleaner installer without the publisher noticing (despite them being owned by Avast, a massive Anti-virus company), modified a core program DLL file to evade detection, and creates several registry keys. Not only were these files not flagged by any major Anti-Virus, but they were also even digitally signed by Piriform via their Symantec certificate, meaning your PC and security program would likely whitelist and trust the malicious installer. The malware gathers personal information on a user’s PC, including IP address and running programs, and sends it to a remote server. In our testing, the program sent data to IP 220.127.116.11.
Restore Your PC (If Possible)
As of the publication of this article, there have been no assurances given that updating or even uninstalling CCleaner will remove the malware is installed. The only action thus far has been shutting down the remote server where user data was being sent has been shut down by authorities. For this reason, it is best to remove the underlying malware separately, as its presence represents a serious security threat. Unfortunately, as this could have been installed as far back as August 15th, 2017, your System Restore points may not go back that far, or even if they do, restoring to such an outdated point may cause unintended problems with other programs you use and potentially lost files and data. Manually backing up files and doing a full format or clean Windows installation would likely be successful in fully removing the malware, but is extremely time-consuming and can be difficult for many PC users. Unfortunately, this makes a PC Restore or format an unattainable option for many.
Update CCleaner to the Latest Version
While CCleaner has told users to update to the latest version of the program. Prior to doing so, we recommend fully uninstall CCleaner, ensuring you check its program files folders and registry keys, manually deleting any remnants, and then re-downloading the latest version from the official site and reinstalling clean.