According to its parent company Avast, more than 130 million people use the performance optimization software CCleaner. And today all of those people need to be sure they’ve installed the latest update because some nasty malware has managed to make it into one of the builds.
Piriform’s CCleaner was purchased by the popular anti-virus developer Avast back in July and, according to researchers at Cisco Talos, hackers were able to compromise the software just a month later. The Talos team noticed on September 13th that the installer for CCleaner v5.33 was triggering its malware protection systems. Upon inspection, the researchers found that the CCleaner application was legitimate and had a valid digital signature from its makers, but it also contained a malicious payload.
In a blog post published Monday, Talos’ researchers compared the malware packaged with CCleaner to the NotPetya ransomware that caused global havoc back in June. The payload contained a Domain Generation Algorithm and Command and Control functionality that could be used to send encrypted information about the computer back to a server controlled by the hackers. It appears to have the ability to download and run other binaries through a backdoor but the software’s maker claims that in its review it has “not detected an execution of the second stage payload and believe that its activation is highly unlikely.” In other words, the people behind CCleaner don’t think any of the 2.27 million people who downloaded and ran the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud have actually been harmed by this malware.
Piriform’s Paul Yung explains:
At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing ...
Again, we would like to apologize for any inconvenience this incident could have caused to our clients; we are taking detailed steps internally so that this does not happen again, and to ensure your security while using any of our Piriform products. Users of our cloud version have received an automated update. For all other users, if you have not already done so, we encourage you to update your CCleaner software to version 5.34 or higher, the latest version is available for download here.
The Talos team claims that its likely an external attacker was able to compromise CCleaner’s build environment or that an insider at Piriform was responsible. No malicious software has been found in CCleaner 5.34, which was released on September 13th. The malware was only present in the build that was released on August 15th (which has now been removed from the company’s download page). Anyone using the free version of CCleaner needs to manually download and update their software immediately.