CCleaner, one of PCWorld’s recommendations for the best free software for new PCs, with more than 2 billion downloads worldwide, is used by many Windows, Mac and Android users looking to keep their devices running as fast as possible. Unfortunately for them, it appears the program may not have been keeping their PCs so clean after all. Hackers sneaked their own code into a recent build of CCleaner for Windows in an attempt to steal data and possibly infect users’ systems with even more malicious applications.
On Sept. 13th, Cisco Talos discovered that the official downloads of the free versions of CCleaner 5.33 and CCleaner Cloud 1.07.3191, the popular optimization and scrubbing software, had a malicious bit of code injected by hackers that could have affected more than 2 million users who downloaded the most recent update. This means that a hacker infiltrated Avast-owned Piriform’s official build process somewhere in development to plant malware designed to steal users’ data.
Cisco Talos also suspects that the attackers may have “compromised a portion of (CCleaner’s) development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization.” As such, customers’ personal information was not at risk.
An Avast spokeswoman said that 2.27 million users had downloaded the infected version of CCleaner, and that 5,000 installations of CCleaner Cloud had received the tainted update to that software.
The malware was also programmed to collect a range of user data, including:
- Name of the computer
- List of installed software, including Windows updates
- List of running processes
- MAC addresses of the first three network adapters
- Additional information, such as whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
Though it in no way alleviates the blunder, the app maker says all stolen data was encrypted and unlikely to be accessed.
Avast chief technical officer Ondrej Vlcek said:
“2.27 million is certainly a large number, so we’re not downplaying it in any way. It’s a serious incident. But based on all the knowledge, we don’t think there’s any reason for users to panic. To the best of our knowledge, the second-stage payload never activated… It was prep for something bigger, but it was stopped before the attacker got the chance.”
Moreover, the unknown hackers signed the malicious installation executable (v5.33) with a valid digital signature issued to Piriform by Symantec, and used a Domain Generation Algorithm (DGA) so that if the attackers’ server went down, the DGA could generate new domains to receive and send the stolen information.
“All of the collected information was encrypted and encoded by base64 with a custom alphabet,” says Paul Yung, V.P. of Products at Piriform. “The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via an HTTPS POST request.”
How to Remove Malware From Your PC
If you’re on version 5.33 of CCleaner (the version number is shown in the top left corner of its interface), your best bet may be to roll back your Windows system to a snapshot from before Aug. 15, as your system may have been compromised since then. At the very least, make sure your own anti-virus software is up to date.
Piriform estimated that up to 3 percent of its users (up to 2.27 million people) were affected by the malicious installation.
If you are affected, we strongly recommend updating your CCleaner software to version 5.34 or higher to protect your computer from being compromised. The latest safe version is available for download from Piriform’s official website.
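For administrators who manage more than one machine, the version check above can be run over a software inventory. The script below is an added example (not Piriform’s or Cisco Talos’s code); the inventory rows and hostnames are constructed, and only the affected versions and the “5.34 or higher” threshold come from this article.

```python
"""Triage a software inventory for the affected CCleaner builds.

Added example, not vendor code. Affected versions (CCleaner 5.33,
CCleaner Cloud 1.07.3191) and the "5.34 or higher is safe" threshold
are taken from the article; everything else is constructed sample data.
"""
from typing import List, Tuple

# Builds the article names as carrying the injected code. A build number
# after the listed components (e.g. "5.33.xxxx") still counts as affected.
AFFECTED = {"CCleaner": "5.33", "CCleaner Cloud": "1.07.3191"}
# First CCleaner version the article describes as safe to update to.
SAFE_FROM = {"CCleaner": "5.34"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.33' or '1.07.3191' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(product: str, version: str) -> str:
    """Return 'affected', 'safe' or 'unknown' for one inventory row."""
    if product not in AFFECTED:
        return "unknown"
    installed = parse_version(version)
    bad = parse_version(AFFECTED[product])
    if installed[: len(bad)] == bad:          # prefix match on the bad build
        return "affected"
    if product in SAFE_FROM and installed >= parse_version(SAFE_FROM[product]):
        return "safe"
    return "unknown"                           # older builds: not covered here


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, product) pairs whose installed build is affected."""
    return [(host, product) for host, product, version in inventory
            if classify(product, version) == "affected"]


# Constructed sample inventory: (hostname, product, version string).
SAMPLE_INVENTORY = [
    ("ws-001", "CCleaner", "5.33"),
    ("ws-002", "CCleaner", "5.34"),
    ("ws-003", "CCleaner Cloud", "1.07.3191"),
    ("ws-004", "CCleaner", "5.32"),
]

if __name__ == "__main__":
    for host, product in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} build is affected; roll back or reinstall")
```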