Piriform Alerts Users That CCleaner Contained Malware

Piriform’s CCleaner, a free PC cleaning app with 130 million users around the world, has been discovered to contain malware.

Researchers at Cisco Talos recently announced that CCleaner contains a backdoor that was inserted by hackers. The backdoor was present in two versions of the application – the 32-bit version of CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191.

The backdoor was inserted into those versions at least a month before it was discovered, giving the hackers behind the malware plenty of time to gather information on compromised computers, of which there are many. An estimated 2.27 million users have downloaded the infected version of the application, according to Avast, which purchased Piriform this summer. Initially it was thought that as many as 3% of users may have been affected – approximately 3.9 million devices. As of yesterday, there were still 730,000 users that had not yet updated to the latest version of the software.

The backdoor was inserted into the CCleaner binary and was hosted on the company’s server. It is unclear whether the malware was inserted by an insider or whether an external attacker compromised the build or development environment. An investigation into the incident is ongoing and law enforcement are involved.

According to a recent blog post from Piriform, the malware was capable of gathering information such as a user’s IP address, active software installed on the infected device, and a list of network adaptors. That information was exfiltrated to a third-party server in the United States. Piriform notes that this was a two-stage backdoor that was also capable of running code from a remote IP address.

Piriform acted quickly once it was alerted to the presence of malware and released a new version of CCleaner; however, an immediate security alert was not issued about the backdoor as the company was working with law enforcement and did not want to alert the attackers that the malware had been discovered. The malware-infected version was released on August 15, 2017 and the infected version was removed on September 15, 2017.

All users of the application should upgrade to version 5.34 or higher. Users of CCleaner Cloud are already protected as the software is updated automatically. The malware did not affect the Android CCleaner app.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news