CCleaner Malware Incident - What You Need to Know and How to Remove

Gladys Abbott
September 19, 2017

On September 13, Talos was conducting some beta testing for its new exploit detection technology when it noticed that CCleaner 5.33 (the latest version at the time) was being flagged by the new software.

That version of CCleaner tried to connect to several unregistered web domains, presumably to download other programmes.

A department of the National Police of Ukraine has warned that one of the updates of the popular program "CCleaner", a tool created to help users carry out routine maintenance of their systems, was infected with malicious software.

Security researchers have urged users of a hugely popular performance optimization tool to upgrade to the latest version, after discovering a sophisticated supply chain attack which inserted malware into the software.

Piriform's Paul Yung said: "We would like to apologise for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191". This modified version was available to users for around a month, however, to Piriform's knowledge, it was able to disarm the security threat before it was able to do any harm.

The malware, Floxif, also only targeted "admin" level accounts on computers, so if you have a separate account for your elderly grandmother who downloads everything, it likely never kicked in.

The versions that were affected are CCleaner v5.33.6162 or CCleaner Cloud v1.07.3191 for 32-bit Windows PCs.


Cisco Talos said the attack affected CCleaner version 5.33, which was released on August 15. "For all other users, if you have not already done so, we encourage you to update your CCleaner software to version 5.34 or higher".
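The practical question for anyone reading this is whether the build on a given PC is one of the two named above. The following PowerShell inventory check is an added example and is not code from this article, from Piriform, Avast or Cisco Talos; it takes only the affected version numbers and the "update to 5.34 or higher" advice from the text. Everything else is an assumption: it reads the standard Windows uninstall registry hives (both the native hive and WOW6432Node, because the affected builds are 32-bit), and the install path used for the signature check is the usual default, not something the article states.

```powershell
# Added example: inventory check for the CCleaner builds named in the article.
# Assumptions (not from the article): the standard Windows uninstall registry
# hives and the default install path used below. Run from an elevated prompt.

# Affected builds as stated in the article; 5.34 or later is the fixed desktop release.
$AffectedVersions = @{
    'CCleaner'       = [version]'5.33.6162'
    'CCleaner Cloud' = [version]'1.07.3191'
}

# 64-bit Windows keeps 32-bit application entries under WOW6432Node, so check both hives.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Return every installed product whose display name starts with "CCleaner".
function Get-CCleanerInstalls {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

# True only for an exact match on one of the two affected build numbers.
function Test-AffectedBuild {
    param([string]$Name, [string]$DisplayVersion)
    $installed = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$installed)) { return $false }
    foreach ($product in $AffectedVersions.Keys) {
        if ($Name -like "$product*" -and $installed -eq $AffectedVersions[$product]) {
            return $true
        }
    }
    return $false
}

foreach ($app in Get-CCleanerInstalls) {
    if (Test-AffectedBuild $app.DisplayName $app.DisplayVersion) {
        $status = 'AFFECTED - update to 5.34 or higher'
    } else {
        $status = 'not one of the affected builds'
    }
    '{0} {1}: {2}' -f $app.DisplayName, $app.DisplayVersion, $status
}

# The trojanised build was signed with a valid certificate, so a "Valid" status
# here is NOT evidence that the binary is clean; the version number is what counts.
$ExePath = 'C:\Program Files\CCleaner\CCleaner.exe'   # assumed default install path
if (Test-Path $ExePath) {
    $sig     = Get-AuthenticodeSignature -FilePath $ExePath
    $fileVer = (Get-Item $ExePath).VersionInfo.ProductVersion
    'Binary version {0}: signature {1}, signer {2}' -f $fileVer, $sig.Status, $sig.SignerCertificate.Subject
}
```

The signature block is there to make the article's last point concrete: on an affected machine this reports a valid signature from the legitimate publisher, which is exactly why a signature check alone would not have caught the problem. Treat a match on the version number, not the signature status, as the trigger to update and to review the machine for any second-stage activity.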

Attackers could use infected machines "for any number of malicious purposes" as there are capabilities in the malware to download and run second-stage payloads; possibly to steal personal and financial information. This came after security researchers at Cisco Systems Inc and Morphisec Ltd alerted Piriform's parent Avast Software of the hack last week.

But then CCleaner was compromised by hackers, and you learned that by installing it, you may have actually loaded malware onto your computer.

Piriform's owner, Avast, said it had managed to remove the compromised version before any harm had been done. Piriform did not immediately respond to a request for comment on the attack's distribution and where most affected systems were located. "The investigation is still ongoing", Piriform's Yung said.

"At this stage, we don't want to speculate how the unauthorised code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it", Piriform wrote on its blog.

Far from being a fake CCleaner app, the version spotted by Cisco was the legitimate build, signed with a valid digital certificate.
