CCleaner hacked to include malware in recent update


TechViews News

CCleaner is a popular Windows utility used by many millions of internet users to remove cookies, wipe browsing histories, and clean up temporary internet files where malware might be lurking.

If you downloaded or updated the CCleaner application on your computer between August 15 and September 12 of this year from its official website, pay attention: the copy you installed may have been the trojanized build, and your computer may have been compromised.

The scale of the potential threat should not be underestimated. Last year CCleaner, whose maker Piriform was recently bought by Avast, was boasting that it had been downloaded over two billion times in total and was gaining five million additional users per week.

Security researchers from Cisco Talos discovered that the CCleaner installer served from Avast's official download servers was a trojanized build: unknown attackers had inserted malicious code into the software before it was released (see the Talos assessment of how that happened below), and the official site distributed it to millions of users for around a month.

Detected on 13 September, the malicious version of CCleaner contains a multi-stage malware payload that collects data from infected computers and sends it to the attackers' remote command-and-control servers.

As a security notification on CCleaner’s support forum explains, CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were compromised.

Once in place, the malware would wait five minutes, check whether the user had admin privileges, and then harvest information from the PC: the computer's name, a list of installed software and Windows updates, running processes, the MAC addresses of network adapters, and additional system details.

Cisco Talos researchers warn that “…it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.”

Cisco Talos researchers immediately informed Avast of the problem, and the offending versions of the CCleaner installer containing the malicious payload are no longer available from the CCleaner download website. Law enforcement agencies have also been informed, and the third-party server that was set up to receive the stolen data has been taken down.

It goes without saying that anyone still using version 5.33 of CCleaner needs to update to the (safe) version 5.34 as soon as possible. This message especially needs to reach users of the free edition of CCleaner, which does not feature automatic updates and requires them to download updates manually. (Of course, the lack of automatic updates in the free edition may actually have reduced the total number of users exposed to the compromised version.)

It's worth pointing out that you may want to go one step further than just installing a fixed version of CCleaner. After all, if you ran version 5.33 your PC may have been compromised, and updating the utility does not undo whatever the payload already did. It might be sensible to restore your computer from a backup created before you installed the poisoned version.

Affected users are strongly recommended to update their CCleaner software to version 5.34 or higher. An alternative is to completely uninstall the affected version and reinstall the new version in its place. Either way, check the installed version first rather than assuming an update has already happened, since the free edition will not have updated itself.
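The following PowerShell script is an added example written for this page; it is not code from TechViews, Piriform or Avast. It checks a Windows machine for the two builds the article names as trojanized (CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) by reading the Windows Uninstall registry keys and the version stamped on the installed binary, so you do not have to rely on the program's own "check for updates" dialog. The install paths, the assumption that CCleaner registers an Uninstall entry whose DisplayName starts with "CCleaner", and the file-version format it normalises are assumptions, not facts from the article.

```powershell
# Added example, not from the article or from Piriform/Avast.
# Flags the builds named in the article as trojanized:
#   CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191.
# Assumptions: CCleaner registers under the standard Uninstall keys with a
# DisplayName beginning "CCleaner", and the desktop binary lives in
# "<Program Files>\CCleaner\CCleaner.exe". Adjust the paths if yours differ.
# Run from an elevated PowerShell prompt so both registry views are readable.

$BadVersions = @('5.33.6162', '1.07.3191')

# Normalise a version string from the registry or a PE header by keeping only
# the numeric fields (so "5.33.0.6162", "5, 33, 0, 6162" and "5.33.6162" all
# compare equal) and dropping a zero "private" field if present.
function Normalize-Version {
    param([string] $Raw)
    if (-not $Raw) { return '' }
    $fields = [regex]::Matches($Raw, '\d+') | ForEach-Object { $_.Value }
    if ($fields.Count -eq 4 -and $fields[2] -eq '0') {
        $fields = @($fields[0], $fields[1], $fields[3])
    }
    return ($fields -join '.')
}

# 1. Uninstall entries, native and 32-bit (WOW6432Node) views.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$registryHits = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' } |
    ForEach-Object {
        [pscustomobject]@{
            Source  = 'registry'
            Name    = $_.DisplayName
            Version = Normalize-Version $_.DisplayVersion
            Path    = $_.InstallLocation
        }
    }

# 2. The binary's own file version, in case the registry entry is stale,
#    missing, or was cleaned up by an uninstall that left the file behind.
$candidateExes = @(
    (Join-Path $env:ProgramFiles 'CCleaner\CCleaner.exe')
)
if (${env:ProgramFiles(x86)}) {
    $candidateExes += (Join-Path ${env:ProgramFiles(x86)} 'CCleaner\CCleaner.exe')
}
$fileHits = $candidateExes |
    Where-Object { Test-Path $_ } |
    ForEach-Object {
        [pscustomobject]@{
            Source  = 'file'
            Name    = 'CCleaner.exe'
            Version = Normalize-Version (Get-Item $_).VersionInfo.FileVersion
            Path    = $_
        }
    }

# 3. Report every finding and set a non-zero exit code if a bad build is present,
#    so the script can be used in a fleet-wide sweep.
$findings = @($registryHits) + @($fileHits)
$trojanized = $false
if ($findings.Count -eq 0) {
    Write-Output 'CCleaner does not appear to be installed on this machine.'
}
foreach ($f in $findings) {
    $status = if ($BadVersions -contains $f.Version) { 'TROJANIZED' } else { 'ok' }
    if ($status -eq 'TROJANIZED') { $trojanized = $true }
    Write-Output ('{0,-10} {1,-8} {2} {3} ({4})' -f $status, $f.Source, $f.Name, $f.Version, $f.Path)
}
if ($trojanized) {
    Write-Warning 'A compromised CCleaner build is installed. Update to 5.34 or later, or uninstall it, and review the host for follow-on activity.'
    exit 1
}
exit 0
```

The registry and file checks are deliberately both kept: a machine where the installer was run but later removed can still carry a stale Uninstall entry or an orphaned binary, and only one of the two sources may reflect it. A clean result from this script only says the known-bad build is not present now; it says nothing about whether the payload already ran, which is why the article's advice to restore from a pre-installation backup still stands.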

The latest version is available from the official CCleaner download page.

Be Safe – Backup Your Data Regularly!
