Hackers hid malware in CCleaner PC tool for nearly a month

Updated: 2.27 million users had the affected software installed on 32-bit Windows machines, CCleaner maker Piriform said.
Written by Liam Tung, Contributing Writer

Hackers modified versions of the Avast-owned CCleaner software to infect potentially millions of PCs with a backdoor.

The so-called supply chain attack targeting CCleaner users was discovered by researchers at Cisco's Talos cybersecurity team, which reported its findings to Prague-based antivirus firm, Avast, on September 13.

Avast acquired CCleaner's UK maker, Piriform, in July, noting at the time the product had 130 million users. CCleaner is an optimization utility for Windows and Android.

Piriform this morning warned customers that the Windows 32-bit edition of version 5.33.6162 of CCleaner, and version 1.07.3191 of CCleaner Cloud, were "illegally modified before it was released to the public". This was used to infect PCs with a backdoor that can run code from the attacker's remote IP address.

The tainted versions of CCleaner and CCleaner Cloud were released on August 15 and August 24, respectively.

According to Piriform, the software may have been used by up to three percent of its users.

Piriform said that 2.27 million users had the affected software installed on 32-bit Windows machines. "We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm," the company told ZDNet.

According to Piriform, PCs with the compromised versions would transmit the computer's name, IP address, a list of installed software, a list of active software, and list of network adapters to a third-party server located in the US. The company describes this as "non-sensitive data" which was used to profile affected PCs.

After collecting the data, the malware downloaded a second stage payload from the third-party server. As the payload was encrypted, Piriform hasn't explained what it's functionality is, however notes that it has not seen this payload being executed and believes its activation is highly unlikely.

Piriform says Avast detected suspicious activity on its download server a day ahead Cisco's notification, but hadn't warned the public until today due to its cooperation with US law enforcement, which involved shutting down the affected server on September 15.

"Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done. It would have been an impediment to the law enforcement agency's investigation to have gone public with this before the server was disabled and we completed our initial assessment," the company said in a statement.

The company says it has worked to remove affected versions that were being distributed on third-party download sites. It also pushed a notification to CCleaner users to update to version 5.3, which doesn't contain compromised code, while automatically updating CCleaner Cloud to a clean version. Avast Antivirus users also got an automatic update. CCleaner users who haven't updated need to do so manually.

Piriform hasn't determined how its software became compromised. Cisco's Talos team note that the affected version of CCleaner was signed with a valid certificate that Symantec issued to Piriform. Given this and other evidence it found, the researchers believe it's likely an external attacker compromised part of Piriform's development environment to plant malware in CCleaner. The other possibility is a malicious insider, it notes.

Editorial standards