CCleaner software compromised by hackers

Found 18th Sep 2017
I know a lot of people use this software, and this is big news at the moment. It looks like the software has been hacked with around 2 million people compromised.

The hack has targeted two versions of CCleaner that were released in August.

  • CCleaner v5.33.6162
  • CCleaner Cloud v1.07.3191

"For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner," researchers explained. "On September 13, 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities.

We estimate that 2.27 million users had the v5.33.6162 software, and 5,010 users had the v1.07.3191 of CCleaner Cloud installed on 32-bit Windows machines. We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.

There is no indication or evidence that any additional malware has been delivered through the backdoor. In the case of CCleaner Cloud, the software was automatically updated. For users of the desktop version of CCleaner, we encourage them to download and install the latest version of the software.

Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organisation. It is also possible that an insider with access to either the development or build environments within the organisation intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code."

Clean versions of CCleaner (12th September) and CCleaner Cloud (15th September) have now been released.

[Source: Reuters]
25 Comments
Used ccleaner on my windows 10 PC a few months ago.
Shortly after PC would not boot
Thankfully I kept putting off updating my ccleaner for the last few months.
lumsdot 31 m ago

Used ccleaner on my windows 10 PC a few months ago. Shortly after PC would not boot

That sounds more like a symptom of overly aggressive "cleaning"...
Thank you thankfully not using Avast these days

Good software but agree the endless 'updates' are a pain
Wongy110 35 m ago

Thank you thankfully not using Avast these days
Good software but agree the endless 'updates' are a pain

Was it only downloads through Avast that were affected? What about downloads via other sites?
tryn2help 3 m ago

Was it only downloads through Avast that were affected? What about downloads via other sites?

A quick google of the 'news' says yes
lumsdot 1 h, 20 m ago

Used ccleaner on my windows 10 PC a few months ago. Shortly after PC would not boot

Hah, that sounds like the sort of issues reported by the numpty users of our old IT Helpdesk:
"Hi, your engineer was looking at my computer six months ago, and now today my printer won't work..."
Edited by: "Bestard" 18th Sep 2017
It was only one version (of each) ccleaner and was patched in days.

The article says it was only diagnostic data like software versions and IP address that was sent.

Just update and run a good av and spyware scan. Problem solved.
Also, did you do a registry scan without backing up? I've used ccleaner for years and never had a problem booting or losing important files!
Wongy110 2 h, 55 m ago

A quick google of the 'news' says yes

I try not to use google these days, same with youtube.

Using Duckduckgo and Vimeo, not as good as google or youtube but far less invasive and searches are a bit more accurate.

Google's habit of noting where you've been can be a real pain when you need to visit anything remotely linked. i.e. I often researched scripture, and when I needed to know the way houses were built back then Google kept presenting scripture mentioning houses - it was almost impossible to get the archeological/architectural info I needed due to Google noting my habits and basing my searches on them.
NeTHiNg. uSEd iT todAY. eVerYtHiNg FiND,
tryn2help 25 m ago

I try not to use google these days, same with youtube.

Using Duckduckgo and Vimeo, not as good as google or youtube but far less invasive and searches are a bit more accurate.

Google's habit of noting where you've been can be a real pain when you need to visit anything remotely linked. i.e. I often researched scripture, and when I needed to know the way houses were built back then Google kept presenting scripture mentioning houses - it was almost impossible to get the archeological/architectural info I needed due to Google noting my habits and basing my searches on them.

Been using Ecosia on chrome for some time now, not as good as google
worth noting this is only 32bit machines as well
theregister.co.uk/201…ds/
Thanks for the info.

I don't run 32bit Windows or allow CCleaner internet access, but I'll still update.
lanky78 4 h, 40 m ago

It was only one version (of each) ccleaner and was patched in days.

The article says it was only diagnostic data like software versions and IP address that was sent.

Just update and run a good av and spyware scan. Problem solved.

Yep version 5.34..... was released fairly quickly

Been using and recommending CCleaner for years and will continue to do so. No issues on my 3 setups.
Statement from Piriform

We recently determined that older versions of our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been compromised. We resolved this quickly and believe no harm was done to any of our users. This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected. We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download v5.34 here: download. We apologize and are taking extra measures to ensure this does not happen again.

Issue Summary: Our new parent company, the security company Avast, determined on the 12th of September that the 32-bit version of our CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner. Piriform CCleaner v5.33.6162 was released on the 15th of August, and a regularly scheduled update to CCleaner, without compromised code, was released on the 12th of September. CCleaner Cloud v1.07.3191 was released on the 24th of August, and updated with a version without compromised code on September 15. The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server. Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done. It would have been an impediment to the law enforcement agency’s investigation to have gone public with this before the server was disabled and we completed our initial assessment. Between the 12th and the 15th, we took immediate action to make sure that our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 users were safe—we worked with download sites to remove CCleaner v5.33.6162, we pushed out a notification to update CCleaner users from v5.33.6162 to v5.34, we automatically updated CCleaner Cloud users from v1.07.3191 to 1.07.3214, and for users using Avast Antivirus, they received an automatic update.

We are continuing to investigate how this compromise happened, who did it, and why. We are working with US law enforcement in their investigation. A more technical description of the issue is on our Piriform blog at: piriform.com/new…log. Again, we sincerely apologize for this and are committed to making sure nothing similar happens again. We encourage any user of the 32-bit version of CCleaner v5.33.6162 to download the latest version of Piriform CCleaner found here: piriform.com/ccl…ard.

For media enquiries, please contact press@piriform.com.

View the full blog post
Wongy110 7 h, 7 m ago

Thank you thankfully not using Avast these days
Good software but agree the endless 'updates' are a pain

Are you happy to use security software that isn't updated regularly? If so, why bother using any at all?
Wongy110 7 h, 11 m ago

Thank you thankfully not using Avast these days
Good software but agree the endless 'updates' are a pain

Regular updates to security software are essential for it to remain reliable - new threats are identified frequently and without updates to security software, you'll have little protection against these.
lanky78 5 h, 30 m ago

It was only one version (of each) ccleaner and was patched in days.

The article says it was only diagnostic data like software versions and IP address that was sent.

Just update and run a good av and spyware scan. Problem solved.

Yes, it was patched, but that didn't do anything to the malware that had already been installed, with the possible exception of Avast users as there is an inference in the Piriform release that may infer the malware was removed by Avast via an automatic update.
lumsdot 14 h, 53 m ago

Used ccleaner on my windows 10 PC a few months ago. Shortly after PC would not boot

Cool story bro.
qbs 8 h, 14 m ago

Are you happy to use security software that isn't updated regularly? If so, why bother using any at all?
Illusionary 8 h, 10 m ago

Regular updates to security software are essential for it to remain reliable - new threats are identified frequently and without updates to security software, you'll have little protection against these.

When did I say I didn't?
Just saying it is a right pain
I guess they have their reasons namely trying to sell you the paid version
Wongy110 45 m ago

When did I say I didn't?
Just saying it is a right pain
I guess they have their reasons namely trying to sell you the paid version

Strange as it may seem, the paid versions have to be updated too, so you'd find that equally painful.
Just done a run of malwarebytes and it came up with 2 malware issues of piriform software.
v 5.27 here, am i ok?
MrPleasant_exe 27 m ago

v 5.27 here, am i ok?

You should be OK with that older version
MrPleasant_exe 7 h, 56 m ago

v 5.27 here, am i ok?

What's your operating system? If it's 64 bit, you're ok. If you don't know whether you're 32 or 64 bit, open CCleaner and in the top left corner under CCleaner Free, you'll see something like v5.34.6207 (64-bit)

Might be a good idea to update.
Edited by: "qbs" 20th Sep 2017