Beware! Your Favorite Windows Utility May Have Infected Your Computer


CCleaner, a popular optimization utility for Windows and Android, has been distributing a backdoor to millions of users. Attackers breached the vendor's security and injected malware into the application, and the tainted build was then served to a user base that the vendor puts at over 2 billion downloads. The problem was first spotted and reported by Cisco Talos, which discovered that the CCleaner installer being served from the download servers of the antivirus firm Avast, which now owns CCleaner, carried malware.

"For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner," the Talos team's report said. Over 2 million users are estimated to have installed this modified build. The word "signed" is the important detail: the malware was not bolted on by a third party after the fact but shipped inside a binary carrying the vendor's own legitimate signature, so neither users nor their operating system had any reason to distrust it.


When AV firms can't protect their own software...

CCleaner, originally "Crap Cleaner", has over 2 billion downloads to its name according to Avast itself, and the vendor also claimed last year that the utility gains around 5 million new users per week. That popularity makes it an attractive distribution vehicle for malware. Cisco Talos informed Avast of its findings on September 13, and Avast then released an updated version of the utility. The affected versions of CCleaner and CCleaner Cloud had been released on August 15 and August 24 respectively, meaning the backdoored desktop build was available for roughly a month.

Avast in its report has apologized for the "security incident."

We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. [...]

Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.

The company has urged users to update CCleaner to version 5.34 or higher; the latest version is available from the CCleaner website.
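As an added example, not part of the original article or of Avast's or Piriform's own tooling, the following PowerShell checks a Windows host for the release numbers quoted above. The default install directory, the Uninstall registry views and the product names it matches on are assumptions for a standard install; the version numbers are the only identifiers taken from the advisory, and no file hashes are included because the article does not publish any.

```powershell
# Added example (not from the article or from Avast/Piriform): check a Windows host for
# the backdoored CCleaner release named in the advisory. The install directory and the
# Uninstall registry views below are the usual defaults and are assumptions; adjust them
# for non-default installs.

# Build numbers quoted in the Avast/Piriform advisory.
$AffectedDesktop = [version]'5.33.6162'   # CCleaner 5.33 (the 32-bit binary carried the payload)
$AffectedCloud   = [version]'1.07.3191'   # CCleaner Cloud
$FixedDesktop    = [version]'5.34'        # vendor guidance: 5.34 or higher

# Assumed default install directory.
$DefaultDir = Join-Path $env:ProgramFiles 'CCleaner'

function Get-CCleanerVerdict {
    <# Classify a (product name, version string) pair. Vendor version strings are
       inconsistent ("5.33", "5.33.6162", "5.33.0.6162"), so the affected-release test
       compares major.minor only; anything else on the desktop side is judged against 5.34. #>
    param([string]$Product, [string]$VersionString)

    $v = $null
    if (-not [version]::TryParse($VersionString, [ref]$v)) { return 'unknown: unparseable version' }

    if ($Product -like '*Cloud*') {
        if ($v.Major -eq $AffectedCloud.Major -and $v.Minor -eq $AffectedCloud.Minor) {
            return 'AFFECTED: CCleaner Cloud 1.07.3191 release'
        }
        return 'ok: not the affected Cloud release'
    }

    if ($v.Major -eq $AffectedDesktop.Major -and $v.Minor -eq $AffectedDesktop.Minor) {
        return 'AFFECTED: CCleaner 5.33 release'
    }
    if ($v -lt $FixedDesktop) { return 'outdated: older than 5.34, update' }
    return 'ok: 5.34 or newer'
}

# 1. What does Windows think is installed? Check both the native and the 32-bit (WOW6432Node)
#    Uninstall views, since the 32-bit CCleaner installer registers under the latter on x64.
$uninstallViews = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallViews -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' }

foreach ($app in $installed) {
    $verdict = Get-CCleanerVerdict -Product $app.DisplayName -VersionString $app.DisplayVersion
    '{0} {1}: {2}' -f $app.DisplayName, $app.DisplayVersion, $verdict
}
if (-not $installed) { 'No CCleaner entry in the Uninstall registry keys.' }

# 2. Check the binaries themselves. The trojanized 5.33 build was signed with the vendor's
#    legitimate certificate, so Get-AuthenticodeSignature returning "Valid" says nothing about
#    whether the file is clean; the version (and, where the vendor publishes them, file hashes)
#    is what distinguishes the tainted build.
foreach ($exe in 'CCleaner.exe', 'CCleaner64.exe') {
    $path = Join-Path $DefaultDir $exe
    if (-not (Test-Path $path)) { continue }
    $ver     = (Get-Item $path).VersionInfo.ProductVersion
    $sig     = Get-AuthenticodeSignature -FilePath $path
    $verdict = Get-CCleanerVerdict -Product 'CCleaner' -VersionString $ver
    '{0}: version {1}, signature {2} ({3}) -> {4}' -f $path, $ver, $sig.Status,
        $sig.SignerCertificate.Subject, $verdict
}
```

Run it in an elevated PowerShell session. A "Valid" Authenticode status on a 5.33 binary is the expected result, not reassurance: the attacker's code shipped inside the vendor-signed build, so only the version, or hashes the vendor publishes, tells clean and trojanized copies apart.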

2.27 million downloads of the infected CCleaner

Avast estimates that 2.27 million users downloaded the infected build, which was the 32-bit Windows version of CCleaner. "We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm," the company said. Piriform, the CCleaner developer that Avast now owns, also stated that PCs running the malicious CCleaner versions would transmit the following information to a third-party server located in the United States:

  • The computer's name
  • IP address
  • A list of installed software, including Windows updates
  • A list of active running software
  • MAC addresses of the first three network adapters
  • Additional information, such as whether the process is running with admin privileges and whether it is a 64-bit system

The company described this as "non-sensitive data" used to profile affected PCs. It added, however, that the malware also downloaded a second-stage payload from the same server, whose functionality remains unclear because the payload was encrypted. One possibility, not confirmed by either company, is that the infected PCs were meant to be enrolled in a botnet. Whatever the second stage was, the profiling data listed above is exactly what an attacker needs to decide which infected machines are worth pursuing further, so calling it non-sensitive understates its value.


Some security researchers believe Avast is downplaying the severity of the issue in its security notification post. Avast chief technology officer Ondrej Vlcek, however, said that this is indeed a serious incident. "2.27 million is certainly a large number, so we're not downplaying in any way. It's a serious incident. But based on all the knowledge, we don't think there's any reason for users to panic," he added.

"To the best of our knowledge, the second-stage payload never activated [...] It was prep for something bigger, but it was stopped before the attacker got the chance."

If you have downloaded the infected version, update to CCleaner 5.34 or later as soon as possible. Security researchers have also advised restoring affected machines to a state from before August 15, 2017, since updating replaces the tainted utility but does not undo anything a second-stage payload may already have done.