The Popular PC Maintenance Utility CCleaner has been hacked to spread Malware to millions of infected machines
An attack on an incredibly popular computer maintenance utility has been discovered by researchers at Cisco Talos, who report that “the legitimate signed version of CCleaner 5.33 . . . also contained a multi-staged malware payload that rode on top of the installation of CCleaner.” Piriform, the parent company of CCleaner (recently purchased by Avast), has acknowledged the issue.
What does this Malware Do?
While the payload observed so far is not harmful in its own right, the malware does a significant number of things that should concern you, because the data it gathers could be used to attack your machine in the future. Piriform has confirmed that the malware creates a unique identifier for each computer and collects the following:
- Name of the computer
- List of installed software, including Windows updates
- List of running processes
- MAC addresses of first three network adapters
- Additional information such as whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
Please see Cisco Talos’s blog post for technical details.
Was my machine compromised?
The best way to tell if your machine was compromised is to check the version and build of the installation. The affected installations are the following:
- Users running the 32-bit version of the application (not the 64-bit version)
- Users running version 5.33.6162 of CCleaner or CCleaner Cloud 1.07.3191, released on August 15th, 2017
Many users who chose the automatic download will likely be on the 64-bit version, which is not currently affected. CCleaner Free also does not automatically install updates, which for a change is a good thing. If you are using the 32-bit version for Windows and you think you may have downloaded CCleaner during the affected time, see the image below to check what version you have. Open CCleaner and look at the top-left corner of the application: the build and bit-version are shown under the CCleaner logo.
If your version is before 5.33.6162, you are not affected. If your version is 5.34 or later, you are also not affected. But if you downloaded or updated CCleaner between August 15th and September 12th and are using the 32-bit version, your system has likely been affected.
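As an added illustration of the version check above (not code from the article, Piriform or Cisco Talos), the following PowerShell reads the installed CCleaner.exe, determines from its PE header whether it is a 32-bit or 64-bit image, and compares its file version against the affected 5.33.6162 build. The default install paths and the layout of the FileVersion string are assumptions.

```powershell
# Added example (not part of the original article, Piriform or Cisco Talos).
# Assumptions: CCleaner.exe lives in the default folder under Program Files,
# and its FileVersion string carries the build number as its last numeric
# group (e.g. "5.33.6162" or "5.33.0.6162").

function Get-PeMachine {
    # Return 'x86', 'x64' or 'Unknown' by reading IMAGE_FILE_HEADER.Machine;
    # this is the same "bit-version" the application shows under its logo.
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return 'NotPE' }  # "MZ"
    $pe = [System.BitConverter]::ToInt32($b, 0x3C)           # e_lfanew -> "PE\0\0"
    if ($pe -lt 0 -or $pe + 6 -gt $b.Length) { return 'NotPE' }
    if ([System.BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { return 'NotPE' }
    switch ([System.BitConverter]::ToUInt16($b, $pe + 4)) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        default { 'Unknown' }
    }
}

function Test-CCleanerBuild {
    # Report whether the binary is the affected 32-bit 5.33.6162 build named in
    # the advisory. Older and newer builds, and 64-bit images, are not affected.
    param([string]$Path = (Join-Path $env:ProgramFiles 'CCleaner\CCleaner.exe'))
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Found = $false; Version = $null; Arch = $null; Affected = $false }
    }
    $ver  = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    $nums = @($ver -split '[^0-9]+' | Where-Object { $_ -ne '' } | ForEach-Object { [int]$_ })
    $arch = Get-PeMachine -Path $Path
    # Major.Minor.Build comparison; 5.33.6162 is the only build named as affected.
    $isAffectedBuild = ($nums.Count -ge 3 -and $nums[0] -eq 5 -and $nums[1] -eq 33 -and $nums[-1] -eq 6162)
    [pscustomobject]@{
        Path     = $Path
        Found    = $true
        Version  = $ver
        Arch     = $arch
        Affected = ($isAffectedBuild -and $arch -eq 'x86')
    }
}

# Check the 32-bit binary and, if present, the 64-bit one installed alongside it
# (assumed layout); the latter should never report Affected = $true.
Test-CCleanerBuild
Test-CCleanerBuild -Path (Join-Path $env:ProgramFiles 'CCleaner\CCleaner64.exe')
```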
What Do I Do Now?
Although this announcement confirms that the software had been compromised, nothing directly harmful has been discovered so far. Cisco Talos recommends that anyone who may have the malicious software installed restore the system from a backup taken before August 15th, 2017, if possible. You should also scan the machine with antivirus and anti-malware tools to confirm that the malware was indeed removed.
If you do not have a backup of the system from before August 15th, 2017, the next recommendation, while a more drastic option, is to reinstall Windows completely. We understand that this is not the desired option, but if you do not have an effective backup this is the only way to be completely sure that the malware has been removed and that the system is no longer compromised.