top of page

Malware Embedded in CCleaner

Updated: May 19, 2019

malware in ccleaner

Malware Embedded in CCleaner Tool Puts Millions at Risk.

Malicious code has been discovered in two versions of Piniform's CCleaner housekeeping utility, the company disclosed on Monday. Piniform is owned by Avast, whose security products are used by more than 400 million people.

The malware infecting CCleaner could give hackers control over the devices of more than 2 million users. CCleaner is designed to rid computers and mobile phones of junk, such as unwanted applications and advertising cookies.

Two versions of the program were modified illegally before they were released to the public, Piniform said.

However, the threat has been neutralized, according to Piniform Vice President Paul Yung, who explained that the rogue server the hackers used to control the code is down, and other servers no longer are in the attackers' control.

All users who downloaded the infected version of the program for Windows, CCleaner v5.33.6162, have received the latest version of the software. Users of CCleaner Cloud version 1.07.3191 have received an automatic update.

"In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm," Yung said.

Machine Wipe Recommended.

Despite those reassurances from Piniform, more drastic action may be necessary, suggested Craig Williams, the senior technical leader at Cisco Talos.

"Because the malware remains present, even after users update the CCleaner software, Talos advises all users to wipe their entire computer -- remove and reinstall everything on the machine -- and to restore files and data from a pre-August 15, 2017 backup, before the current version was installed," he told the E-Commerce Times.

"It is critical to remove this version of the CCleaner software and associated malware, since it's structure means it has the ability to hide on the user's system and call out to check for new malware updates for up to a year," Williams explained.

Beyond the immediate threat, there may be problems with data loss, noted Morey Haber, vice president of technology at BeyondTrust.

"While the upgrade may remove the malware, leaked data has potentially been transmitted and could be used at a future time," he told the E-Commerce Times.

"Users should consider changing all privileged passwords to mitigate the risks of any leaked credentials," Haber recommended.

Serious Threat

What makes an attack like this particularly pernicious is that there's very little users can do to protect themselves from it.

"For most threats, there are security practices users can take in order to lower the chances of getting infected," said Itsik Mantin, director of security research at Imperva.

"In this case, there was really nothing the victims could do," he told the E-Commerce Times. "The software was properly signed, so they had every reason to trust it."

The threat faced by CCleaner users is serious, said Nathan Wenzler, chief security strategist at AsTech Consulting.

"The malicious aspect of the software allowed for remote administration of a machine that had the compromised version of CCleaner installed," he told the E-Commerce Times.

"An attacker would have full access to the system, including anything a user did while logged on, such as inputting credit card information to a shopping site," Wenzler explained, "or user names and passwords when logging in anywhere."

Could Have Been Worse

Fortunately, Piniform addressed the problem before it escalated.

"The threat was mitigated quickly by the software vendor before they believe any harm was done," noted David Pickett, a security analyst with AppRiver.

"The data exfiltrated to command servers was computer names, IP addresses, list of installed and active software, and a list of network adapters," he told the E-Commerce Times.

"They don't believe any sensitive user information was obtained -- such as credit card numbers, social security numbers or the like," Pickett added.

The threat was real but limited, according to Chris Roberts, chief security architect at Acalvio.

"It was a 'first step' type of thing, where the actual launching of an attack to harvest data wasn't finalized," he told the E-Commerce Times.

Supply Chain Vulnerable

Supply chain attacks -- hackers poisoning products before they reach customers -- appear to be on the rise.

"We're seeing more of these types of attacks," said Neil Wetzel, director of security research at Cygilant.

"That's because we're doing a better job of hardening the front-end user experience," he told the E-Commerce Times.

A recent supply chain attack caused damage around the world.

"The Ukrainian software company MeDoc had its software update servers breached earlier this year, leading to the NotPetya worm, noted Sean Dillon, a senior security researcher at RiskSense.

"This kind of supply chain poisoning has plagued software in the past, and we are seeing more of it in recent times," he told the E-Commerce Times.

Attackers have been targeting commonly used applications and platforms because they can be easier than targeting organizations directly, and they may get a higher rate of return, observed Dan Dahlberg, a research scientist at BitSight.

(By John P. Mello Jr. • E-Commerce TimesECT News Network)


bottom of page