
ALERT: CCleaner Hacked with Malware!

Peerless Tech Solutions
September 18, 2017

Does CCleaner keep your computers clean or not so much?

It seems that CCleaner, one of PCWorld's recommendations for the best free software for new PCs, might not have been keeping your PC so clean after all. Cisco Talos has discovered a malicious bit of code injected by hackers that could have affected more than 2 million users who downloaded the most recent update. Users in Southern Maryland, D.C. and Virginia could be at risk!

On September 13th, Cisco Talos found that the official download of the free versions of CCleaner 5.33 and CCleaner Cloud 1.07.3191 also contained "a malicious payload that featured a Domain Generation Algorithm as well as hardcoded Command and Control functionality." What that means is that a hacker infiltrated Avast Piriform's official build somewhere in the development process to plant malware designed to steal users' data.

The modifications caused infected machines to contact some recently registered web domains, a tactic often used by cyber-thieves who then use this route to install more damaging software on compromised devices.

Cisco Talos suspects that the attacker "compromised a portion of CCleaner's development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization." As such, customers' personal information was not at risk.

According to Avast, the malware doesn't seem to have affected any machines in the wild. Vice President Paul Yung states in a blog post that the company identified the attack on Sept. 12 and had taken the appropriate action even before Cisco Talos notified them of their discovery. Yung says the attack was limited to CCleaner and CCleaner Cloud on 32-bit Windows systems. Fortunately, most modern PCs will likely be running the 64-bit version.

Yung assured customers that the threat has been resolved and the "rogue server" has been taken down. He also says Piriform has shut down the hacker's access to any other server. Also, the company is moving all users to the latest version of the software, which is available on the company's website.

Most reassuringly, Yung states that Avast was seemingly able to disarm the threat before it was able to do any harm. The intent of the attack is unclear at this time, though Avast says the code was able to collect information about the local system.

Users can download CCleaner 5.34 from Avast's website if they haven't already done so. Previous releases are also still available on the company's website, but the infected version has been removed from the company's servers. You'll also want to perform an antivirus scan on your computer. If you're affected, Cisco Talos recommends using a backup to restore your PC to a state prior to August 15, 2017, which is when the hacked version was released.
