Avast reckons CCleaner malware infected 2.27M users

Users of a free software tool designed to optimize system performance on Windows PCs and Android mobile devices got a nasty shock this morning when Piriform, the company which makes the CCleaner tool, revealed in a blog post that certain versions of the software had been compromised by hackers — and that malicious, data-harvesting software had piggybacked on its installer program.

The affected versions of the software are CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191.

The company is urging users to upgrade to version 5.34 or higher (which it says is available for download here).

So clearly some users may still have a compromised PC on their hands (Piriform says it’s moving all users of the CCleaner to the latest version of the software, while noting that users of CCleaner Cloud will have been updated automatically.)

The malware was apparently capable of harvesting various types of data from infected machines — specifically, Piriform says: the computer name, IP address, list of installed software, list of active software and list of network adapters (data it describes as “non-sensitive”) — transmitting it to a third party computer server located in the US.

“We have no indications that any other data has been sent to the server,” it writes.

“Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done. It would have been an impediment to the law enforcement agency’s investigation to have gone public with this before the server was disabled and we completed our initial assessment,” it added.

A spokeswoman for security giant Avast, which acquired the UK-based company back in July, told us: “We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.”

“We estimate that 2.27 million users had the affected software installed on 32-bit Windows machines,” she further added.

At the time of the acquisition, CCleaner was billed as having 130M users, including 15M on Android. So concerns had been raised about the very large potential number of affected devices.

Although it would appear that, in this instance, the illegal payload was only successfully delivered to a small minority of users — and specifically to those using 32-bit Windows PCs.

No people running the tool on Android devices were affected, according to Avast’s spokeswoman.

Piriform’s VP of products has gone into some technical detail regarding the hack here, writing that: “An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.”

He also notes the company first noticed suspicious activity on September 12, 2017, before further investigation revealed “the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public”.

That means some Windows users of CCleaner could have had their machines compromised for more than a month — given the affected versions of the tool were released on August 15 and August 24 respectively.

Piriform added that it estimates these versions “may have been used by up to 3% of our users” — which would push the pool of affected users as high as 3.9M.

Avast’s CTO Ondrej Vlcek declined to speculate on the hackers’ intentions for the data being harvest by the malware — saying he could not comment on account of a law enforcement investigation currently underway.

Asked what additional measures it’s taking to guard against a similar future attack, Vlcek told us: “We are making sure the problem doesn’t happen again by moving the entire Piriform product build environment to a more robust, secure infrastructure provided by Avast.”