You might have heard of CCleaner (short for ‘Crap Cleaner’), a tool that promises to clean up your system for better performance. Perhaps it was recommended by someone tired of hearing you complain about your slow computer and all the crap inside it.
And you might have already downloaded or used it, right?
Well, according to this report, it has been confirmed that CCleaner was hacked to distribute malware directly to its users.
According to the report linked above, CCleaner version 5.33 was infected with a malicious payload capable of downloading and executing other suspicious software. The infected build was actively distributed between August 15 and September 12 and was downloaded by 2.27 million users.
Piriform and Avast have confirmed the report, and the good news, according to them, is that there is currently no evidence the exploit was used to install additional malware.
The malware was also programmed to collect user data, including:
- Name of the computer
- List of installed software, including Windows updates
- List of running processes
- MAC addresses of the first three network adapters
- Additional information, such as whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
Piriform also says all stolen data was encrypted and unlikely to be accessed, although we aren’t sure of that.
Adding to the irony, the infected app was signed with a valid certificate that Symantec issued to Piriform (recently acquired by Avast). Ironic, right?
Speaking to Forbes, Avast chief technical officer Ondrej Vlcek said that, “2.27 million is certainly a large number, so we’re not downplaying in any way. It’s a serious incident. But based on all the knowledge, we don’t think there’s any reason for users to panic.
“To the best of our knowledge, the second-stage payload never activated… It was prep for something bigger, but it was stopped before the attacker got the chance.”
However, researchers noted that the malware only ran on 32-bit systems.
That’s a plus.
On September 13, Piriform released CCleaner 5.34 and CCleaner Cloud version 1.07.3191 that do not contain the malicious code.
The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.
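The practical takeaway from the version numbers above (5.33.6162 trojanised, 5.34 clean, payload reported to run only on 32-bit systems) is an inventory check: which hosts still carry the affected build, and on which of them could the payload actually have executed? The script below is an added example written for this post, not code from Piriform, Avast or the original report. It works over a software-inventory export; the inventory records, hostnames and the non-CCleaner entries are constructed for illustration, and the `status` labels and the `is_32bit` heuristic are this example's own choices.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Version facts taken from the post: 5.33.6162 was the trojanised build and
# 5.34 was the first release without the malicious code.
AFFECTED_LINE = (5, 33)
AFFECTED_BUILD = "5.33.6162"
FIRST_CLEAN = (5, 34)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a version string such as '5.33.6162' into a comparable tuple.
    Anything after the first whitespace (e.g. an '(x86)' suffix) is ignored."""
    return tuple(int(part) for part in text.split()[0].split("."))


@dataclass
class Finding:
    host: str
    version: str
    status: str               # "affected", "outdated" or "clean" (labels chosen here)
    payload_could_run: bool   # the post says the payload only ran on 32-bit systems


def assess_host(host: str, product: str, version: str, arch: str) -> Optional[Finding]:
    """Classify one installed-software record; non-CCleaner records return None."""
    if product.strip().lower() != "ccleaner":
        return None
    v = parse_version(version)
    if v[:2] == AFFECTED_LINE:
        status = "affected"          # the 5.33 release line named in the post
    elif v[:2] < FIRST_CLEAN:
        status = "outdated"          # predates the incident but still needs upgrading
    else:
        status = "clean"
    # Heuristic architecture check (assumption of this example, not from the post).
    is_32bit = arch.strip().lower() in ("x86", "32-bit", "i386")
    return Finding(host, version, status, status == "affected" and is_32bit)


def assess_inventory(records: List[Dict[str, str]]) -> List[Finding]:
    """Run assess_host over an inventory export; returns only CCleaner findings."""
    findings = []
    for rec in records:
        f = assess_host(rec["host"], rec["product"], rec["version"], rec["arch"])
        if f is not None:
            findings.append(f)
    return findings


def hosts_to_isolate(records: List[Dict[str, str]]) -> List[str]:
    """Hosts where the trojanised build is present and the payload could have run."""
    return [f.host for f in assess_inventory(records) if f.payload_could_run]


# Constructed sample inventory: hostnames, the 5.32 entry and the non-CCleaner
# entry are made up for this example.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "CCleaner", "version": AFFECTED_BUILD, "arch": "x86"},
    {"host": "ws-02", "product": "CCleaner", "version": AFFECTED_BUILD, "arch": "x64"},
    {"host": "ws-03", "product": "CCleaner", "version": "5.34", "arch": "x64"},
    {"host": "ws-04", "product": "CCleaner", "version": "5.32", "arch": "x86"},
    {"host": "ws-05", "product": "Notepad++", "version": "7.5", "arch": "x64"},
]


if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        note = " (32-bit: payload could have run)" if f.payload_could_run else ""
        print(f"{f.host}: CCleaner {f.version} -> {f.status}{note}")
```

Every host on the affected line still needs the 5.34 upgrade regardless of architecture; the `payload_could_run` flag only prioritises which machines deserve a closer look first, based on the 32-bit observation quoted above.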