Malware Hidden in CCleaner Software

2018-08-15T20:41:14+00:00September 21st, 2017|Tags: , |

The security team at Cisco Talos discovered that download servers used by CCleaners had been compromised to distribute malware inside CCleaner.

The affected versions of the software are CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191. The company is urging users to upgrade to version 5.34 or higher (which it says is available for download here).

From Cisco’s blog:

On September 13, 2017 while conducting customer beta testing of our new exploit detection technology, Cisco Talos identified a specific executable which was triggering our advanced malware protection systems. Upon closer inspection, the executable in question was the installer for CCleaner v5.33, which was being delivered to endpoints by the legitimate CCleaner download servers. Talos began initial analysis to determine what was causing this technology to flag CCleaner. We identified that even though the downloaded installation executable was signed using a valid digital signature issued to Piriform, CCleaner was not the only application that came with the download. During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner’s download server as recently as September 11, 2017. 

In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017 version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates. This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018. Piriform was the company that Avast recently acquired and was the original company who developed the CCleaner software application.

A spokeswoman for security giant Avast, which acquired the UK-based company back in July, told TechCrunch: “We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.”

“We estimate that 2.27 million users had the affected software installed on 32-bit Windows machines,” she further added.