2.3 Million Infected: Hackers Insert Malware into Popular PC Freeware CCleaner


Malicious hackers broke into popular freeware software CCleaner, potentially enabling them to control the devices of over two million users.

Researchers have discovered a backdoor installed in popular software CCleaner, a computer optimizing software for personal computers and Android devices that is downloaded some 5 million times a week. With over 5 billion downloads since its launch, CCleaner is among the most-downloaded freeware products around.

A version of CCleaner downloaded in August contained remote administration tooling that attempted to connect to several unregistered web pages, researchers at Cisco's Talos unit revealed. On closer inspection, investigators determined that the CCleaner download server hosting the backdoored build had been serving the malware until September 12, when a clean version of the software was released.

The malware profiled the infected computer and sent encrypted information, including the computer's name, installed software and running processes, back to the hackers' server. The hackers also built in a domain generation algorithm (DGA), which produced new domains for receiving and sending the stolen data whenever their original servers went down.

In an admission on Monday, Paul Yung, vice president of product at Piriform, the Avast-owned company behind CCleaner, wrote:

Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud were illegally modified before they were released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue.

“Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version,” Yung said, adding: “to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.”

However, the bigger problem at hand is that CCleaner does not update automatically. This means that every user who installed the compromised version must remove it outright and install the latest version of the software.

For its part, CCleaner’s parent company has contacted law enforcement authorities and is currently investigating the incident.