UPDATED Sept. 21 with news that malware injection seems to have been for purposes of industrial espionage.
CCleaner, a system-optimization tool with more than 2 billion downloads worldwide, is used by many Windows, Mac and Android users who want looking to keep their devices running as fast as possible. Unfortunately for them, it appears that hackers decided to sneak their own code into a recent build of CCleaner for Windows in an attempt to steal data and possibly infect users' systems with even more malicious applications.
The attack took place by piggy-backing onto CCleaner by infiltrating the servers that distribute the software, infecting version 5.33 of the Windows utility and version 1.07 of its cloud-based sister application. Those servers belonged to Piriform, the London company that created CCleaner. In July of this year, Piriform was acquired by the Prague-based antivirus maker Avast.
If you've updated CCleaner since Aug. 15 and you're running 32-bit Windows, you may be infected. You should roll back to a pre-Aug. 15 snapshot of your system, or run a malware scan. Following either (or both) of those steps, visit Piriform's site to download and install the latest, clean version of CCleaner.
A report on this attack from technology company Cisco's Talos Intelligence blog notes that infected versions of CCleaner were observed "as recently as September 11," and that they alerted Avast of the issue on September 13. Before that, though, Piriform already knew something fishy was going on.
In a blog post from Paul Yung, VP of Products for Piriform (opens in new tab), the exec noted that his company saw suspicious activity from "unknown IP address receiving data from software found in version 5.33.6162 of CCleaner" on Sept. 12, which led to Piriform taking the server down. This data transfer from CCleaner appeared to be the malware, identified as Floxif, phoning home to its command-and-control servers.
The infected version of CCleaner, 5.33 for Windows, was made available for download on Aug. 15, and its cleaned version, version 5.34, on Sept. 12. The infected version of CCleaner Cloud was made available on Aug. 24, and a clean version on Sept. 15. The Mac and Android versions of CCleaner do not appear to have been affected.
An Avast spokeswoman told Reuters that 2.27 million users had downloaded the infected version of CCleaner, and that 5,000 installations of CCleaner Cloud had received the tainted update to that software.
If you're on version 5.33 of CCleaner, which states its version number in its top left corner of its interface, your best bet may be to roll back your Windows system to a snapshot from before Aug. 15, as your system may have been compromised since then. At the very least, make sure your own anti-virus software is up to date.
Those without the option to restore a backup should check if their CCleaner is 5.33. Yung notes that that Piriform is updating all versions of its software up to non-malicious versions, but users can download a new copy here (opens in new tab).
While CCleaner is a very popular application, claiming 5 million downloads per week, this infected version would not have hit all of those users. The free version of CCleaner must be manually updated. However, CCleaner is also built into some versions of Avast antivirus software, in which it is automatically updated. CCleaner Cloud is also automatically updated.
Cases such as this, where system-optimization or anti-virus software is infected by malware, are especially dangerous, as those programs take deep-level system privileges, and can do more damage than almost any other software. Even more importantly, the hacked version of CCleaner was signed with a legitimate copy of Piriform's developer certificate, which shouldn't have been available to the miscreants involved.
Fortunately, the impact of this affected version of CCleaner may be mitigated by more than its lack of automatic updates. The Floxif malware appears to infect only 32-bit Windows systems, and most PCs sold in the last 5 years run 64-bit Windows.
As to who is behind this attack and how they infected the official versions of CCleaner, Talos hasn't released anything yet, and Yung isn't providing any other details.
UPDATED Sept. 21: Further analysis of the malware injected into the CCleaner updater, and the malware's command-and-control servers, strongly indicates that the CCleaner hack was an attempt at industrial espionage.
If a machine was infected by CCleaner, a new Cisco report says, the command-and-control server would check whether the infected machine happened to on the internal network of any one of the technology companies on a target list that included Google, Cisco, Samsung, Sony, Epson, D-Link, HTC, Linksys and others. The server would then deliver a "backdoor" to the infected machine for further exploitation.
No Chinese or Russian companies were on the target list.