CCleaner Hacked With Data-Stealing Malware: What to Do Now

UPDATED Sept. 21 with news that malware injection seems to have been for purposes of industrial espionage.

CCleaner, a system-optimization tool with more than 2 billion downloads worldwide, is used by many Windows, Mac and Android users who want looking to keep their devices running as fast as possible. Unfortunately for them, it appears that hackers decided to sneak their own code into a recent build of CCleaner for Windows in an attempt to steal data and possibly infect users' systems with even more malicious applications.

The attack took place by piggy-backing onto CCleaner by infiltrating the servers that distribute the software, infecting version 5.33 of the Windows utility and version 1.07 of its cloud-based sister application. Those servers belonged to Piriform, the London company that created CCleaner. In July of this year, Piriform was acquired by the Prague-based antivirus maker Avast.

Credit: pathdoc/Shutterstock

(Image credit: pathdoc/Shutterstock)

If you've updated CCleaner since Aug. 15 and you're running 32-bit Windows, you may be infected. You should roll back to a pre-Aug. 15 snapshot of your system, or run a malware scan. Following either (or both) of those steps, visit Piriform's site to download and install the latest, clean version of CCleaner.

MORE: Best Antivirus Protection for PC, Mac and Android

A report on this attack from technology company Cisco's Talos Intelligence blog notes that infected versions of CCleaner were observed "as recently as September 11," and that they alerted Avast of the issue on September 13. Before that, though, Piriform already knew something fishy was going on.

In a blog post from Paul Yung, VP of Products for Piriform, the exec noted that his company saw suspicious activity from "unknown IP address receiving data from software found in version 5.33.6162 of CCleaner" on Sept. 12, which led to Piriform taking the server down. This data transfer from CCleaner appeared to be the malware, identified as Floxif, phoning home to its command-and-control servers.

The infected version of CCleaner, 5.33 for Windows, was made available for download on Aug. 15, and its cleaned version, version 5.34, on Sept. 12. The infected version of CCleaner Cloud was made available on Aug. 24, and a clean version on Sept. 15. The Mac and Android versions of CCleaner do not appear to have been affected.

An Avast spokeswoman told Reuters that 2.27 million users had downloaded the infected version of CCleaner, and that 5,000 installations of CCleaner Cloud had received the tainted update to that software.

If you're on version 5.33 of CCleaner, which states its version number in its top left corner of its interface, your best bet may be to roll back your Windows system to a snapshot from before Aug. 15, as your system may have been compromised since then. At the very least, make sure your own anti-virus software is up to date.

Those without the option to restore a backup should check if their CCleaner is 5.33. Yung notes that that Piriform is updating all versions of its software up to non-malicious versions, but users can download a new copy here.

While CCleaner is a very popular application, claiming 5 million downloads per week, this infected version would not have hit all of those users. The free version of CCleaner must be manually updated. However, CCleaner is also built into some versions of Avast antivirus software, in which it is automatically updated. CCleaner Cloud is also automatically updated.

Cases such as this, where system-optimization or anti-virus software is infected by malware, are especially dangerous, as those programs take deep-level system privileges, and can do more damage than almost any other software. Even more importantly, the hacked version of CCleaner was signed with a legitimate copy of Piriform's developer certificate, which shouldn't have been available to the miscreants involved.

Fortunately, the impact of this affected version of CCleaner may be mitigated by more than its lack of automatic updates. The Floxif malware appears to infect only 32-bit Windows systems, and most PCs sold in the last 5 years run 64-bit Windows.

As to who is behind this attack and how they infected the official versions of CCleaner, Talos hasn't released anything yet, and Yung isn't providing any other details.

UPDATED Sept. 21: Further analysis of the malware injected into the CCleaner updater, and the malware's command-and-control servers, strongly indicates that the CCleaner hack was an attempt at industrial espionage.

If a machine was infected by CCleaner, a new Cisco report says, the command-and-control server would check whether the infected machine happened to on the internal network of any one of the technology companies on a target list that included Google, Cisco, Samsung, Sony, Epson, D-Link, HTC, Linksys and others. The server would then deliver a "backdoor" to the infected machine for further exploitation.

No Chinese or Russian companies were on the target list.

Henry T. Casey
Managing Editor (Entertainment, Streaming)

Henry is a managing editor at Tom’s Guide covering streaming media, laptops and all things Apple, reviewing devices and services for the past seven years. Prior to joining Tom's Guide, he reviewed software and hardware for TechRadar Pro, and interviewed artists for Patek Philippe International Magazine. He's also covered the wild world of professional wrestling for Cageside Seats, interviewing athletes and other industry veterans.

  • Kenton82
    Only 32-bit systems affected. Not good still though.
  • flaggingred
    I run 64-bit and Malwarebytes rootkit found the malware in the CCleaner folder.
  • Avast-Team
    Hi everyone --

    There's a lot of detail regarding this in an official post on Piriform's blog:

    The key point from the blog post:

    "Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm."

    I will be following up with any additional information from my team as soon as it's available, and we thank everyone for your support.
  • peterblaise
    Note that 64-bit versions are CALLED by the 32-bit application nonetheless, so ALL CCleaner v5.33 installations -- 64-bit as well as 32-bit -- are suspect.
  • gerry16188
    I had my Win 10 64bit my Win7 64 bit and my Vista 32bit hacked with actually 2 different trojans. My Hotmail Skype also were compromised as I got a message from Microsoft to tell me that someone tried to access my account so I had to change passwords etc etc. not a fun afternoon.
  • Avast-Team
    Hi everyone -- our CEO and CTO have provided a detailed article clearing up some misconceptions about the incident. I believe this will give you the answers you're looking for.

    The incident only affected specific 32-bit versions of CCleaner -- no other Avast or Piriform products were affected -- and the threat was neutralized before any harm could be done.
  • rherber1
    I regularly run a MalwareBytes scan and this trojan wasn't detected when CCleaner 5.33 was functioning. It also wasn't detected by MWB when the 5.34 upgrade occurred last week. Only on Sept 19 (Australian time) when MalwareBytes database was updated to v. 2017.09.19.02 did it successfully notify that CCleaner was infected with Floxif.

    So, running a malware scan with one of the most widely used detection and removal programs was of no use whatsoever prior to Sept 19.
  • notlaughingnow
    Running Win 10 -64-bit and Defender found Floxif yesterday
    Thanks for the heads up Piriform
    Blog comments not good enough
    Seems Piriform knew much earlier in Sep.
    Poor transparency
    It's really an online war
    We, public, and customers, last to know
  • maximus1995
    I didn't have the 32 bit version, but I still uninstalled and ran MalwareBuster just to be sure, I can't believe such a large scale hack was pulled off this well.