CCleaner official download was hacked and infected version containing malware released to public - how to fix

CCleaner by Piriform (recently acquired by Avast) is a famous software that comes with both free and paid versions, made available to Windows, Mac and Android users to do housekeeping in their computer or Android smart mobile device to clean up junk files and junk registry entries, in order to optimize the computer to maintain running smoothly. It claims to have achieved over 2 billion of downloads now. There is also a cloud version available.

If your computer has CCleaner installed, you need to be aware that during the period between mid-August to mid-September 2017, the official download site of CCleaner was hacked, and the official CCleaner installer had been replaced with a version containing malware that will compromise your computer. The "contaminated" CCleaner version had been distributed to all the 3rd party download sites as well!

If you installed or updated your CCleaner with the version containing the malware, then your computer is infected.

This is a kind of supply chain attack, will is considered a very effective way to distribute malicious software into target organizations or general public. The attackers are relying on the trust relationship between the supplying source (such as official release source) and the consumer. This trust relationship is then abused to attack organizations and individuals.


Which versions are affected?

• CCleaner v5.33.6162
• CCleaner Cloud v1.07.3191

It is said that the affected versions were for 32-bit Windows PCs, and the CCleaner for Android is probably safe. Newer official released versions of CCleaner (version 5.34 and above) are also safe as there will be no malware included (finger-crossed).


What the malware possibly do?

This malware was detected and reported separately by Cisco's Talos Intelligence Group and also the Morphisec's security team.

According to their analysis, this malware will collect information in your computer, including network connection detail, running processes, installed software, anything running with administrator privileges, etc. It will encrypt the information and send back to the hacker's server using HTTPS posting method.

The hacker's server can make use of backdoor created by the malware to send codes to be executed with administrator privileges at the infected computers.


How to fix?

If your Windows computer is installed with CCleaner, you should uninstall it immediately, regardless of the version. After that, if you still want to continue using CCleaner, you can download and reinstall the uninfected latest version (version 5.34 and above) from its official download site.


Reference sources:

• http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
• http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor
• http://thehackernews.com/2017/09/ccleaner-hacked-malware.html
• https://www.pcworld.com/article/3225407/security/ccleaner-downloads-infected-malware.html
• https://www.cnet.com/how-to/ccleaner-was-hacked-heres-what-to-do-next/