CCleaner, the incredibly popular PC maintenance utility, has been hacked to include malware. Here’s how to tell if you were affected, and what you should do.
In a blog post published on Monday, Piriform’s VP of Products Paul Yung revealed that the company spotted a security breach in CCleaner 5.33.6162 and CCleaner Cloud. The said tool is a popular optimization tool for Windows and Android operating system.
Yung said that the version was compromised by some attackers before its release, who managed to attach some malware to the setup.
“A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems,” he added.
A two-stage backdoor was inserted in the CCleaner.exe binary which was capable of remote code execution after receiving commands from a remote IP.
What Does the Malware Do?
The malware did not actively harm systems, but it did encrypt and collect information that could be used to harm your system in the future. In particular, according to Piriform, it created a unique identifier for the computer and collected:
- Name of the computer
- List of installed software, including Windows updates
- List of running processes
- MAC addresses of first three network adapters
- Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
Was I Affected?
Thankfully, it looks like this malware only affected a certain subset of CCleaner users. In particular, it affected:
Users running the 32-bit version of the application (not the 64-bit version)
Users running version 5.33.6162 of CCleaner or CCleaner Cloud 1.07.3191, released on August 15th, 2017
Since many users likely use the 64-bit version of the application, and CCleaner Free does not automatically update, this is good news for a lot of people.
If you are on a 32-bit version of Windows and think you might have downloaded CCleaner during the affected timeframe, here’s how to check what version you have. Open CCleaner and look in the top-left corner of the window—you should see a version number under the program name.
If that version is before version 5.33.6162, then you are not affected, and you should manually download the latest version now. If that version is 5.34 or later, your current version isn’t affected, but if you updated CCleaner in between August 15th and September 12th, and are on a 32-bit system, you may still have been affected. (If you’re comfortable going into the registry, you can open Registry Editor and navigate to HKLM\SOFTWARE\Piriform and see if there is a key labeled Agomo:MUID . If that key exists, it means you had the infected software on your system at one point in time.)
What Should I Do?
While nothing immediately harmful was discovered, Cisco Talos recommends restoring your system to a state before August 15, 2017 from a backup if you were affected. You should probably run an antivirus and MalwareBytes scan on your system and your backups to ensure no malware is left installed.
Alternatively, they say, you can reinstall Windows completely—yes, it’s a bit of a nuclear option, but it’s the only way to completely know your system is clean after an event like this.
