Piriform's CCleaner used to distribute malware

September 19, 2017 // 11:05 a.m.

Tags: #avast #breach #ccleaner #data-breach #infected #infection #insecurity #malware #piriform #security #trojan-horse #virus

Piriform, owned by security firm Avast, has warned users of its popular CCleaner utility that a breach had it distributing a backdoor Trojan Horse for up to a month - affecting an estimated 2.27 million users.

Originally launched as Crap Cleaner prior to a rebrand to the more polite CCleaner, Piriform's best-known utility aims to reduce the amount of crud that builds up on your average computer over time. As well as digging out outdated cache files and other space-wasters, CCleaner can be used to find and delete a range of unwanted software programs including selected forms of malware - giving the news that the company's software has itself become a malware vector that little twist of irony.

'Our new parent company, the security company Avast, determined on the 12th of September that the 32-bit version of our CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 products, which may have been used by up to 3 percent of our users, had been compromised in a sophisticated manner,' the company admits in a statement published yesterday. 'Piriform CCleaner v5.33.6162 was released on the 15th of August, and a regularly scheduled update to CCleaner, without compromised code, was released on the 12th of September. CCleaner Cloud v1.07.3191 was released on the 24th of August, and updated with a version without compromised code on September 15.

'The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server. Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done. It would have been an impediment to the law enforcement agency’s investigation to have gone public with this before the server was disabled and we completed our initial assessment. Between the 12th and the 15th, we took immediate action to make sure that our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 users were safe - we worked with download sites to remove CCleaner v5.33.6162, we pushed out a notification to update CCleaner users from v5.33.6162 to v5.34, we automatically updated those where it was possible to do so, and we automatically updated CCleaner Cloud users from v1.07.3191 to 1.07.3214.'

That the attackers concentrated their efforts on the 32-bit version of CCleaner is welcome news, as it leaves users of the 64-bit build unaffected. Even at just three percent of its user base, though, the popularity of CCleaner means up to 2.27 million users installed and used the affected build - a build which has now been removed from Piriform's servers and replaced with an updated version.

Neither Piriform nor Avast have detailed exactly how the breach occurred, though Piriform has stated it is 'taking extra measures to ensure this does not happen again'.


Discuss this in the forums

QUICK COMMENT

SUBSCRIBE TO OUR NEWSLETTER

WEEK IN REVIEW

TOP STORIES

SUGGESTED FOR YOU