CCleaner Gets Used as Malware Host by Hackers

CCleaner

You might be one of the over 2 million affected.

If you use CCleaner, now might be a wise time to upgrade it.  As discovered by Cisco’s Talos division, hackers may have been using a backdoor from a remote location to gather non-essential data from users of the program.

Avast owned Piriform, the makers of CCleaner, believe that nearly 3% of their userbase may have been affected. Specifically, if they used CCleaner 5.33 (available for download between August 15 and September 12), and CCleaner Cloud 1.07 (launched August 24). As per Piriform’s blog post:

The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA. We have no indications that any other data has been sent to the server. Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done. It would have been an impediment to the law enforcement agency’s investigation to have gone public with this before the server was disabled and we completed our initial assessment. Between the 12th and the 15th, we took immediate action to make sure that our Piriform CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 users were safe – we worked with download sites to remove CCleaner v5.33.6162, we pushed out a notification to update CCleaner users from v5.33.6162 to v5.34, we automatically updated those where it was possible to do so, and we automatically updated CCleaner Cloud users from v1.07.3191 to 1.07.3214.

You can download the new version here. Talos also weighed in on the issue:

In analyzing DNS-based telemetry data related to this attack, Talos identified a significant number of systems making DNS requests attempting to resolve the domains associated with the aforementioned DGA domains. As these domains have never been registered, it is reasonable to conclude that the only conditions in which systems would be attempting to resolve the IP addresses associated with them is if they had been impacted by this malware. While most of the domains associated with this DGA have little to no request traffic associated with them, the domains related to the months of August and September (which correlates with when this threat was active in the wild) show significantly more activity.

So, if you use CCleaner, update it. Otherwise you might be giving away more info than you’d like.

READ:  Lowe's and Virginia Tech Developing Passive Exoskeleton

About Author

B. Simmons

Based out of Glendale California, Bryan is a GAMbIT's resident gaming contributor. Specializing in PC and portable gaming, you can find Bryan on his 3DS playing Monster Hunter or at one of the various conventions throughout the state.

Learn More →