CCleaner Hacked, Infecting Millions With Backdoor Malware

The widely used software tool that helps users get rid of unwanted files and applications on Windows was exploited by unknown hackers.


More than 2 billion users around the world have downloaded the Piriform CCleaner tool to help remove unwanted files and keep their systems secure. Now those users are at risk, as on Sept. 18, Piriform publicly revealed that its servers had been hacked, with attackers modifying CCleaner with a backdoor that possibly infected millions of users.

"We estimate that 2.27 million users had the affected software installed on 32-bit Windows machines," a spokesperson for software security vendor Avast told eWEEK. "We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm."

Avast acquired Piriform in July, and in a statement Piriform thanked Avast Threat Labs for analyzing the attack. Piriform has contacted law enforcement, shut down the impacted download server and updated CCleaner to version 5.34.

"A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems," Paul Yung, vice president of products at Piriform, wrote in a statement. "Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process."

According to Piriform, CCleaner was modified by an unknown attacker to include a two-stage backdoor. Such a backdoor is capable of receiving and running code from an attacker command and control server.

"At this stage, we don't want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it," Yung stated.

While Avast and Piriform are not speculating on how long the attackers might have been in the CCleaner servers, Cisco's Talos research group has made its own observations. Although Piriform's disclosure only mentioned Avast Threat Labs as helping in the analysis, Cisco Talos claims that it reported the security issue to Avast on Sept. 13.

The Cisco Talos researchers noted that they discovered the CCleaner malware while performing customer beta testing of a new exploit detection technology. According Cisco's analysis, the infected version of CCleaner was first released on Aug. 15, meaning that users were exposed to risk of infection from the backdoor for approximately one month. 

It's not currently known how the CCleaner attackers were able to modify the code to include the backdoor code. Cisco Talos researchers speculate that attackers could have compromised a developer account that provided access or possibly were able to directly exploit a system within the CCleaner build environment.

Infecting legitimate software with malware is not a new hacker technique and has been used in multiple attacks. In the recent NotPetya ransomware incident, an alleged root cause was a malware-infected update of widely used Ukrainian tax software. One of the ways that some organizations attempt to secure downloads is with an approach known as The Update Framework (TUF), which provides controls to help secure updates.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.