CCleaner came bundled with malware for a month and nobody noticed

The company stated that they released the uncompromised CCleaner version on September 12th and they again unveiled the CCleaner Cloud clean version on September 15th, 2017.

CCleaner, the popular file clean-up and performance optimization utility for Windows, has been hacked to spread malware to users of the 32-bit version.

Talos reached out to Avast Piriform, the company behind CCleaner, on September 13.

Anyone who uploaded CCleaner between August 15 to September 12 are advised to manually download and update their software immediately.

They said updating CCleaner to its latest version, 5.34, removes the offending malware, while users of CCleaner Cloud should already have received a software update addressing the issue. After looking into the problem, they realized that CCleaner version 5.33 came together with risky malware.

The malicious payload also collected and encrypted the name of the computer, a list of installed software and Windows updates, a list of running processes, MAC addresses of the first three network adapters, and additional information such as whether the infected machine had administrator privileges, according to Piriform. Piriform Ltd., the maker of CCleaner, confirmed in a blog post today that certain versions of the software were compromised with a hidden backdoor that may have allowed hackers to harvest data from users.


The company says 2.27m users were infected, but added that "we believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm".

However, those running the standard version will want to ensure they have updated to the latest version, particularly if they downloaded it in the past month. As a result, computers sent IP addresses and a list of installed applications from the users' computers to a server located in the US.

Piriform, which develops the CCleaner software created to remove unwanted files from Android phones and Windows PCs, said it had identified "suspicious activity" in two versions of the program which it found had been "illegally modified".

"The compromise could cause the transmission of non-sensitive data...to a 3rd party computer server in the United States of America", the company said.

You can download version 5.34 of CCleaner here. But owner Avast Piriform says it prevented the breach harming customers.

Researchers with Cisco's Talos Intelligence Group found that CCleaner was compromised by what's known as a "supply chain attack".

  • David Armstrong