Today, September 18th, Piriform announced that their CCleaner program had been infected with a malware program. Paul Yung, VP of Products, revealed that the malware was illegally inserted before their digital signature was applied, the signature being the control meant to guard against the code being modified in the distribution channel.
Paul states that “A suspicious activity was identified on September 12th, 2017” and law enforcement agencies were notified. He added:
…the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update.
Users not running the CCleaner Cloud version will need to install the latest version themselves. Piriform says only the 32-bit Windows versions were infected; the company has not said whether the 32-bit version could have been installed on 64-bit computers. They also said that, to the best of their knowledge, they “were able to disarm the threat before it was able to do any harm,” and that they were able to take down a server that was collecting the data sent by the malware.
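Because the affected build is identified by its version number rather than by its signature (the malware was inserted before signing, so the trojanised binary carries a valid Piriform signature), an administrator's first step is to inventory which CCleaner builds are present on a host. The following PowerShell script is an added example written for this article; it is not code from Piriform, Avast or Cisco Talos. It flags installs whose version equals v5.33.6162, reads both the native and WOW6432Node Uninstall keys so that a 32-bit CCleaner on a 64-bit Windows host is also reported, and then inspects the binary itself. The install directories under Program Files are assumed default locations, not paths taken from the article.

```powershell
# Added example (not from the original article or from Piriform/Avast):
# inventory CCleaner installs on a Windows host and flag the build named in
# the advisory, CCleaner v5.33.6162. The install paths below are assumptions
# about a default install, not facts from the article.

$AffectedVersion = [version]'5.33.6162'

# Query both registry views: on a 64-bit host, 32-bit installers register under
# WOW6432Node, which is how a 32-bit CCleaner build appears on a 64-bit machine.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' } |
    ForEach-Object {
        $view = if ($_.PSPath -match 'WOW6432Node') { '32-bit (WOW6432Node)' } else { 'native' }
        $parsed = $null
        [void][version]::TryParse($_.DisplayVersion, [ref]$parsed)
        [pscustomobject]@{
            Name         = $_.DisplayName
            Version      = $_.DisplayVersion
            RegistryView = $view
            InstallDir   = $_.InstallLocation
            # True only for the exact build Piriform is migrating users away from.
            Affected     = ($null -ne $parsed -and $parsed -eq $AffectedVersion)
        }
    }

if (-not $installs) {
    Write-Output 'No CCleaner entry found in the Uninstall registry keys.'
} else {
    $installs | Format-Table -AutoSize
}

# Assumed default install locations (hypothetical defaults; adjust as needed).
$candidates = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
)

foreach ($exe in $candidates) {
    if (-not (Test-Path $exe)) { continue }
    $fileVer = (Get-Item $exe).VersionInfo.FileVersion
    $sig = Get-AuthenticodeSignature -FilePath $exe
    # The trojanised build was signed after the malware was inserted, so a
    # 'Valid' signature status does not clear a 5.33.6162 binary on its own;
    # the version number is the deciding signal for this incident.
    [pscustomobject]@{
        Path            = $exe
        FileVersion     = $fileVer
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
    } | Format-List
}
```

Run it from an elevated PowerShell prompt so both registry views are readable. Any row with Affected set to True, or any binary reporting FileVersion 5.33.6162, should be replaced with the latest release rather than trusted on the strength of its Authenticode status.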
Cisco’s Talos threat research group also became aware of this embedded malware. Their blog post states:
On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities.
NOTE: Avast had bought Piriform and distributes CCleaner, hence Talos contacted Avast directly.
For those interested in the in-depth technical details of how the malware acts, visit the Cisco Talos Intelligence Group blog article.
If you are running CCleaner, I advise you to immediately install the latest version.