[HACKED] A Reminder To Be Vigilant

Category: Security

Piriform, developer of the popular CCleaner software, issued a security bulletin on September 18, 2017. Somehow, malware sneaked into recent versions of CCleaner and CCleaner Cloud. Here is what you need to know...

What Happened to CCleaner?

CCleaner was hacked, and over 2 million users were affected -- this much we know. According to the Piriform security bulletin, the infected CCleaner versions were released in August; specifically, they are CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. If you have either of those, you should immediately uninstall it and, if necessary, update to the latest version of the program.

If there's any good news here, it is this: The malware that snuck into CCleaner is odd in that it doesn’t do very much. It just sniffs out the victim’s the computer name, IP address, list of installed software, list of active software and list of network adapters and transmits them to a server located in the US. My understanding has always been that any software running locally can access ANYTHING on that machine. So why collect and transmit only this data, which seems harmless?

That rogue data collection server has been shut down. But what the perpetrators hoped to do with this information is anyone’s guess. Mine is that they are scouting older Windows systems in hopes of finding the ones that are unpatched, (perhaps Windows XP machines) and later targeting them with some other customized attack.

CCleaner hacked - what to do?

The CCleaner malware has been found only on 32-bit Windows systems. That doesn’t mean you can keep the infected versions if you have a 64-bit system. Once the malware was discovered, Piriform pushed out a cleaner CCleaner. Be safe and upgrade to the latest version of CCleaner. Users of CCleaner Cloud will be automatically updated.

The malware also infected mobile devices. Piriform claims 130 million total users of CCleaner, including 15 million Android users. If you have the mobile version of CCleaner, remove or update it ASAP. (There is no CCleaner for Apple iOS devices, such as the iPhone or iPad.)

Piriform claims that 2,270,000 of CCleaner’s users have been infected and their system specs transmitted to an unknown party. The fact this malware hasn’t done any significant harm is some comfort, but the question of how these versions of CCleaner got loaded with malware remains.

An Inside Job?

Piriform says the affected versions of CCleaner were infected before they were released to the public. That means it was an inside job; an employee, contractor, or perhaps a software tester slipped the malware into the final versions. That mole may still be in Piriform. The company says they are investigating, and have moved to a new development platform that should prevent this from occurring in future versions.

The Google Play Store screens apps before making them available to download. Obviously, this malware slipped through. It’s not the first malware that has evaded Google Play’s detection; Google removed nearly 100 apps in the past month after users and security researchers reported that the apps did dastardly deeds. Even the best malware detectors are not perfect.

If you have the Google Play Store app on your phone, you automatically have constant anti-malware protection. Open the Play Store app, tap the “three bars” icon in the upper left corner, scroll down a page, and tap “Play Protect.” The slider switch at the bottom right corner of the Play Protect screen should be in the “on” position. If so, Play Protect is constantly scanning all of the apps on your phone. If it detects potential malware, it will alert you. If an app is trying to do something destructive, Play Protect will delete it.

As Good As it Gets

The moral of this tale - aside from “update CCleaner now” - is that you can’t count on anyone else to protect you against malware. Downloading apps only from Google Play Store does not provide 100% security. Neither does getting free software direct from a "trusted" developer. In this case, CCleaner was infected before it left Piriform’s offices.

It's troubling that this malware went undetected for a month. I'm also concerned because Piriform says: "At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it."

So what are the chances that other popular freeware used by millions of people are also similarly affected? After learning about this hack, I'm forced to assume the worst. The best you can do is to keep anti-malware protection running on your local PC and mobile devices at all times, and stay informed.

Your thoughts on this topic are welcome. Post your comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 20 Sep 2017

For Fun: Buy Bob a Snickers.

Prev Article:
Wolfram Alpha: The Answer Calculator

The Top Twenty
Next Article:
Geekly Update - 21 Sep 2017

Most recent comments on "[HACKED] A Reminder To Be Vigilant"

(See all 23 comments for this article.)

Posted by:

Jay R
20 Sep 2017

MBAM picked it up for me yesterday. At first, I thot it was another episode of The Malware Vigilantes War. A quick Google showed me that I was wrong. It was quickly quarantined. I appreciate all that you do, Bob.

Posted by:

James McGee
20 Sep 2017

Thanks Bob for keeping us informed of all these security breeches. I hadn't heard about this one anywhere else. Just checked and it appears I'm ok.

Posted by:

20 Sep 2017

Webroot caught this on my PC's bootup three days ago. It deleted the infected exe and allowed my 64 bit version to continue functioning.

I am more than a little disappointed that Piriform sent out no notices about the issue. I had to go hunting in their user forums to find out anything beyond news reports.

@ Deb, I've read in the Piriform forum that Malwarebytes and other similar programs are blacklisting the entire CCleaner application.

Posted by:

Ron Strong
20 Sep 2017

Avast Internet Security sez MyTurboPc
is malignant. ??

Posted by:

Larry H
20 Sep 2017

No need to even use CCleaner. Never used it with Windows 10, in fact, I read somewhere that it could do more harm then good. Looks like they were correct.

Posted by:

20 Sep 2017

I read where Piriform delayed the announcement while they put the police tracking down the rouge server. Supposedly it was captured as well as the perpitrator... and THEN the announcement was made and a new version released. Credible?

Posted by:

Darcetha Manning
20 Sep 2017

So what are the chances that other popular freeware used by millions of people are also similarly affected? After learning about this hack, I'm forced to assume the worst. The best you can do is to keep anti-malware protection running on your local PC and mobile devices at all times, and stay informed. Quote from Bob Rankin.

Truer words were never spoken, Bob. I agree 100%.

Posted by:

20 Sep 2017

My 64bit W8.1 laptop wouldn't allow CC ver.5.33 to install. Would go part way then crap out with a write error. I tried a number of times with downloads from Piriform and Filehippo but could not get it to work. With the message saying it was a write error I thought it might be a disk error but a couple of different tests found none, so I just continued using CC ver 5.32, which seems to work fine. Maybe Windows was protecting me and I didn't know it until I read this article. Thanks Bob.

Posted by:

20 Sep 2017

According to Malwarebytes, Ccleaner was sold to Avast. Unfortunately, before the program was transferred to Avast, someone (maybe a disgruntled employee) slipped in a bit of ugly.
Ccleaner is a fantastic program as long as you don't get into the "tools" section and mess with things you don't have the knowledge for.
One nice feature is that any programs you no longer want sometimes hide their uninstall feature. Ccleaner knows them and shows the uninstall. In tools find the program and click uninstall. Other tool things can mess up your system if you are not computer literate. Be careful.
Any way it's truly a great software that I have used for many many years and will continue to do so.

Posted by:

21 Sep 2017

I am to the point that I use two different types of 'firewalls'. I don't do automatic updates to any of the software packages installed in my systems whether they are programs or updates to the hardware the system is built around (e.g. graphics subsystem, etc.) and all executable are prevented/blocked from connecting to any outside IP numbers. In addition to the Win10Pro-64bit OS enabled firewall protection, I use WinPatrol Firewall, and Desksoft BWMeter. It takes some alignment to configure them properly since every connection must first be determined to be blocked or not. Afterall, as Mr. Rankin has stated " ...you can’t count on anyone else to protect you against malware."

Posted by:

21 Sep 2017

@Denis - You need to re-install the CCleaner version 5.34 or higher. Anything earlier will be contaminated with the malware.

I found out about all of this, is past weekend. I got an article from The Windows Club and this breach was noted as the most recent Hack Attack.

The Windows Club or TWC only talked about the 32-bit versions. I felt like you Bob - What harm does it do to uninstall and re-install a program? Anywho - I uninstalled CCleaner and re-installed the 5.34 version per recommendation.

If, you want to use a PC or Laptop or Mobile Device - Get yourself some good protection be it Free or Paid. }:O)

Posted by:

21 Sep 2017

Correct me if I am wrong, but Ccleaner was never meant to block malware but to rid the system of junk. I use another software to protect my computers from malware. I will continue to use Ccleaner. It performs well for me.

Posted by:

21 Sep 2017

They found the hack, shut down the server and then went public... I can understand this... nothing like the EquiFax debacle :O
I'm not going to throw out the baby with the bathwater, I'll keep on using Ccleaner as I been using it for years.

Posted by:

David Baker
21 Sep 2017

Hi Bob,
Thank you for all your wonderful info over the years! I use CCleaner Free on all my devices. I just got a auto-update tonight for my desktop machine. I think we're good. Cheers, David

Posted by:

21 Sep 2017

How can an average user be vigilant against compromised versions of applications that are distributed using the software company's own infrastructure?

Posted by:

21 Sep 2017

Those with 64-bit Windows were not entirely safe from this hack. When Ccleaner installs on a 64-bit machine, it installs both 64b and 32b executables.

The 32b version isn't used, but it's there. There is also a registry key (HKLM\software\piriform\agomo) that, if present, shows you were infected at one time. Delete it if so.

Maybe a '2' on a 1-10 malware scale. I'd give Wannacry an 8, Equivfax is a solid 10.

Posted by:

21 Sep 2017

I use to use CCleaner Free until it screwed up my Win 10 Laptop registry; or at-least that is what the laptop Mfg believed. After exhausting all possible repairs, I had to do a reinstall of windows 10! So I deleted CCleaner Free some 7-8 months ago.

Posted by:

21 Sep 2017

I've used CCleaner for years. No reason not to; it's fast and simple. I do not use their registry cleaner just to be safe, but it helps me a lot by cleaning out junk left behind by my browsers that I sometimes get too lazy to do.

This does sound like a vindictive action. I believe Piriform didn't come out with this information right away because they were anxious to track down what happened and didn't want to let the cat out of the bag too soon. However, it wasn't as ridiculous as Equifax, which I still have some nagging questions about how that company handled things.

Posted by:

21 Sep 2017

A 2nd Option:
The great advantage about CCleaner Portable is that it allows you to do just the same without leaving any evidence of use on the computer. In fact, you don't even need to install it. Simply run it from your USB memory stick and you'll have immediate access to all of its features. CCleaner Portable does create some necessary keys in Windows Registry, but these are deleted when the program is closed, so there'll be no trace of it left on the system.

Posted by:

23 Sep 2017

I was quite surprised the other day when my ZoneAlarm said it found a virus in ccleaner.exe and fixed it. I thought I was in the clear since I had the 64-bit version. Sheesh.

There's more reader feedback... See all 23 comments for this article.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- [HACKED] A Reminder To Be Vigilant (Posted: 20 Sep 2017)
Source: https://askbobrankin.com/hacked_a_reminder_to_be_vigilant.html
Copyright © 2005 - Bob Rankin - All Rights Reserved