Malware discovered in CCleaner put millions of users at risk

Sep 18, 2017
  1. System-cleaning tool CCleaner is one of the most popular programs of its type in the world. According to Avast, which recently acquired maker Piriform, it boasts over 2 billion worldwide downloads and receives 5 million more each week. But it’s just been reported that up to 2.27 million users were put at risk from a backdoor found in a recent version of the program.

    Security firm Cisco Talos warned that version 5.33 of CCleaner, which was downloadable from August 15 to September 11, had been modified to include the Floxif malware. The unaffected version 5.34 was released on September 12, but those who downloaded the tool during the weeks that version 5.33 was available may have unwittingly installed the backdoor.

    Update: The exact versions that were infected were the 32-bit version of CCleaner and CCleaner Cloud 1.07.3191. The 64-bit version of CCleaner was not affected.

    Floxif can gather information about an infected system and send the data back to a hacker’s server. It can also allow other forms of malware, such as ransomware and keyloggers, to make their way onto a victim's computer.

    It’s unclear exactly how the person or persons responsible breached Avast’s systems, but Talos speculates it could have been "an insider with access to either the development or build environments within the organization."

    Paul Yung, Piriform’s Vice President of Products, has tried to play down the attack. In a blog post today, he wrote: "The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker."

    "Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm."

    The company said it was working with US law enforcement agencies to discover who was behind the incident. "We apologize and are taking extra measures to ensure this does not happen again," it added.

    If you haven’t already done so, you might want to download the latest 5.34 version of CCleaner here. There's also a portable version of the app that doesn't have an installer.

  2. winjer

    winjer TS Member

    The minute I saw that Avast had bought Piriform, I knew that something like this would happen. So I just uninstalled CCleaner.
    Seems like I was right....
  3. tomkaten

    tomkaten TS Maniac Posts: 234   +152

    I had the compromised version on my system.

    Ran MBAM and HerdProtect, system came up clean. Was using the portable version, so maybe that's why my box wasn't compromised? I guess the hackers altered the installation process to include the malware, not the CCleaner executable, as that would have been much more complicated.
  4. Uncle Al

    Uncle Al TS Evangelist Posts: 4,164   +2,637

    Never did trust it even before Avast bought them out .....
  5. MoeJoe

    MoeJoe Banned Posts: 837   +440

    Avast scooping up Piriform flew under my radar.
    That explains why the rest of the Piriform portfolio has also gone to &^%$ relative to updates and functionality.
    Recuva is junk ware ...
    Last edited: Sep 18, 2017
  6. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,537   +1,069

    Fudge... and I installed it to give it a go after one of the Techspot "essentials" post, even when I never believed in it...
  7. p51d007

    p51d007 TS Evangelist Posts: 1,558   +883

    I thought I had an older version, but when I tried to launch it, Malwarebytes caught it. Uninstalled, it cleaned, scanned, everything clear now.
    That's what happens when the big boys buy up the independents sometimes, things go to crap.
  8. OutlawCecil

    OutlawCecil TS Guru Posts: 455   +303

    Go to Google and type in "ccleaner builds" (without quotes) and always use the portable version. I do because I carry it on USB drive everywhere I go along with all my other useful tools. The portable version seemed unaffected by this malware so it must have required installation or the exe never got infected. It's also nice because there's no monitoring or automation crapware on the portable version.
  9. Julio Franco

    Julio Franco TechSpot Editor Posts: 7,905   +1,118

  10. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 10,465   +4,342

    The last version I downloaded was 5.30. I'm still running version 5.25. I don't understand why they are continually updating. I still haven't decided if Avast buying Piriform is good or bad. I'll probably be haunted by that thought for many years to come, as I continue to use their products.
  11. MoeJoe

    MoeJoe Banned Posts: 837   +440


  12. Puiu

    Puiu TS Evangelist Posts: 3,034   +1,461

    It's annoying that someone did that (most likely an inside job from an ***** dev), but it's the best tool you can get for when you want to clean your temp files, cached files, etc.
  13. mingthem

    mingthem TS Rookie

    Your story and others about this issue ignore the statement on Piriform's site that only the 32 bit version of 5.33 was affected. That doesn't make this a good thing, but it severely limits the number of users potentially affected by this problem.

    I heartily agree that Piriform's acquisition by Avast is potentially a bad thing for CCleaner, until proven otherwise. They are likely to lay off the core developers of the product to save money, as often happens.
  14. jaydear

    jaydear TS Rookie

    All this hubbub about v5.33 yet you still have a download link for that version on your website!!! WTF?
  15. Julio Franco

    Julio Franco TechSpot Editor Posts: 7,905   +1,118

    No, we don't.
  16. mrjgriffin

    mrjgriffin TS Addict Posts: 277   +124

    So if we get infected by 5.33 will upgrading to 5.34 clean the infection? Avast has a lot of standalone tools for specific malware and I am wondering why they didn't release a tool for this? I literally just uninstalled Avast from my PC 2 days ago too, ironic.
  17. MoeJoe

    MoeJoe Banned Posts: 837   +440

    From their website ...

    Made by a company you trust

    Piriform are global leaders in PC optimization software which is so good it's been downloaded in every country worldwide and installed more than 2 billion times.
  18. gspbeetle

    gspbeetle TS Rookie

    Is this the wrong pic used or does it also affect the Android version? I don't even...
    It says version 5.33 affected, that's most likely the PC version.
  19. MoeJoe

    MoeJoe Banned Posts: 837   +440

    Redaction is L o L !
  20. MoeJoe

    MoeJoe Banned Posts: 837   +440

    Copy pasta from other offending sites. It's not an Android app issue. That photo is sloppy, fake news.
  21. captaincranky

    captaincranky TechSpot Addict Posts: 13,785   +3,203

    Not a problem for me. I have version 5.31.6105. I've grown accustomed to patently ignoring update notices, especially those from M$. Ignoring those from Piriform was as easy as falling off a log..

    I should probably change my screen name to "SystemUncompromised", but it's just too damned cumbersome.

    The photo is of a slightly earlier version, but it looks like CCleaner to me.

    So is it a question of "fake news", or merely a "pompous member" problem?

    Is English your 3rd, 4th, or 5th language? :confused:
  22. MoeJoe

    MoeJoe Banned Posts: 837   +440

    When you come late to the party ... you see the revised photo. Bravo.
    And kudos to TS for the mod.

    Originally it was of the Android App - like so many of the other so-called news feeds.
  23. captaincranky

    captaincranky TechSpot Addict Posts: 13,785   +3,203

    Are you suggesting you would have liked me here sooner?

    FWIW, I don't think you'd have had to put up a bunch of nonsense about "fake news", to get them to change it.

    So? Copy and paste is the way of the internet "world". I differentially compare everything I read on the web. Bad habit I suppose, but I don't start flaming about what I've found.

    Even copy and paste news is valuable in most cases. Not to mention that here at Techspot we have you to look out for it for us.

    What I find disturbing, is that you only rarely see responses to the many varied topics in the "Weekend Tech Reading" column. I've seen some pretty darned relevant stuff in there..

    Apparently, if staff doesn't grind it up and spoon feed it to you, (as you feel you're entitled), it won't be read.
  24. MoeJoe

    MoeJoe Banned Posts: 837   +440

    Not going to have a philosophical back & forth with you Cranky.
    Because you are cranky ... and obviously easily triggered by a simple turn of the 'crank'.
    Plus you assume way too much.

    And as far as "worth" and "entitlements" are concerned ... L M A O.
  25. captaincranky

    captaincranky TechSpot Addict Posts: 13,785   +3,203

    You're so deep, I'm jealous. Give us a kiss.

