Piriform’s CCleaner is a popular computer cleaning and optimizing product that many people use. I have my doubts about the real effectiveness of these utilities, but many of my clients swear by it. I have used CCleaner myself several times as one of the tools I used to clean up a malware infection.
Recently, the CCleaner software code was modified to include a malicious backdoor. This warning was published earlier in one of my Weekend Updates, but, due to the popularity of this product, it warranted a longer article. This affected CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. The software was illegally modified before it was released. The company has initiated an investigation which is ongoing at this time. They have also pushed an update to owners of the affected products. If you have not updated your copy, do it now.
The code modification created a backdoor that was capable of running code downloaded from a server at a remote location on the Internet. Once installed, the malicious code would collect the following information about the local system:
- Name of the computer
- List of installed software, including Windows updates
- List of running processes
- MAC addresses of first three network adapters
- Additional information such as whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
Presumably, this data collection was the first stage in a more involved attack. Piriform says in their blog that they have identified and either taken down or disabled the servers that were responsible for distributing the altered product.
The information provided on the company blog does not indicate whether the distribution servers were company-owned download sites or third-party download sites. But one way to protect yourself from downloading altered software products is to stick with the official company download web sites. Sites such as Major Geeks and Download.com have been on my radar for years because of their habit of pushing additional unwanted crapware on unsuspecting computer users. Now it seems that third-party sites may be trafficking in software containing malicious alterations as well.