Security Issue With CCleaner

Piriform’s CCleaner is a popular computer cleaning and optimizing product that many people use.  I have my doubts about the real effectiveness of these utilities, but many of my clients swear by it.  I have used CCleaner myself several times as one of the tools I used to clean up a malware infection.

Recently, the CCleaner software code was modified to include a malicious backdoor.  This warning was published earlier in one of my Weekend Updates, but due to the popularity of this product, it warranted a longer article.  This affected CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191.  The software was illegally modified before it was released.  The company has initiated an investigation which is ongoing at this time.  They have also pushed an update to owners of the affected products.  If you have not updated your copy, do it now.
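If you look after more than a handful of machines, a quick pass over a software inventory export will show which ones still carry the two affected releases. The script below is an added example, not part of the original article and not Piriform's code; the `host,product,version` CSV layout and the sample rows are constructed assumptions.

```python
import csv
import io

# Affected releases exactly as named in the article.
AFFECTED = {
    "ccleaner": (5, 33, 6162),
    "ccleaner cloud": (1, 7, 3191),
}

# Constructed sample inventory; the column layout is an assumption.
SAMPLE_INVENTORY = """host,product,version
FRONTDESK-01,CCleaner,5.33.6162
ACCT-02,CCleaner,v5.99.1
LAB-03,CCleaner Cloud,1.07.3191
LAB-04,CCleaner Cloud,1.7.3191.0
HR-05,CCleaner,unknown
HR-06,ExampleApp,2.0
"""


def parse_version(text):
    """Return the version as a tuple of ints, or None if it cannot be parsed."""
    parts = text.strip().lstrip("vV").split(".")
    try:
        nums = [int(p) for p in parts]      # int("07") == 7, so 1.07 == 1.7
    except ValueError:
        return None
    while len(nums) > 1 and nums[-1] == 0:  # treat 1.7.3191.0 as 1.7.3191
        nums.pop()
    return tuple(nums)


def triage(inventory_csv):
    """Map each host with CCleaner installed to affected / not_listed / review."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().lower()
        if product not in AFFECTED:
            continue                        # not a CCleaner product
        version = parse_version(row["version"])
        if version is None:
            status = "review"               # unreadable version: check by hand
        elif version == AFFECTED[product]:
            status = "affected"
        else:
            status = "not_listed"
        results[row["host"]] = status
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `review` have a version string the script could not read and should be checked manually rather than assumed clean.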

The code modification created a backdoor that was capable of running code downloaded from a server at a remote location on the Internet.  Once installed, the malicious code would collect the following information about the local system:

  • Name of the computer
  • List of installed software, including Windows updates
  • List of running processes
  • MAC addresses of first three network adapters
  • Additional information, such as whether the process is running with administrator privileges, whether it is a 64-bit system, etc.

Presumably, this data collection was the first stage in a more involved attack.  Piriform says in their blog that they have identified and either taken down or disabled the servers that were responsible for distributing the altered product.

The information provided on the company blog does not indicate whether the distribution servers were company-owned download sites or third-party download sites.  But one way to protect yourself from downloading altered software products is to stick with the official company download web sites.  Sites such as Major Geeks and have been on my radar for years because of their habit of pushing additional unwanted crapware on unsuspecting computer users.  Now it seems that third-party sites may be trafficking in software containing malicious alterations, as well.

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
