CCleaner infected with Malware

19/09/2017
Lee Sanders

Founder of Computer Consultant Professionals and with over 20 years of industry experience, Lee specialises in tailored technology solutions that help businesses grow.

About the Attack:

Piriform released an announcement yesterday (18th September, 2017) informing users that CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 had been compromised: an attacker managed to place malicious code inside the official CCleaner releases. Users who installed either of these versions, an estimated 2.27 million people, may have had non-personally identifiable information stolen, such as which software is installed, which programs were running and more. Ultimately, it appears the infection was intended to act as a Command & Control style implant, allowing a remote operator to issue commands to infected machines, a setup commonly used to launch attacks against other systems.

So far there has been no statement as to how the malicious code got into the release, but Piriform has stated that they are working with US law enforcement and that there is no evidence the control servers (which have now been shut down) did any harm.

Security company Avast acquired Piriform in July, and a spokesperson from Avast told TechCrunch: “We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.”

Removing the Infection:

Uninstalling CCleaner will remove the registry keys and the infected executable. Upgrading CCleaner will only replace the infected executable with a non-infected version, as reported by Bleeping Computer. Advice from Talos Intelligence suggests the only way to be safe is to revert to a previous backup or reinstall your computer.

We are currently investigating these claims. At this time, we recommend uninstalling CCleaner and using virus scanning software to detect and remove any infected files.

Advanced users can find out whether they are currently infected by checking if the following registry keys exist:

HKLM\SOFTWARE\Piriform\Agomo\MUID
HKLM\SOFTWARE\Piriform\Agomo\TCID
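As an added example (not from the original post, nor from Piriform or Avast), the PowerShell check below looks for the two registry values listed above and for an installed CCleaner.exe whose file version matches one of the affected builds named in this post. The default install paths and the way the version string is normalised before comparison are assumptions.

```powershell
# Added example: detection-only check for the CCleaner indicators named in this post.
# Registry values listed above (assumed to be present only on affected installs).
$IndicatorValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Piriform\Agomo'; Name = 'MUID' },
    @{ Path = 'HKLM:\SOFTWARE\Piriform\Agomo'; Name = 'TCID' }
)

# Affected builds from the post: CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191.
# Patterns tolerate an optional ".0" revision field and a dropped leading zero,
# since PE version strings may be reported as e.g. "5.33.0.6162" (assumption).
$AffectedVersionPatterns = @('^5\.33(\.0)?\.6162$', '^1\.0?7(\.0)?\.3191$')

# Assumed default install locations of the 32-bit and 64-bit installers.
$CandidateBinaries = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
)

function Test-CCleanerIndicators {
    $findings = @()

    # 1. Registry values created by the compromised build.
    foreach ($iv in $IndicatorValues) {
        $item = Get-ItemProperty -Path $iv.Path -Name $iv.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $findings += "Registry value present: $($iv.Path)\$($iv.Name)"
        }
    }

    # 2. Installed binary reporting an affected file version.
    foreach ($bin in $CandidateBinaries) {
        if (-not (Test-Path -Path $bin)) { continue }
        $raw = (Get-Item -Path $bin).VersionInfo.FileVersion
        # Normalise "5, 33, 0, 6162" / "5.33.0.6162" style strings to dot-separated digits.
        $ver = ($raw -replace '[^\d]+', '.').Trim('.')
        foreach ($pattern in $AffectedVersionPatterns) {
            if ($ver -match $pattern) {
                $findings += "Affected build installed: $bin (file version $raw)"
            }
        }
    }

    return $findings
}

$results = @(Test-CCleanerIndicators)
if ($results.Count -eq 0) {
    Write-Output 'No CCleaner compromise indicators found.'
} else {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; a non-zero exit code lets it be used as a check in a fleet-wide scan.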

We have already scanned all of our clients' machines and removed CCleaner wherever an infected copy was found. We will be deploying advanced scanning methods this week to ensure our clients stay safe.

You can contact us today to find out more about our maintenance and security services to ensure your business stays safe.
