Two versions of popular cleanup tool CCleaner for 32-bit Windows machines contained well-hidden malware.
The regular and cloud-based versions of CCleaner, which has been downloaded over 2 billion times worldwide as of November 2016 and adds about 5 million new users a week, have since been patched, and the US-based server to which the malicious code sent system information has been shut down.
According to security researchers at Cisco Talos, who spotted the code, the malware was hidden so cleverly within an update that the installer was signed with a legitimate Symantec-issued certificate. "Upon closer inspection, the executable in question was the installer for CCleaner v5.33, which was being delivered to endpoints by the legitimate CCleaner download servers," the Cisco Talos team says.
Cisco Talos says the malicious version of CCleaner was released on Aug. 15; it notified Piriform—CCleaner's UK-based developer, which was acquired by Avast in July—on Sept. 13 and the server was shut down.
Piriform revealed that the malware collected system information, including lists of installed software and Windows updates, MAC addresses of network adapters, PC names and information from the Windows registry key, all of which was sent to a remote server.
"The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we're moving all existing CCleaner v5.33.6162 users to the latest version [5.34]," Piriform's vice president of products, Paul Yung, said in a post. "Users of CCleaner Cloud version 1.07.3191 have received an automatic update [to 1.07.3214]. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm."
While such information isn't sensitive in itself (i.e. it can't be used to personally identify you), it's nonetheless useful to hackers who want a better picture of the types of systems potential targets are running.
Cisco Talos suspects the attack was made possible either by a compromise of CCleaner's build environment or by someone with inside access. Piriform did not immediately respond to a request for comment on the attack's distribution and where most affected systems were located.
Updated versions of CCleaner and CCleaner Cloud have since been released; users of the former should download version 5.34 of CCleaner if they've not already done so, while CCleaner Cloud customers will have already received the update to 1.07.3214.
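A quick way for an administrator to check whether a machine still carries one of the builds named above, as an added example that is not from the article or from Piriform/Avast. It assumes the standard Windows uninstall registry keys and that the uninstall entry's DisplayName begins with "CCleaner"; the version numbers are the ones given in the text.

```powershell
# Added example (not from the article or from Piriform/Avast). Registry paths and
# property names are the standard Windows uninstall locations; the DisplayName
# match and the CCleaner.exe filename are assumptions.

# Builds the article identifies as carrying the malicious code.
$affected = @{
    'CCleaner'       = [version]'5.33.6162'
    'CCleaner Cloud' = [version]'1.07.3191'
}

function Get-CCleanerInstalls {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-AffectedVersion {
    param([string]$Name, [string]$Version)
    $parsed = $null
    if (-not [version]::TryParse($Version, [ref]$parsed)) { return $false }
    foreach ($product in $affected.Keys) {
        $bad = $affected[$product]
        # A two-part DisplayVersion (e.g. "5.33") is treated as matching the affected build.
        $sameBuild = ($parsed.Build -lt 0) -or ($parsed.Build -eq $bad.Build)
        if ($Name -like "$product*" -and $parsed.Major -eq $bad.Major -and
            $parsed.Minor -eq $bad.Minor -and $sameBuild) { return $true }
    }
    return $false
}

foreach ($app in Get-CCleanerInstalls) {
    $flag = if (Test-AffectedVersion $app.DisplayName $app.DisplayVersion) { 'AFFECTED' } else { 'ok' }
    '{0,-16} {1,-12} {2}' -f $app.DisplayName, $app.DisplayVersion, $flag

    # Authenticode alone is not a sufficient check here: the article notes the
    # malicious 5.33 installer carried a legitimate Symantec-issued signature,
    # so a "Valid" status does not clear a machine; the version check does.
    if ($app.InstallLocation) {
        $exe = Join-Path $app.InstallLocation 'CCleaner.exe'
        if (Test-Path $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            '  signature: {0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject
        }
    }
}
```

Run it in an elevated session so both the 64-bit and WOW6432Node uninstall hives are readable.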