CCleaner: Extremely popular cyber security program infected millions of users with a virus

A highly embarrassing error for the program

Aatif Sulleyman
Friday 22 September 2017 13:44 BST
Refuge, which is the UK’s largest provider of shelters for domestic abuse victims, says the problem is growing
Refuge, which is the UK’s largest provider of shelters for domestic abuse victims, says the problem is growing (Getty/iStock)

More than two million people used an extremely popular software cleaning tool that had been infected with malware.

CCleaner was compromised “in a sophisticated manner” in August, and the problem was only spotted and fixed in mid-September.

It's available on Android and Mac, but only the Windows version was affected.

Piriform, which is owned by Avast and develops the software, has fixed the issues and apologised to users.

“We estimate that 2.27 million people used the affected software,” said Piriform. “We resolved this quickly and believe no harm was done to any of our users.”

The malicious code attempted to connect computers with recently registered web domains – a common tool used by hackers to download further malware onto infected computers.

“Our new parent company, the security company Avast, determined on the 12th of September that the 32-bit version of our CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner,” it said.

The company says it released safe versions of both programs within three days, but the modified version of the software had been available for a month.

It added: “The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a 3rd party computer server in the USA.

“We have no indications that any other data has been sent to the server. Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done.”

It’s a particularly embarrassing error, because people use CCleaner to clean up their devices.

Piriform's vice president of products, Paul Yung, said: "We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191.

"A suspicious activity was identified on September 12 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems.

"Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process.

"We also immediately contacted law enforcement units and worked with them on resolving the issue."

Mr Yung said the company could not yet confirm how the malicious code had appeared in its software and “would not like to speculate”, but added that an investigation was "ongoing".

"Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we're moving all existing CCleaner v5.33.6162 users to the latest version," he said.

"Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.We are taking detailed steps internally so that this does not happen again, and to ensure your security while using any of our Piriform products.

"Users of our cloud version have received an automated update. For all other users, if you have not already done so, we encourage you to update your CCleaner software to version 5.34 or higher."

The latest version of CCleaner is available to download here.

Additional reporting by PA

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in