CCleaner maker apologises after hackers hid malware in its software

The malicious code attempted to connect computers with recently registered web domains.

A security firm has apologised after hackers inserted malicious code into versions of its software that were downloaded by customers.

Piriform, which develops the CCleaner software designed to remove unwanted files from Android phones and Windows PCs, said it had identified “suspicious activity” in two versions of the program which it found had been “illegally modified”.

The malicious code attempted to connect computers with recently registered web domains – a common tool used by hackers to download further malware onto infected computers.

Piriform, which is owned by Avast, claimed it had managed to remove the compromised versions of CCleaner “before it was able to do any harm”.

The company said it first noticed the issue on September 12 and released safe versions of both programs within three days, but the modified version of the software had been available for a month.

Piriform’s Paul Yung said: “We would like to apologise for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191.

“A suspicious activity was identified on September 12 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems.

“Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process.

“We also immediately contacted law enforcement units and worked with them on resolving the issue.”

Yung said the company could not yet confirm how the malicious code had appeared in the software, but an investigation was “ongoing”.

“Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version,” he said.

“Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.

“We are taking detailed steps internally so that this does not happen again, and to ensure your security while using any of our Piriform products.

“Users of our cloud version have received an automated update. For all other users, if you have not already done so, we encourage you to update your CCleaner software to version 5.34 or higher.”

The company said because few users automatically downloaded new versions of the software, the impact of the malicious code had been limited.

But security expert Marco Cova from Lastline said the incident was concerning because of the intimate access gained to Piriform’s software.

“This (incident) is very troublesome because it indicates that attackers were able to control a critical piece of the infrastructure used by the vendor,” he said.

“I expect that a lot of software vendors will be reviewing the security of their build and distribution channels as a consequence of this finding.”