After Hack, Registry-Cleaning App CCleaner Infected Users With Malware

When you download an app meant to clean your computer, you assume that it’s supposed to remove junk from your machine, not add more. Yet for about a month, downloads of the popular program CCleaner came with a free bonus dose of malware, installed on millions of PCs around the world.

Clean up some crap, add some crap

CCleaner is a shortened and cleaned-up name; the program was once better known as “Crap Cleaner.” The security software company Avast recently acquired the company that created it, Piriform.

It helps speed up systems, remove temporary files, and uninstall programs so that they are fully removed from the system. It’s a free app with paid upgrades that unlock more features, and has been downloaded billions of times.

The compromised version of the program was distributed between Aug. 15, 2017 and Sept. 11, 2017. It was part of the Windows and cloud versions of CCleaner, distributed as version 5.33.6162. Yes, the malware installer piggybacked on the official versions of the app.

Since the compromised program came with a genuine Norton signature and was on the company’s servers, the investigation shows that baddies probably gained access to the company’s systems either by posing as one of its developers or using a developer’s login to add the extra malware to the program.

So what should I do?

Piriform pushed a malware-free version of the program to users, and you should make sure that you’ve updated your copy to the latest version if you’re a CCleaner user.

The good news is that the malware was two-stage, and the malicious program hadn’t been installed on target computers… yet. Piriform and other experts believe that the end game here was probably to stage a future botnet attack on an outside target, turning your PC into part of a zombie army attacking… someone.

If you want the super-technical details of how the malware worked and how this happened, read up at Cisco Talos, the research group that discovered the mostly-hidden malware, and Piriform’s news site.