+32 479670903

Using CCleaner? How to check if you’ve been hacked!

by Pablo Brusseel | September 19, 2017 | 0 Comments
Using CCleaner? How to check if you’ve been hacked!

CCleaner, a popular junk cleaning tool, has been hacked. This means that about 20 million users worldwide have their devices compromised to the attackers. All that by downloading it from the OFFICIAL website!

If you have downloaded CCleaner from August 15 until September 12 2017 then you might want to be slightly worried because your machine has been compromised. The attack is just another supply chain attack where Piriform (may I note, which has recently been acquired by Avast) had it’s official download servers hacked and CCleaner’s installation files swapped with a malicious version built by unknown hackers.

Earlier this year, a similar attack happened for the distribution of the Petya ransomware. Back then, an Ukranian company called MeDoc had it’s supply servers hacked, installing the Petya malware on thousands of computers.

The malware was discovered by Cisco’s Talos Intelligence Group on September 13 and then quickly confirmed by both Piriform and Avast. Both the Windows 32-bit version v5.33.6162 and CCleaner Cloud v1.07.3191 were affected. So check your version number to see if you’re one of the unlucky users.

The malicious software collects all sorts of data and sends it to the attacker’s Command and Control (C&C) servers.

“All of the collected information was encrypted and encoded by base64 with a custom alphabet. The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via a HTTPS POST request.” Paul Yung, V.P. of Products at Piriform.

The malware collects the following information:

  • Computer name
  • List of installed software, including Windows updates
  • List running processes
  • IP and MAC address
  • Information about the privileges the software is running with
  • Is the computer running on 64 bit or not

 

How to remove the malware

Most people will suggest you check your version number to see if you have been compromised. We suggest however, to never take risks when it comes to security and just update right away.

“The impact of this attack could be severe given the extremely high number of systems possibly affected. CCleaner claims to have over 2 billion downloads worldwide as of November 2016 and is reportedly adding new users at a rate of 5 million a week.” – Talos Intelligence

Piriform, however, says that “only” 3% of it’s users have been affected by the breach. We strongly recommend you update your version to version 5.34 or higher, you can do that by downloading the latest version here.