During beta testing of a new security tool, Cisco Talos discovered malicious code in the 32-bit version of the CCleaner 5.33 installer by London-headquartered Piriform, now part of Avast. CCleaner has more than 2 billion downloads worldwide and is downloaded as often as 5 million times per week.
In the period before detection, the affected version of CCleaner was downloaded about 2.27 million times.
In June 2017, Microsoft confirmed that, in some cases, NotPetya hijacked the auto update facility of the M.E.Doc tax accounting software that is widely used in Ukraine, which is why the country was particularly hard hit. Piriform said it's working with U.S. law enforcement to determine who was responsible for the bug.
As a security notification on CCleaner's support forum explains, CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were compromised.
"The compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters) to a third-party computer server in the USA".
Thousands of Australians are today finding out that the CCleaner software they downloaded to fix and clean up their PCs has unwittingly installed malware.
"To the best of our knowledge, we were able to disarm the threat before it was able to do any harm", Yung says. We strongly recommend that our readers update their CCleaner app to the latest version.
"If even a small fraction of those systems were compromised an attacker could use them for any number of malicious purposes", Talos added.
"Users of our cloud version have received an automated update". The report said the malicious version was hosted on the servers for download as recently as September 11, after which a new version of the software was released (version 5.34).
But security expert Marco Cova from Lastline said the incident was concerning because of the intimate access gained to Piriform's software.
"At this stage, we don't want to speculate how the unauthorised code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it", Piriform wrote on its blog. "We are working with U.S. law enforcement in their investigation", the company said.
Updated versions of CCleaner and CCleaner Cloud have since been released; users of the former should download version 5.34 of CCleaner if they've not already done so, while CCleaner Cloud customers will have already received the update to 1.07.3214.
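As an added example (not code from Piriform, Avast or Talos), the script below triages a software inventory against the builds named in this article: it flags the compromised builds themselves and anything still older than the fixed versions. The inventory format and host names are constructed assumptions.

```python
# Added example (not Piriform/Avast or Talos code): triage an install inventory
# against the CCleaner builds named in the article. Inventory lines are constructed.
from typing import List, Tuple

# Builds the article names as compromised; only the 32-bit CCleaner installer is.
AFFECTED = {("CCleaner", "5.33.6162"), ("CCleaner Cloud", "1.07.3191")}
# Versions the article says users should be on.
FIXED = {"CCleaner": "5.34", "CCleaner Cloud": "1.07.3214"}

def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted version string -> tuple of ints, so '1.07.3191' compares numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def version_lt(a: str, b: str) -> bool:
    """True if a is older than b; shorter versions are padded with zeros."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))

def triage(product: str, version: str, arch: str) -> str:
    """Classify one install as 'affected', 'outdated', 'current' or 'unknown'."""
    if product not in FIXED:
        return "unknown"
    if (product, version) in AFFECTED and (product != "CCleaner" or arch == "x86"):
        return "affected"   # the trojanised build itself
    if version_lt(version, FIXED[product]):
        return "outdated"   # older than the clean release the article points to
    return "current"

def triage_inventory(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse 'host;product;version;arch' lines into (host, verdict) pairs."""
    results = []
    for line in lines:
        host, product, version, arch = [f.strip() for f in line.split(";")]
        results.append((host, triage(product, version, arch)))
    return results

# Constructed inventory (hypothetical hosts), not real telemetry.
SAMPLE_INVENTORY = [
    "ws-01;CCleaner;5.33.6162;x86",
    "ws-02;CCleaner;5.33.6162;x64",
    "ws-03;CCleaner;5.34;x86",
    "ws-04;CCleaner Cloud;1.07.3191;x64",
    "ws-05;CCleaner Cloud;1.07.3214;x64",
    "ws-06;OtherApp;2.0;x64",
]

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {verdict}")
```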