Posted on September 18th, 2017
I woke up to an inbox full of email this morning about the computer cleaning application CCleaner. I have used it for many years, and recommend it often. It was announced that they were hacked, and the emails ranged in emotion from “Help!” to “Is this a big deal?” There are numerous online articles discussing the attack, but I found that almost all of them offer nothing of value. They generate panic, sell a few clicks on ads, and we all carry on. I hope for this post to provide some actual details and actions to be taken.
WHAT HAPPENED? Criminal hackers infiltrated CCleaner’s systems to introduce a modified version of the software. This new rogue version contained malware. When a user installed this version, available from August 15, 2017 through September 12, 2017, the user’s system was compromised and infected. The infected systems then continuously sent data to the attackers, including the name of the computer, installed software, and running processes. It does not appear (at this time) to have sent personal data or files. 2.27 million people were using the compromised software.
WHY? This attack was likely part of a larger potential attack. The type of data stolen indicates that the plan may have been to create a large network of compromised computers (a botnet) which could then conduct DDoS attacks or other large-scale actions.
WAS I INFECTED? This is the part that no one is clearly explaining. You must meet ALL of the following criteria to have been impacted:
Windows Computers Only – The Mac version does not appear to have been compromised.
32-Bit Versions Only – If you have a 64-bit processor and use the default 64-bit version of CCleaner, you were not compromised. You can identify your version of Windows easily with THIS GUIDE.
CCleaner 5.33.6162 or CCleaner Cloud 1.07.3191: You are much more likely to have the standard version, but some users may be using the premium cloud version. Opening CCleaner will identify the version in the top of the application.
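If you would rather check the three criteria above from a script than by hand, the following PowerShell is an added example (not code from the original post or from Piriform/Avast). It reads the file version and the PE machine type of the installed executable, so it tells you whether the binary on disk is 32-bit and whether it carries one of the two affected version numbers. The install path under Program Files and the executable name CCleaner.exe are assumptions; point -ExePath at the executable you actually run if yours lives elsewhere.

```powershell
# Added example (not from the original post): checks the three exposure conditions
# listed in the post: Windows, a 32-bit CCleaner binary, and one of the two affected
# version numbers. Assumed (not stated in the post): the default install path under
# Program Files and the executable name CCleaner.exe.

function Test-AffectedVersion {
    param(
        [Parameter(Mandatory)][string]$Version,
        [ValidateSet('CCleaner', 'CCleanerCloud')][string]$Product = 'CCleaner'
    )
    # Affected builds named in the post. File metadata usually carries a four-part
    # form (e.g. 5.33.0.6162), so compare major, minor and the final build number only.
    $affected = @{ CCleaner = @(5, 33, 6162); CCleanerCloud = @(1, 7, 3191) }[$Product]
    $parts = @($Version -split '[^0-9]+' | Where-Object { $_ -ne '' } | ForEach-Object { [int]$_ })
    if ($parts.Count -lt 3) { return $false }
    return ($parts[0] -eq $affected[0] -and $parts[1] -eq $affected[1] -and $parts[-1] -eq $affected[2])
}

function Test-Is32BitPE {
    param([Parameter(Mandatory)][string]$Path)
    # Reads the PE COFF header: the Machine field is 0x014C for x86 and 0x8664 for x64.
    # Returns $null if the file is not a PE image at all.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $null }  # no 'MZ'
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                                         # e_lfanew
    if ($peOffset -lt 0 -or $peOffset + 6 -gt $bytes.Length) { return $null }
    if ($bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45) { return $null }      # no 'PE'
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    return ($machine -eq 0x014C)
}

function Get-CCleanerExposure {
    param([string]$ExePath = (Join-Path $env:ProgramFiles 'CCleaner\CCleaner.exe'))  # assumed path
    $result = [ordered]@{
        Windows       = ($env:OS -eq 'Windows_NT')
        Found         = $false
        Version       = $null
        Is32BitBinary = $null
        Affected      = $false
    }
    if ($result.Windows -and (Test-Path -LiteralPath $ExePath)) {
        $vi = (Get-Item -LiteralPath $ExePath).VersionInfo
        $result.Found         = $true
        $result.Version       = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        $result.Is32BitBinary = Test-Is32BitPE -Path $ExePath
        # All three criteria from the post must hold for the install to be affected.
        $result.Affected      = [bool]$result.Is32BitBinary -and (Test-AffectedVersion -Version $result.Version)
    }
    [pscustomobject]$result
}

Get-CCleanerExposure | Format-List
```

Affected = True means the binary on disk matches all three criteria; Found = False means nothing was at the assumed path and you should pass the real path. The check is done on the executable rather than on the operating system's bitness because a 64-bit Windows install can still carry a 32-bit CCleaner binary, and the post's criterion is the CCleaner build, not the OS.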
WHAT DO I DO NOW? This is the most vital piece that I have found to be missing from every online article. Avast (which owns CCleaner) says there is no need to worry, as they have disabled the rogue server and removed all of the malware with the latest release. That is fine for them, but it does not mean that your computer is clean. I recommend that EVERY CCleaner user, regardless of whether you were actually infected, take the following actions today:
1) Update your version of CCleaner: Open the application and check for updates, installing any updates. This is actually a better action than deleting CCleaner, because their update removes the malware that was installed. Direct Download link: http://download.piriform.com/ccsetup534.exe
2) Install, update, and run Malwarebytes: This will look for any other malware on your system, including any triggered by the CCleaner attack.
3) Run a complete virus scan: For Windows 10 users, I still recommend simply using the default Windows Defender option. Windows 7 users should use Microsoft Security Essentials. No antivirus is perfect, and finding any reputable third-party options gets more difficult every day.
This attack could have been much worse. I am very disappointed in Avast and CCleaner for allowing this to happen. Fortunately, the damage appears to be minimal and eliminating the threat trivial.