CCleaner downloads are found to be infected with malware, affecting millions

Avast CEO details how CCleaner malware infection was detected, company response

For about 22 days, the CCleaner system maintenance application distributed malware through its official channels. The attackers appear to have compromised the download server for the CCleaner installer, so anyone who downloaded the software through official means during that window also unwittingly downloaded a piece of malware.

Thankfully, if you update your CCleaner to the latest version, you should be fine. Avast was made aware of the malicious code on September 12, but had to act quickly and covertly to neutralize the threat.

“CCleaner is not a product that could be remotely updated like the other Avast products, which means in order to quote ‘fix’ it, we had to shut down the server that it was communicating with. Which, of course, we don’t own that server — it was part of a server farm — so we had to work with law enforcement to get that server shut down,” Avast CEO Vince Steckler told Digital Trends.

Once the code was detected, Avast had to keep it under wraps so the culprit was unaware the company was on to the malware infection.

“The malicious code was a two-stage code, that is it has a rather innocuous component that transmitted some very basic non-personal data, but there was a second stage which allowed the server to transmit any executable [file] to CCleaner for execution, and that’s the dangerous part,” Steckler said.

After finding it and getting the server shut down, Avast could safely announce what had happened without endangering vulnerable customers.

“We started working with law enforcement on late Tuesday [September 12] afternoon, and we got the server shut down on Friday [September 15] of last week. So that deactivated, or rendered meaningless any of this code — then we could safely go out and make an announcement,” Steckler said.

Although malware of all types is most commonly spread through phishing attacks like infected attachments and phony links, a tactic that is seeing a lot of success is the infection of trusted platforms. Whether it’s hijacking legitimate distribution accounts, or in this case the download servers themselves, it leaves the victims vulnerable to infection even if they observe proper personal security practices.

Marco Cova, senior security researcher at Lastline, told Digital Trends that this “is an example of a software supply chain attack, where an otherwise trusted software vendor gets compromised and the update mechanism of the programs they distribute is leveraged to distribute malware.”

According to Cova, an attack like this is among the most damaging. “This is sort of a holy grail for malware authors because they can efficiently distribute their malware, hide it in a trusted channel, and reach a potentially large number of users,” he said. To make matters worse, the nature of the attack “indicates that attackers were able to control a critical piece of infrastructure used by the vendor.” In other words, the hackers likely had broad access to CCleaner’s systems.

Fortunately, the code was detected before it ever had the chance to hijack vulnerable computers, according to Steckler.

“We’ve never detected that second stage being activated, so we do not believe it ever was,” Steckler added. “It was a very sophisticated hack, and I think the fact that it existed for 22 days without detection by anyone just shows how sophisticated it was.”

The payload has several tasks once installed. As Talos describes in its breakdown of the attack, it first lies dormant to evade automated detection systems, then checks whether it has administrator access. If it does not, it shuts itself down to avoid detection; if it does, it gathers information about the system and sends it to a remote server. It then attempts to connect to several other domains, which could lead to the download of further malicious software.

Piriform, the software’s developer, has since issued an apology for the exploit affecting so many of its customers. It warns that anyone running CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 could be affected. It suggests anyone running either version update to the latest release, which has been confirmed to be infection free.
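As an added example (not code from Piriform, Avast or this article) of the check a practitioner would want after reading the advisory, this Python script triages a constructed software inventory against the two affected builds quoted above, normalizing the different ways asset tools print version numbers and flagging records too vague to decide:

```python
"""Triage a software inventory for the CCleaner builds named in Piriform's advisory.

Added example, not code from Piriform, Avast or the article. The inventory
records below are constructed sample data; only the two affected build
numbers come from the advisory.
"""
import re

# Builds named in the advisory: product name -> affected build number.
AFFECTED = {
    "CCleaner": "5.33.6162",
    "CCleaner Cloud": "1.07.3191",
}

def normalize_version(raw):
    """Reduce a version string to its significant numeric components.

    Inventory tools report the same build as "5.33.6162", "5.33.0.6162" or
    "5, 33, 0, 6162"; zero-valued padding components are dropped so they
    compare equal. Returns None when the string holds no usable numbers.
    """
    parts = [int(p) for p in re.findall(r"\d+", raw or "")]
    if len(parts) < 2:
        return None
    if len(parts) == 4 and parts[2] == 0:      # Windows FileVersion style
        parts = [parts[0], parts[1], parts[3]]
    while len(parts) > 3 and parts[-1] == 0:   # trailing zero padding
        parts.pop()
    return ".".join(str(p) for p in parts)

def triage(inventory):
    """Classify each (host, product, version) record into
    'affected' (must update), 'check' (version too vague to decide) or 'clean'."""
    wanted = {name: normalize_version(v) for name, v in AFFECTED.items()}
    result = {"affected": [], "check": [], "clean": []}
    for host, product, version in inventory:
        if product not in wanted:
            continue  # product not named in the advisory
        norm = normalize_version(version)
        if norm is None or norm.count(".") < 2:
            result["check"].append(host)   # no build number: inspect manually
        elif norm == wanted[product]:
            result["affected"].append(host)
        else:
            result["clean"].append(host)
    return result

# Constructed sample inventory; 9999-style versions are placeholders, not real builds.
SAMPLE_INVENTORY = [
    ("ws-101", "CCleaner", "5.33.6162"),
    ("ws-102", "CCleaner", "5.33.0.6162"),   # FileVersion style, same build
    ("ws-103", "CCleaner", "5.99.9999"),     # placeholder for a later build
    ("ws-104", "CCleaner", "5.33"),          # build number missing
    ("ws-105", "CCleaner Cloud", "1.07.3191"),
    ("ws-106", "CCleaner Cloud", "1.99.9999"),
    ("ws-107", "OtherTool", "7.5"),          # unrelated product
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```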

It would also be a good idea to run standard antivirus and antimalware checks with your chosen security software. If you don’t have one or aren’t sure which to opt for, these are some of our favorites. And if you’re a Mac user, you’re not immune; here are our favorite antivirus options for MacOS.

Even though a fix was issued quickly, one of the worst aspects of this sort of attack is that it could reduce the trust people place in legitimate sources and institutions. Piriform was purchased by the antimalware company Avast in July, and the infected CCleaner download was signed with a valid code-signing certificate issued by another antimalware firm, Symantec.

“We rely very much on the trust of our users, we want our users to know that they can continue to trust us to protect and support their computers,” Steckler said. “CCleaner is a great product, it did get compromised, and we will be working with law enforcement here to figure out how it got compromised, and if it’s something we can publicize later on, we will.”

Having the rug pulled out from a legitimate download like this makes it much harder for those with little security knowledge to know where to turn to protect themselves online. If the very companies that purport to do so can aid in the proliferation of malware themselves, who can you trust?

Updated with remarks from Avast CEO Vince Steckler. 

Jon Martindale