What is the Piriform virus?

CCleaner malware

CCleaner is a utility for deleting unwanted files from Windows computers. It removes temporary files that take up disk space, invalid Windows registry entries, and leftovers from uninstalled programs. It is a maintenance tool rather than an antivirus product. In January 2017, CNET awarded the program a “very good” rating.

In September 2017, however, it emerged that CCleaner itself had been compromised. Attackers had inserted malicious code into the legitimate, digitally signed installer so that it collected data from the users who ran it. A tool people install to keep their systems clean had been turned into a serious threat to their confidential and personal data.

The threat in detail

The malicious code, detected by antivirus vendors under names such as Trojan.Floxif, was embedded in two builds of the free products: CCleaner version 5.33.6162 (32-bit) and CCleaner Cloud version 1.07.3191. It worked in two stages: a first stage shipped inside the installer, and a second stage delivered later to selected victims. Because the tampered binaries carried Piriform's valid code-signing certificate, it is believed that the attackers compromised Piriform's build environment rather than the download servers.

According to the published analyses, the first stage collected profiling data from the infected system, including the computer name, the MAC addresses of its network adapters, and lists of installed and running software, and sent it to a command-and-control server hosted in the USA.

Piriform, the CCleaner developer that Avast had acquired in July 2017, learned of the malware on September 12, 2017 and released a clean version, 5.34, the same day. At first the infection was thought to be limited to the versions mentioned running on 32-bit Windows systems, and upgrading to the new release was thought to be sufficient. An estimated 2.27 million users had downloaded the infected build.

However, the company soon realized that the infection was more serious than originally thought. Cisco Talos discovered a second-stage payload. Rather than being pushed to every infected machine, this stage was delivered only to systems whose domain names matched a list of roughly 20 large technology companies, including Google, Microsoft, Cisco, and Intel; Avast later counted about 40 computers that had received it.

Commenting on the payload, Wired wrote: “Cisco claims that it received a digital copy of the hackers' command and control server from an unspecified source involved in the CCleaner investigation. The server contained a database of all compromised computers, which transmitted information to the hackers' computer between September 12 and 16.”

While there is no conclusive evidence identifying who was responsible for the CCleaner malware, investigators found links to a Chinese hacking group known as Axiom.

The CCleaner malware shares code with tools previously attributed to Axiom, and a timestamp on the attackers' command-and-control server pointed to a Chinese time zone. Timestamps are easy to alter, however, so this alone does not establish the origin of the attack.

In addition, the fact that large technology companies were singled out raised concerns that the CCleaner malware was part of a state-sponsored operation. Investigations into those responsible were still ongoing as of the end of 2017.

How do you get rid of CCleaner malware?

When the CCleaner malware was first discovered, users were advised simply to upgrade to the latest version of the program. This advice assumed an isolated incident in which later versions would be safe. Once the second-stage payload came to light, removal and remediation became considerably more complicated: an upgrade replaces the trojanized CCleaner binary, but it does nothing about a second stage that may already have been installed on the system.

For systems that received the second stage, restoring from backup or reimaging may be the only way to be sure the machine is clean. Cisco Talos recommended restoring from backups taken before August 15, 2017, the day the first infected build was released.

At a minimum, uninstall the infected version of CCleaner and run antivirus scans to check that the system is clean. If you decide to reinstall CCleaner, use the latest available version, and in any case 5.34 or later; CCleaner Cloud users should confirm that the agent has updated past 1.07.3191.
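The version check above is easy to get wrong by hand, because a string comparison puts "5.33.6162" after "5.34". The following PowerShell script is an added example for this article, not Piriform or Avast code: it inventories installed CCleaner builds from the Windows Uninstall registry keys, flags the two trojanized versions named above, and flags any CCleaner release below the 5.34 threshold the article gives. It assumes (these details are not from the article) that the installer registers itself with a DisplayName beginning "CCleaner", that the executable is CCleaner.exe inside InstallLocation, and that the build number (6162 or 3191) appears as the third or fourth component of the version.

```powershell
# Added example for this article, not Piriform/Avast code: inventory installed
# CCleaner builds and flag the two trojanized versions named in the text, plus
# any CCleaner release below the 5.34 threshold the text gives.
# Assumptions (not from the article): the installer registers under the
# standard Windows Uninstall keys with a DisplayName beginning "CCleaner",
# the executable is CCleaner.exe inside InstallLocation, and the build number
# (6162 / 3191) appears as the third or fourth version component.
# Run from an elevated PowerShell prompt on the machine being checked.

$TrojanizedBuilds = @{
    'CCleaner'       = [version]'5.33.6162'   # 32-bit CCleaner v5.33.6162
    'CCleaner Cloud' = [version]'1.07.3191'   # CCleaner Cloud v1.07.3191
}
$MinimumSafeCCleaner = [version]'5.34'        # first fixed release named in the article

function ConvertTo-NormalizedVersion {
    # Turn "5.33", "5.33.6162", "5.33.0.6162" or "5, 33, 0, 6162" into a
    # [version]. Comparing [version] objects rather than strings matters:
    # as strings "5.33.6162" sorts after "5.34"; as versions it sorts before.
    param([Parameter(Mandatory)][string]$Text)
    $parts = @($Text -split '[^\d]+' | Where-Object { $_ -ne '' } | Select-Object -First 4)
    if ($parts.Count -lt 2) { $parts += '0' }   # [version] needs at least Major.Minor
    [version]::Parse(($parts -join '.'))
}

function Test-MatchesBuild {
    # True when $Candidate has the same Major.Minor as $Reference and carries
    # the reference build number in either its third or fourth component.
    param([version]$Candidate, [version]$Reference)
    $Candidate.Major -eq $Reference.Major -and
    $Candidate.Minor -eq $Reference.Minor -and
    ($Candidate.Build -eq $Reference.Build -or $Candidate.Revision -eq $Reference.Build)
}

function Get-CCleanerInstalls {
    # Read both the native and the WOW6432Node Uninstall hives, so a 32-bit
    # CCleaner on 64-bit Windows (the trojanized 5.33 was 32-bit only) is seen.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        ForEach-Object {
            $exe = if ($_.InstallLocation) { Join-Path $_.InstallLocation 'CCleaner.exe' }
            # Prefer the binary's numeric version resource (it carries the build
            # number even when DisplayVersion is just "5.33"); fall back to the registry.
            $ver = if ($exe -and (Test-Path $exe)) {
                $vi = (Get-Item $exe).VersionInfo
                [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            } elseif ($_.DisplayVersion) {
                ConvertTo-NormalizedVersion $_.DisplayVersion
            }
            [pscustomobject]@{ Name = $_.DisplayName; Version = $ver; Path = $exe }
        }
}

function Get-CCleanerRiskReport {
    foreach ($install in Get-CCleanerInstalls) {
        $product = if ($install.Name -like 'CCleaner Cloud*') { 'CCleaner Cloud' } else { 'CCleaner' }
        $status = if (-not $install.Version) {
            'UNKNOWN: version could not be read'
        } elseif (Test-MatchesBuild $install.Version $TrojanizedBuilds[$product]) {
            "TROJANIZED: matches $($TrojanizedBuilds[$product]); uninstall, scan, consider restore/reimage"
        } elseif ($product -eq 'CCleaner' -and $install.Version -lt $MinimumSafeCCleaner) {
            "OUTDATED: below $MinimumSafeCCleaner; upgrade before use"
        } else {
            'OK: not one of the flagged builds'
        }
        [pscustomobject]@{ Product = $install.Name; Version = $install.Version; Status = $status }
    }
}

Get-CCleanerRiskReport | Format-Table -AutoSize
```

A TROJANIZED result only tells you the first stage was present; whether the second stage was delivered cannot be decided from the version number alone, which is why the text above recommends restoring or reimaging such machines rather than relying on an upgrade.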

CCleaner is widely used to clear out the clutter that accumulates deep in Windows systems. As this incident shows, however, even trusted utilities are not immune to being turned against the people who install them, and a valid digital signature alone is no guarantee that a download is safe.
