The attack was described by researchers at Cisco Talos as follows: “the legitimate signed version of CCleaner 5.33 … also contained a multi-stage malware payload that rode on top of the installation of CCleaner.” CCleaner’s parent company, Piriform (who was recently bought by terrible antivirus company Avast), acknowledged the issue shortly thereafter.
Since CCleaner claims to have millions of downloads per week, that is potentially a severe issue.
What Does the Malware Do?
The malware did not actively harm systems, but it did encrypt and collect information that could be used to harm your system in the future. In particular, according to Piriform, it created a unique identifier for the computer and collected:
- Name of the computer
- List of installed software, including Windows updates
- List of running processes
- MAC addresses of first three network adapters
- Additional information, such as whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
Was I Affected?
Thankfully, it looks like this malware only affected a certain subset of CCleaner users. In particular, it affected:
- Users running the 32-bit version of the application (not the 64-bit version)
- Users running version 5.33.6162 of CCleaner or CCleaner Cloud 1.07.3191, released on August 15th, 2017
Since many users likely use the 64-bit version of the application, and CCleaner Free does not automatically update, this is good news for a lot of people.
(Update: A few days after this news broke, a second payload was discovered that affected 64-bit users—but it was a targeted attack against tech companies, so it’s unlikely most home users were affected.)
If you are on a 32-bit version of Windows and think you might have downloaded CCleaner during the affected timeframe, here’s how to check what version you have. Open CCleaner and look in the top-left corner of the window—you should see a version number under the program name.
If that version is before version 5.33.6162, then you are not affected, and you should manually download the latest version now. If that version is 5.34 or later, your current version isn’t affected, but if you updated CCleaner in between August 15th and September 12th, and are on a 32-bit system, you may still have been affected. (If you’re comfortable going into the registry, you can open Registry Editor and navigate to HKLM\SOFTWARE\Piriform and see if there is a key labeled Agomo:MUID. If that key exists, it means you had the infected software on your system at one point in time.)
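The version and registry checks described above can also be run from PowerShell. The script below is an added example, not code from the article or from Piriform; it assumes CCleaner.exe is installed under Program Files or Program Files (x86), and it also looks under HKLM\SOFTWARE\WOW6432Node\Piriform because on 64-bit Windows a 32-bit program's writes to HKLM\SOFTWARE are redirected there.

```powershell
# Added example (not from the article or Piriform): a read-only check for the
# indicators the article names. Assumed install paths: Program Files and
# Program Files (x86); both the native and WOW6432Node registry views are examined.

function Find-CCleanerExe {
    $candidates = @("$env:ProgramFiles\CCleaner\CCleaner.exe")
    if (${env:ProgramFiles(x86)}) { $candidates += "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe" }
    return $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
}

function Get-PEMachine([string]$Path) {
    # COFF header Machine field: 0x14C = 32-bit x86 build, 0x8664 = x64 build.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    return [BitConverter]::ToUInt16($bytes, $peOffset + 4)
}

function Test-AffectedVersion($vi) {
    # The article's affected build is 5.33.6162; 6162 may sit in the build or private part.
    return ($vi.FileMajorPart -eq 5 -and $vi.FileMinorPart -eq 33 -and
            ($vi.FileBuildPart -eq 6162 -or $vi.FilePrivatePart -eq 6162))
}

function Find-AgomoMarker {
    # The article's indicator: "Agomo:MUID" under HKLM\SOFTWARE\Piriform. Matched whether
    # it was stored as a value name or as a subkey name.
    foreach ($p in 'HKLM:\SOFTWARE\Piriform', 'HKLM:\SOFTWARE\WOW6432Node\Piriform') {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $values  = (Get-Item -LiteralPath $p).GetValueNames()
        $subkeys = (Get-ChildItem -LiteralPath $p).PSChildName
        if ($values -contains 'Agomo:MUID' -or $subkeys -contains 'Agomo:MUID') { return $p }
    }
    return $null
}

function Invoke-CCleanerCheck {
    $exe = Find-CCleanerExe
    $r = [ordered]@{ Exe = $exe; Version = $null; Is32Bit = $null; AffectedVersion = $false; MarkerAt = $null }
    if ($exe) {
        $vi = (Get-Item -LiteralPath $exe).VersionInfo
        $r.Version = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        $r.Is32Bit = (Get-PEMachine $exe) -eq 0x14C
        $r.AffectedVersion = Test-AffectedVersion $vi
    }
    $r.MarkerAt = Find-AgomoMarker   # non-null means the infected build was present at some point
    return [pscustomobject]$r
}

Invoke-CCleanerCheck | Format-List
```

A non-null MarkerAt is the registry indicator the article describes; Is32Bit plus AffectedVersion reproduces the version check without reading the number off the window.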
What Should I Do?
While nothing immediately harmful was discovered, Cisco Talos recommends restoring your system to a state before August 15, 2017 from a backup if you were affected. You should probably run an antivirus and Malwarebytes scan on your system and your backups to ensure no malware is left installed.
Alternatively, they say, you can reinstall Windows completely—yes, it’s a bit of a nuclear option, but it’s the only way to completely know your system is clean after an event like this.