Over the course of four weeks – and 2.27 million downloads – popular PC-cleaning software CCleaner came bundled with malware. Organizations and people using CCleaner need to check their system for signs of the malware infection.
The good news: There is a way to find out if your computer is infected.
The bad news: CCleaner does not actively remove the infection or auto-update the software.
Here’s what you need to know…
What is CCleaner?
CCleaner is a software application that performs routine maintenance on a user’s PC. How-To Geek refers to it as ‘disk cleanup on steroids.’ Various features include:
- Scanning for and deleting temporary files
- Analyzing the system for performance optimization
- Streamlining the management of installed applications
CCleaner is extremely popular (as noted by Cisco Talos in the demographics below), increasing the potential impact of this malware infection. The estimated number of machines affected by the attack described below is 2.27 million.
CCleaner Bundled with Malware
When testing some of their own anti-malware software, the Talos group noticed that CCleaner was sounding alarms and raising red flags. The application was properly signed with a valid signature, but upon closer examination, they discovered an additional application downloading alongside CCleaner.
It turns out the distribution server delivering CCleaner was compromised and malware was added to the download. The Talos group notes that the likely attack scenario was a compromised development environment, which let the attackers insert the malware into the CCleaner download undetected.
The malware included in the CCleaner download is called Floxif. The primary function is to collect various data from infected computers:
- Computer name
- List of installed software
- List of running processes
- MAC addresses for network interfaces
- Unique IDs for the computer
Note: the malware only executes if you are using an account with administrator privileges.
How can I tell if I’m infected?
The malware-bundled CCleaner was available for download from August 15th to September 12th. Anyone downloading or updating the software during that time likely has the malware infection.
The specific downloadable file in question is the 32-bit version of CCleaner v5.33. CCleaner updated to v5.34 on September 12th, closing the window of infected downloads. Again, anyone with version 5.33 needs to update to a newer version and check their machine for the malware files.
Steps to check the registry key for infection
Open the system’s Registry Editor and navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo.
If you have CCleaner installed, you should find a Piriform key under the SOFTWARE folder. Piriform is the original developer of the CCleaner software.
If you have Agomo as a key in the Piriform folder, you are infected with the malware. Under the Agomo key you should find two data values: MUID and TCID. Both are used by the installed malware infection.
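The registry check above, scripted for a fleet or a single host, as an added example that is not part of the original article. It assumes CCleaner is installed in its default folder under Program Files (or Program Files (x86)); the Agomo key path, the MUID and TCID value names, and the affected 5.33 version come from the article. Run it from an elevated PowerShell prompt.

```powershell
# Added example: report the Floxif indicator described in the article.
$agomoPath = 'HKLM:\SOFTWARE\Piriform\Agomo'

# Assumption: default CCleaner install locations (not stated in the article).
$ccleanerCandidates = @(
    (Join-Path $env:ProgramFiles 'CCleaner\CCleaner.exe'),
    (Join-Path ${env:ProgramFiles(x86)} 'CCleaner\CCleaner.exe')
)

function Test-CCleanerFloxifIndicator {
    $result = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        AgomoKeyPresent = $false
        MUID            = $null
        TCID            = $null
        CCleanerVersion = $null
        Verdict         = 'No indicator found'
    }

    # Primary indicator from the article: the Agomo key with MUID and TCID values.
    if (Test-Path -LiteralPath $agomoPath) {
        $result.AgomoKeyPresent = $true
        $props = Get-ItemProperty -LiteralPath $agomoPath
        $result.MUID = $props.MUID
        $result.TCID = $props.TCID
        $result.Verdict = 'Agomo key present: treat host as infected; update CCleaner and follow the remediation steps'
    }

    # Secondary check: is the affected 5.33 build still installed?
    $exe = $ccleanerCandidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if ($exe) {
        # ProductVersion formatting varies ("5.33.6162" or "5, 33, ..."), so match loosely.
        $ver = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        $result.CCleanerVersion = $ver
        if ($ver -match '^5[.,]\s*33\b' -and -not $result.AgomoKeyPresent) {
            $result.Verdict = 'Affected version 5.33 installed: update to 5.34 or later and re-check'
        }
    }

    [pscustomobject]$result
}

Test-CCleanerFloxifIndicator | Format-List
```

An absent Agomo key only means this particular indicator is missing; a host that ran the 5.33 build during the affected window should still be updated and scanned as the article advises.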
Removing CCleaner Malware
The Floxif malware was included in the application’s executable file. Updating CCleaner to v5.34 should rid your system of the malware. As noted above, CCleaner does not have an auto-update process. Affected users will need to proactively install the newer version themselves.
Floxif can install other malware that might steal user credentials. Users should also consider the following security steps after removing the malware:
- Change passwords from another device
- Run a security scan to look for other infections on your machine
- Reinstall Windows to ensure complete removal of malware
The attackers executed a clever and elaborate attack here. A lot of effort was spent to deliver this Floxif malware through legitimate software distribution.
The malware-laced version of CCleaner was legitimately signed and valid. This abuses the trust users must place in software downloaded from reputable vendors. Products like CCleaner don’t usually attract skepticism, giving attackers a crafty way to stay undetected as they deliver their malware.