Because I have recommended Piriform’s CCleaner utility in this blog (and in other blogs and articles) over the years, I must pass this important news along. It seems that a signed version CCleaner 5.33 32-bit, as distributed by Avast, somehow got infected by malware. Because CCleaner 5.33 32-bit carries malicious payload, users should check to see which version they’ve got installed. If they are indeed running a potentially infected version, they should uninstall it immediately. And of course, they’ll also want to run a deep and thorough virus scan as well.
If CCleaner 5.33 32-bit Carries Malicious Payload, Is the 64-bit Version a Risk?
Fortunately, it is not. Here’s what the Properties windows for the 64-bit version looks like. Right-click your CCleaner menu entry or .exe file to see what you’ve got:
The 64-bit version is clearly labeled as such in the .exe filename.
Unless you’re running 32-bit Windows, you’re unlikely to fall prey to this potential infection vector, though. That’s because the CCleaner installer automatically installs the 64-bit version by default on PCs running 64-bit Windows OSes. And today, that represents the majority of PCs running Windows 7, 8, or 10. (Most stats on such things show that only one or two out of every ten PCs runs a 32-bit OS). That said, if a 5.33 download file is present on your machine you’ll want to delete all copies to eliminate any chance of infection. (If present, it’s named ccsetup533.exe, ccsetup533.zip, or ccsetup533_slim.exe) At present, ClamWin AV appears to be the only widely and freely available AV tool that can detect this malware. And sure enough, it found it on my local PCs:
All versions of the CCsetup 5.33 download are likely to be infected: Securely delete them immediately!
Thus, the risk of infection is real and threatening enough to warrant spreading the word. That also means you should take the time to check to see which version is running on PCs with CCleaner installed. The 32-bit version of the program is named “CCleaner.exe” and is around 7 MB in size. By contrast, the 64-bit version is named CCleaner64.exe and is over 9 MB in size. As for myself, I still wait for the “slim” version of CCleaner to come out from Piriform because it includes no added menu extensions or other bloatware in its code base. Those who do likewise would still find the installer file to be infected, however, as shown above. All CCsetup533 versions I found on my PCs were infected.
More Info on CCleaner 5.33 32-bit Carries Malicious Payload
Here’s the announcement that caught my eye at TenForums.com “CCleaner: A Vast Number of Machines at Risk.” It came by way of Tweakhound from the Cisco Talos blog. The Talos post covers the malware payload in detail and also prescribes remediation strategies, for those who may be affected thereby. An easy way to check for infection on suspect machines is to dump the DNS cache to a text file, then to search for domain names that start with the string “ab” (a full list of DGA domains appears at the end of the Talos blog post linked earlier in this paragraph). Likewise, the presence of IP address 220.127.116.11 is also indicative of potential compromise.
Even if you don’t have this problem, it’s still worth reading through the Talos post. It provides a chilling and thorough analysis of how (and why) the incident occurred.