CCleaner has been infected with malware

[German]Piriform's cleaning tool for Windows, CCleaner, now belonging to Czech Anti Virus vendor AVAST, has been compromised and served malware for a month.


My credo is: keep your fingers off to system cleaners – but many users swear at CCleaner from Piriform. This free system cleaner for Windows is often used by many users. Some time ago, CCleaner was taken over by the Czech security company AVAST.

(Source: Talos)

Some versions of CCleaner app, downloaded between August 15. and September 12, 2017 has been delivered with an infected Floxif malware installer. This was published by a new report vom Cisco Talos.

The malware then retrieved additional code from the malware server and transmitted data such as the IP address, computer name, installed software and existing network adapters to a server in the USA. This happened from August 15, 2017 with CCleaner 5.33 and from August 24, 2017 with CCleaner Cloud 1.07.

Talos assumes that the server through which the CCleaner installer was distributed was compromised. The installer was signed with a valid certificate. Piriform has confirmed this incident today within a blog post. According to the blog post, only 32 bit Windows version has been affected. The malware has been found in CCleaner version 5.33.6162 and CCleaner Cloud Version 1.07.3191. Newer versions of CCleaner are free of malware. AVAST says, that 3 % of all CCleaner installs are effected – but this are 2.27 million affected machines. AVAST intends to add a new signature to its antivirus scanners and will inform affected users. Further details may be found at the report from Cisco Talos and at Bleeping Computer.


Addendum: AVAST has posted this article, explaining further details about the hack. Details about the backdoor may be found at

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

3 Responses to CCleaner has been infected with malware

  1. Kat says:

    Interesting news about CCleaner, which makes me wonder after an incident that occurred recently.

    Last Tuesday (Sept 12), I downloaded the most recent version of the 32-bit CCleaner (v5.34) on a Windows 7 (32-bit) machine. When I initiated a reboot – unrelated to the new CCleaner update since it's not required – Avast anti-virus software was automatically (and mysteriously) installed after the reboot. Since the only change I've made to my machine was the installation of CCleaner, it appears Avast AV installation file may have piggybacked on the CCleaner 3.34 (32-bit) download as the date and time of the installation are nearly identical.

    The above mentioned incident – in addition to the recent news of CCleaner being infected with malware – raises a question of whether it's possible the malicious code was a part of CCleaner (v5.33) and was intended to collect data (computer name, IP address, list of installed software, list of active software etc) as a shady business practice on Avast's end to have it piggyback with CCleaners monthly version update then automatically installed?

    I'm not a conspiracy theorist by any stretch of the imagination but the type of non-sensitive data procured by this malware would only serve other software vendors like Avast as a way of mining information for a companies benefit.

  2. Kat says:

    Thanks for the additional info.

    "Some media reports suggest that the affected systems needed to be restored to a pre-August 15th state or reinstalled/rebuilt. We do not believe this is necessary. (About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines.) Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary. Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary. By similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer."

    Perhaps the unrequested AVAST AV download that piggybacked on the updated CCleaner version (3.34) I experienced was simply the company's attempt in mitigating the malicious code on infected machines.

    If Avast was a little more transparent at the time they were informed of the hack, perhaps speculation wouldn't be so rampant.

Leave a Reply

Your email address will not be published. Required fields are marked *