CCleaner malware: How dangerous is it to enterprises?

A watering hole attack led to CCleaner malware being installed on millions of systems. Nick Lewis explains how the attack worked and why it should concern enterprises.

The CCleaner malware, which placed a backdoor in the widely used system maintenance tool, appears to be more serious than was first thought. Why is the CCleaner malware so dangerous? Should enterprises shy away from using tools like CCleaner?

Software and supply chain security are critical parts of an enterprise's information security program. One common security recommendation is to know what software or systems your enterprise is using so that you know what needs to be secured. Some software may be managed by the enterprise, some may be used by the help desk to fix systems, and some may be used by employees without the knowledge or approval of the enterprise IT department.

Sometimes, the help desk will use tools to investigate an endpoint that may have been infected with malware, and one of those tools is CCleaner. CCleaner software is usually only installed on a few endpoints in an enterprise, but the organization could lose track of the software. Given that CCleaner is used so widely, it's a target for a watering hole attack.

A recent watering hole attack was disclosed in detail by Avast Software, Morphisec and Cisco. The disclosures described how an attacker was able to gain access to Piriform Software Ltd.'s software development environment and add malware to the legitimate CCleaner software. (Avast acquired Piriform last summer.) Morphisec notified Avast of suspicious connections from CCleaner, prompting an investigation.

Any time an enterprise is notified of an attack that it didn't detect internally, it is a bit concerning, but not surprising. Of the nearly 2.27 million systems that installed the impacted CCleaner, only 40 systems were infected, and most of the systems that installed the impacted CCleaner got an auto-update from Avast that removed the malicious version, which shows one perk of auto-updates.

However, enterprises that didn't have the software auto-updated needed to manually remove it from the impacted systems. In addition to being installed on more than 2 million systems, the CCleaner malware is dangerous because it can place a backdoor on infected systems, and that backdoor appears legitimate because it is signed with one of Piriform's own digital certificates.

The CCleaner malware is also concerning as it demonstrates the complex relationship between software security and downstream impact. Enterprises need to understand that any piece of software -- or any update -- could be the source of an attack on their system. This calls for a careful evaluation of software security best practices, such as the software build and distribution methods, for any piece of software installed on their systems.

Furthermore, enterprises should be wary of vendors that do not share certification or get certified for their software development lifecycle, and they should carefully assess any software installed in their environment.
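
One way to find the hosts that still need manual removal, as an added example that is not part of the original article: the script below checks a software-inventory export against the two affected builds named in the vendor reply in the comments on this page (CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191). It keys on version rather than signature status, because the backdoored build carried a valid Piriform signature; the CSV column names, host names, sample rows and version formats are constructed assumptions.

```python
import csv
import io
import re

# Affected builds as stated in the vendor reply on this page.
AFFECTED = {
    "ccleaner cloud": (1, 7, 3191),
    "ccleaner": (5, 33, 6162),
}

def classify(product, version):
    """Return 'AFFECTED', 'REVIEW' or 'CLEAR' for one inventory row."""
    name = product.lower()
    # Longest name first, so "CCleaner Cloud" is not judged by the desktop build.
    key = next((k for k in sorted(AFFECTED, key=len, reverse=True) if k in name), None)
    if key is None:
        return "CLEAR"
    major, minor, build = AFFECTED[key]
    # Inventory tools format versions differently (5.33.6162, 5.33.0.6162, 5.33),
    # so compare numeric fields instead of raw strings. (Assumed formats.)
    nums = [int(n) for n in re.findall(r"\d+", version)]
    if len(nums) < 3:
        # Build number missing: cannot rule the host in or out from inventory alone.
        return "REVIEW" if nums == [major, minor][:len(nums)] else "CLEAR"
    hit = nums[:2] == [major, minor] and nums[-1] == build
    return "AFFECTED" if hit else "CLEAR"

def scan(inventory_csv):
    """Return (host, product, version, verdict) for every row that is not CLEAR."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        verdict = classify(row["product"], row["version"])
        if verdict != "CLEAR":
            findings.append((row["host"], row["product"], row["version"], verdict))
    return findings

# Constructed sample export; host names, columns and rows are illustrative.
SAMPLE = """host,product,version
HD-LAPTOP-01,CCleaner,5.33.6162
HD-LAPTOP-02,CCleaner,5.34.6207
FIN-PC-07,CCleaner,5.33
OPS-PC-03,CCleaner Cloud,1.07.3191
OPS-PC-04,7-Zip,5.33.6162
DEV-PC-11,CCleaner,5.33.0.6162
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep="\t")
```

Rows marked REVIEW lack a build number in the inventory and need the installed binary's version checked on the host itself.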

This was last published in March 2018

Join the conversation


How will the CCleaner watering hole attack impact your use of the tool?

The malware CCleaner was infected with is no longer active, and therefore CCleaner business and consumer users are no longer at risk. As soon as we were made aware of the security compromise in September last year, we worked immediately to neutralize any threat to our users by:

Working with law enforcement to shut down the server the non-sensitive data was being transmitted to, so the malware was disarmed

Taking multiple steps to update users who had the affected versions

Working with law enforcement to identify the source of the attack

We then built CCleaner in a new infrastructure and released it with a new digital certificate.

It is typical and unfortunate that attackers choose to target widespread and trusted software like ours, but CCleaner’s new build environment is clean and CCleaner is safe to use.

How can we tell if we are infected and what version was the malware on? Thanks


The compromise was detected in September 2017 and isolated to CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. We immediately took steps to neutralize any risk, including shutting down the server that non-sensitive data was being transmitted to, so if you were on these versions, you have nothing to worry about.

We communicated updates on our blog:

Avast Threat Labs are continuing investigations into the source of the attack and sharing updates on their blog:

Since then, CCleaner has been built in a new, clean environment and is safe to use.

Yikes! A popular software utility developed in a programming environment that was compromised by hackers, who managed to insert malware code without the developer's awareness, and then automatically published to users over the internet. And only discovered later by a 3rd party security company!

Yet another wake-up call that software (and hardware) developers need to implement more secure development environments & security procedures. And a warning to network admins that every piece of code & every hardware device connected to your network is a potential attack vector. How to stay on top of network security seems like a nearly impossible task.

If something like this gets into your network, how on earth can you detect a newly created backdoor? What affordable backdoor detection tools are available for SMBs who are mandated to protect customer data on their networks?