Cụ thể, theo
Tập tin thực thi tải xuống có chữ ký hợp lệ của Piriform. Trình cài đặt chứa một “payload độc hại có tính năng Domain Generation Algorithm” (Thuật toán sinh tên miền ngẫu nhiên) cũng như chức năng “Command and Control” đã được mã hoá.
Qua phân tích, Talos Group kết luận rằng payload độc hại đã được phân phối trong thời gian giữa phiên bản 5.33 (ngày 15/8) và phiên bản 5.34 vào ngày 12/9/2017. Họ cho biết có thể “kẻ tấn công bên ngoài đã xâm nhập một phần” trong việc phát triển của Piriform, và sử dụng quyền truy cập để chèn phần mềm độc hại vào bộ CCleaner.
Một lựa chọn khác mà các nhà nghiên cứu xem xét là một nội gián bao gồm mã độc hại. Mã payload độc hại này tạo một khoá Registry ở địa chỉ: HKLM\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\SOFTWARE\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\Piriform\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\Agomo: và dùng nó để lưu nhiều thông tin khác nhau.
Talos Group đã thông báo tình hình cho Avast, công ty mẹ của Piriform. Hiện, Piriform đã khuyến cáo người dùng cần cập nhật phần mềm mới nhất của CCleaner là bản 5.34.
Phiên bản CCleaner 5.33.6162 được công bố vào ngày 15/8 năm nay, bản cập nhật (chưa bị hacker chèn mã độc) được giới thiệu vào ngày 12/9. Trong khi đó bản CCleaner Cloud 1.07.3191 ra mắt vào ngày 24/8, bản cập nhật là ngày 15/9/2017.
Trong thông báo phát đi ngày 18/9, Piriform cho biết những thông tin không nhạy cảm có thể được truyền đến máy chủ ở Mỹ, bao gồm tên máy tính, địa chỉ IP, danh sách những phần mềm đã cài đặt, đang hoạt động, danh sách adapter mạng.
Để kiểm tra độ an toàn cho điện thoại của mình, người dùng CCleaner có thể quét nó trên Virustotal hoặc bằng ClamAV.