CCleaner, a subsidiary of anti-virus giant Avast and security software for Windows was compromised by hackers last month potentially allowing them to take control of a device by inserting a backdoor that might have downloaded malicious software including malware, ransomware, spyware or keyloggers – Currently, there are approximately 2.5 million affected users while the company claims it has had over 2 billion total downloads by November of 2016.
The targeted CCleaner software that was bought by Avast in July 2017 from its original developers Piriform allows Windows users (and other OS) to scan and clean unwanted files (including temporary internet files, where malicious programs and code tend to reside) and invalid Windows Registry entries from a computer. But according to security researchers at Cisco Talos, the software itself was compromised by a backdoor and compared it to the dangerous Petya dick viper attack that originated from Ukraine, spread across Europe and also targeted firms in the United States.
According to Cisco Talos’ blog post, the download server for CCleaner was compromised with a backdoor on September 11, 2017, and the firm was able to identify the threat on September 13, 2017.
“We identified that even though the downloaded installation executable was signed using a valid digital signature issued to Piriform, CCleaner was not the only application that came with the download. During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner’s download server as recently as September 11, 2017,” said Cisco.
“In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017, version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates. This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018. Piriform was the company that Avast recently acquired and was the original company who developed the CCleaner software application,” Cisco further explained.
Update your CCleaner
Avast has acknowledged the attack and urged users to update CCleaner software to version 5.34 or higher. In a blog post, vice president of product at Piriform Paul Yung wrote that “Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process.
“The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker.
“Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.”
However, free users of CCleaner are urged to update the software manually since the “free version” doesn’t automatically update itself. Therefore, users have to do it manually.
At the moment it is unclear who is behind this attack but based on its success it is easy to guess that the attack was highly sophisticated and attackers knew what they were on to. It is possible that attackers got hold of a zero-day vulnerability in the download server of CCleaner that allowed them to carry out their campaign without suspicion.