Avast-owned CCleaner has not been clean itself lately: attackers piggybacked malware on the maintenance tool for roughly a month. Because the utility is free, its downloads run well into the millions, meaning up to 3.9 million users could be affected.
Researchers at Cisco's Talos Intelligence Group determined that the compromised builds were distributed from 15 August until 12 September, affecting CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191. Given the application's popularity, the researchers moved quickly, and developer Piriform released CCleaner 5.34 and pushed an automatic update to CCleaner Cloud users.
The researchers found a "Domain Generation Algorithm (DGA) attached to the executable, as well as a hardcoded Command and Control (C2) functionality." This gave the attackers the ability to harvest data from infected machines, such as the computer name, IP address, and lists of installed and active software. Piriform describes this data as "non-sensitive", adding that there are "no indications that any other data has been sent to the server." Note that this describes what was observed leaving affected machines, not what the C2 channel was capable of delivering to them, which is why a working backdoor is worse than the harvested fields alone suggest.
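To make the DGA-plus-hardcoded-C2 design concrete, here is an added example (not code from the article, from Talos or from Piriform, and not the algorithm recovered from CCleaner). The seed, domains and addresses are invented, and the log lines are constructed inline. It shows why a DGA matters to defenders: because the domain is a pure function of a seed and the calendar month, anyone who recovers the seed can precompute every domain the implant will try and then hunt for them, alongside the fallback IP, in DNS and connection logs.

```python
"""Illustrative time-seeded DGA with a hardcoded fallback C2, plus the matching
detection logic. Not CCleaner's real algorithm; all indicators are made up."""
import hashlib
import re

# Hypothetical values; the real indicators from the CCleaner case are not used.
SEED = b"illustrative-seed"
HARDCODED_C2 = "203.0.113.10"      # TEST-NET-3 range, constructed for this example
TLDS = ("com", "net", "org")


def dga_domain(year, month, seed=SEED):
    """One domain per calendar month, derived deterministically from the seed.
    Defenders who extract the seed from the binary can generate the same set."""
    digest = hashlib.sha256(seed + f"{year:04d}-{month:02d}".encode()).digest()
    label = digest[:6].hex()                     # 12 hex characters
    return f"{label}.{TLDS[digest[6] % len(TLDS)]}"


def expected_domains(start_ym, end_ym):
    """All DGA domains for the months from start_ym to end_ym inclusive,
    each given as a (year, month) tuple."""
    domains = set()
    year, month = start_ym
    while (year, month) <= end_ym:
        domains.add(dga_domain(year, month))
        month += 1
        if month > 12:
            year, month = year + 1, 1
    return domains


# Two constructed log formats:
#   DNS:  <ts> dns <client-ip> <qname>
#   CONN: <ts> conn <client-ip> <dest-ip>:<dest-port>
DNS_RE = re.compile(r"^(?P<ts>\S+) dns (?P<src>\S+) (?P<qname>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) conn (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+)$")


def scan_logs(lines, domains, c2_ip):
    """Return (client, indicator, reason) for every line that resolves a
    precomputed DGA domain or connects directly to the hardcoded C2 address."""
    hits = []
    for line in lines:
        line = line.strip()
        m = DNS_RE.match(line)
        if m:
            qname = m["qname"].rstrip(".").lower()   # tolerate trailing dot
            if qname in domains:
                hits.append((m["src"], qname, "dga-domain"))
            continue
        m = CONN_RE.match(line)
        if m and m["dst"] == c2_ip:
            hits.append((m["src"], f'{m["dst"]}:{m["port"]}', "hardcoded-c2"))
    return hits


# Constructed sample log spanning the reported campaign window.
SAMPLE_LOG = [
    "2017-08-20T09:15:02Z dns 10.0.0.5 www.example.com.",
    f"2017-08-20T09:15:07Z dns 10.0.0.5 {dga_domain(2017, 8)}.",
    "2017-09-03T11:40:41Z conn 10.0.0.9 93.184.216.34:443",
    f"2017-09-03T11:41:00Z conn 10.0.0.9 {HARDCODED_C2}:443",
    "2017-09-12T08:00:00Z dns 10.0.0.12 mail.example.org.",
]


def campaign_hits():
    """Hits in the sample log for the August to September 2017 window."""
    return scan_logs(SAMPLE_LOG, expected_domains((2017, 8), (2017, 9)), HARDCODED_C2)


if __name__ == "__main__":
    for src, indicator, reason in campaign_hits():
        print(f"{src}  {reason:<13} {indicator}")
```

In practice the precomputed domain list goes to a DNS sinkhole or blocklist, and the connection scan is the fallback for implants that skip DNS and dial the hardcoded address directly; the two checks together cover both paths the article describes.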
Curiously, the trojanised build was still digitally signed with a valid Piriform certificate, prompting Cisco's Talos researchers to conclude that "it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization." A valid signature only proves the signing key was used; it says nothing about whether the code that was signed had been tampered with before it reached the signing step.
Alternatively, “It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code,” the researchers added.
In a statement to TechCrunch, an Avast spokesperson said an estimated "2.27 million users had the affected software installed on 32-bit Windows machines," a figure that rises to 3.9 million when combined with Piriform's statement that the affected software could have been "used by up to 3% of [its] users". Avast now believes that "these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm."
Nevertheless, Cisco's Talos recommends restoring affected systems to a state before 15 August 2017 or reinstalling them altogether, the reasoning being that updating removes the trojanised binary but not anything a C2 channel may already have delivered.
KitGuru Says: Although played down a bit regarding non-sensitive information, backdoor access in any software that potentially allows for outside control is serious business. Just the thought of it has me tempted to run a full reinstall despite not touching the software in a long while. Always proceed with caution when downloading free software, even when the source is reputable, but rest assured that Avast is doing its best to control damages and protect customers.