CCleaner, distributed by anti-virus firm Avast, contained malicious backdoor

Graham Cluley

CCleaner is a popular Windows utility used by many millions of internet users to remove cookies, wipe browsing histories, and clean up temporary internet files where malware might be lurking.

It’s the kind of tool that many tech-savvy Windows users rely upon to speed up and optimise their PCs.

It’s not the sort of program that they expect to introduce malware onto their systems. But unfortunately, that’s precisely what appears to have occurred.


CCleaner has suffered a “security incident” in which users were updated to a legitimate, digitally-signed version of the software that opened a malicious backdoor.

The scale of the potential threat cannot be overstated. Last year, CCleaner was boasting that it had been downloaded over two billion times in total, and was gaining five million additional users per week.

As a security notification on CCleaner’s support forum explains, CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were compromised.

[Image: CCleaner security notification]

Once in place, the malware would wait five minutes, determine whether the user had admin privileges, and then steal information from the PC, such as the computer’s name, a list of installed software and Windows updates, running processes, and the MAC addresses of network adapters, alongside additional information.

The stolen data was then sent to a US-based server under the control of a hacker.

Researchers at Cisco Talos, who first identified the problem, discovered that the installer for CCleaner v5.33 – first delivered to users’ computers by the legitimate CCleaner download servers on August 15, 2017 – was the culprit.

What makes this most concerning is that the malicious code was digitally signed using a valid digital certificate issued to the software’s developer Piriform, which was acquired by anti-virus firm Avast just two months ago.

[Image: certificate]

Cisco Talos researchers warn that the fact the binary was digitally signed using the software developer’s valid certificate is of particular concern:

“…it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.”

Cisco Talos researchers immediately informed Avast of the problem, and offending versions of the CCleaner installer containing the malicious payload are no longer available from the CCleaner download website. Law enforcement agencies have also been informed of the situation, and the third-party server that was set up to receive stolen data has been taken down.

It goes without saying that anyone still using version 5.33 of CCleaner needs to update to the (safe) version 5.34 as soon as possible. This message especially needs to reach users of the free edition of CCleaner, as it does not feature automated updates and requires them to manually download updates. (Of course, the lack of automatic updates for the free edition of CCleaner may actually have reduced the total number of users put at risk by the compromised version.)

It’s worth pointing out that you may want to go one step further than just downloading a fixed version of CCleaner. After all, if you ran version 5.33 of CCleaner your PC may have been compromised. It might be sensible to roll back your computer to a backup created before you installed that poisoned version of CCleaner.
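As an added illustration (not code from the article, Piriform or Avast), here is a PowerShell check a Windows administrator could run to flag the two builds named in the security notification; the uninstall-key display names and the default install path are assumptions.

```powershell
# Added example, not from the article or from Piriform/Avast.
# The flagged versions are the two the security notification names;
# the DisplayName values and install path below are assumptions.
$Affected = @{
    'CCleaner'       = [version]'5.33.6162'
    'CCleaner Cloud' = [version]'1.07.3191'
}
# Read both the native and the 32-bit (WOW6432Node) uninstall hives.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' } |
    ForEach-Object {
        $installed = $null
        # Skip entries whose version string cannot be parsed.
        if (-not [version]::TryParse([string]$_.DisplayVersion, [ref]$installed)) { return }
        $bad = $Affected[$_.DisplayName]
        $status = if ($bad -and $installed -eq $bad) { 'COMPROMISED BUILD - update and investigate' }
                  else { 'not a flagged build' }
        '{0} {1}: {2}' -f $_.DisplayName, $installed, $status
    }

# A valid Authenticode signature is NOT evidence of a clean build here: the
# backdoored installer carried Piriform's legitimate certificate. The signer
# and hash are printed so they can be compared against a trusted release.
$Exe = Join-Path $env:ProgramFiles 'CCleaner\CCleaner.exe'   # assumed default path
if (Test-Path $Exe) {
    $sig = Get-AuthenticodeSignature -FilePath $Exe
    'Signature: {0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject
    'SHA256   : {0}' -f (Get-FileHash -Path $Exe -Algorithm SHA256).Hash
}
```

Run from an elevated prompt so both registry views are readable; a "Valid" signature line is expected for the compromised build as well, which is the point the article makes.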

And, if you’re in any doubt as to the scale of the potential threat, cast your mind back a few months to when ransomware spread around the world after being seeded through a malicious automatic update to a popular Ukrainian accounting software package, or to late 2016, when attackers hijacked Ask Toolbar updates to install suspicious code.

For more discussion of the CCleaner security incident, be sure to listen to this episode of the “Smashing Security” podcast:

Smashing Security #045: 'Deloitte fail, CCleaner, and dotards on Twitter'


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

15 Replies to “CCleaner, distributed by anti-virus firm Avast, contained malicious backdoor”

  1. Typo : "Bad unfortunately, that's precisely what appears to have occurred."

    You must have meant to say: "But unfortunately,"

    1. Thanks – I thought I had fixed that hours ago, but clearly I forgot to press the "Update" button in my CMS.

      You see, manual updating can lead to failure for us bloggers too… ;-)

  2. The timing is suspicious, in that it was done not long after Avast took over. One has to wonder whether a disgruntled, or perhaps fired, ex-employee was behind this. Especially in light of the digitally signed cert. Surely law enforcement will be looking in that direction first.

  3. They say the problem is fixed and it only affected the 32 bit version. I wonder if the hacker may already be working on hacking the 64 bit version next.

    Piriform was bought by anti-virus firm Avast just two months ago. Seems strange that this happened soon after this transaction. I kind of wonder about the credibility of Avast software after this. Maybe a disgruntled employee at Piriform did not like this sell out and sabotaged the CCleaner software.

  4. Thank God I didn't run mine. I have the free version and just updated it. They send out a stern warning. The paid version of Malware Bytes also blocks almost every page unless you allow the page to run. Since I only have a few days left on the trial, I'm not going to bother. And then there's Bitdefender at the end of the month. Their videos on the lack of privacy are really eye-opening.

  5. "We fixed it. Trust us. No other versions were affected." Prior to this discovery, they would have assured us all that NO versions were affected by Malware. My first thought is that their entire Quality Control team should be relieved of their duties.

    How can we ever trust this company again?
