CCleaner, distributed by anti-virus firm Avast, contained malicious backdoor

Digitally-signed version of CCleaner 5.33 secretly stole information from users’ computers.


CCleaner is a popular Windows utility used by many millions of internet users to remove cookies, wipe browsing histories, and clean up temporary internet files where malware might be lurking.

It's the kind of tool that many tech-savvy Windows users rely upon to speed up and optimise their PCs.

It's not the sort of program that they expect to introduce malware onto their systems. But unfortunately, that's precisely what appears to have occurred.


Because CCleaner has suffered a "security incident" which saw users updated with a legitimate digitally-signed version of the software which opened a malicious backdoor.

The scale of the potential threat should not be underestimated. Last year, CCleaner was boasting that it had been downloaded in total over two billion times, and was seeing five million additional users per week.

As a security notification on CCleaner's support forum explains, CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were compromised.

Ccleaner security notification

Once in place, the malware would wait five minutes, determine if the user had admin privileges, and then steal information from PCs, such as the computer's name, a list of installed software and Windows updates, running processes, and the MAC addresses of network adapters, along with other information.

The stolen data was then sent to a US-based server under the control of a hacker.

Researchers at Cisco Talos, who first identified the problem, discovered that the installer for CCleaner v5.33 - first delivered to users' computers by the legitimate CCleaner download servers on August 15, 2017 - was the culprit.

What makes things most concerning is that the malicious code was digitally signed using a valid digital certificate issued to the software's developer Piriform, which was acquired by anti-virus firm Avast just two months ago.

Certificate

Cisco Talos researchers warn that the fact the binary was digitally signed using the software developer's valid certificate is of particular concern:

"...it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code."

Cisco Talos researchers immediately informed Avast of the problem, and offending versions of the CCleaner installer containing the malicious payload are no longer available from the CCleaner download website. Law enforcement agencies have also been informed of the situation, and the third-party server that was set up to receive stolen data has been taken down.

It goes without saying that anyone still using version 5.33 of CCleaner needs to update to the (safe) version 5.34 as soon as possible. This message needs to especially get out to users of the free edition of CCleaner, as it does not feature automated updates and requires them to manually download updates. (Of course, the lack of automatic updates for the free edition of CCleaner may actually have reduced the total number of users put at risk by the compromised version.)

It's worth pointing out that you may want to go one step further than just downloading a fixed version of CCleaner. After all, if you ran version 5.33 of CCleaner your PC may have been compromised. It might be sensible to roll back your computer to a backup created before you installed that poisoned version of CCleaner.
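The advisory names two poisoned builds (CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) and recommends updating to 5.34, or restoring from a pre-install backup where the poisoned build actually ran. The sweep below is an added example, not code from the article or from Piriform/Avast: it takes inventory records (hostnames, product names and version strings are constructed here) and classifies each host against those two builds, comparing versions numerically rather than as strings so that "5.33.6162" sorts correctly against "5.34".

```python
"""Sweep a software inventory for the CCleaner builds named in the advisory."""
import re
from dataclasses import dataclass

# Builds the advisory identifies as compromised (from the page).
COMPROMISED = {
    "CCleaner": (5, 33, 6162),
    "CCleaner Cloud": (1, 7, 3191),
}

def parse_version(text):
    """'5.33.6162' -> (5, 33, 6162). Tuples compare numerically;
    raw strings do not ('5.9' > '5.33' as text, wrong as a version)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)

@dataclass(frozen=True)
class Host:
    name: str      # hostname (constructed sample values below)
    product: str   # DisplayName as an inventory agent would report it
    version: str   # DisplayVersion string, e.g. "5.33.6162"

def assess(host):
    """Return 'compromised', 'older', 'newer' or 'ignore' for one record."""
    bad = COMPROMISED.get(host.product)
    if bad is None:
        return "ignore"            # not one of the two affected products
    ver = parse_version(host.version)
    if ver == bad:
        return "compromised"       # the exact poisoned build
    return "older" if ver < bad else "newer"

# Defender action per verdict, following the article's advice.
ACTIONS = {
    "compromised": "assume the host is compromised: restore from a backup taken "
                   "before the install, then move to 5.34 or later",
    "older": "not the poisoned build, but update (free edition does not auto-update)",
    "newer": "no action needed",
}

def sweep(hosts):
    """List (hostname, verdict, action) for every CCleaner install found."""
    findings = []
    for h in hosts:
        verdict = assess(h)
        if verdict != "ignore":
            findings.append((h.name, verdict, ACTIONS[verdict]))
    return findings

# Constructed sample inventory, not data from the page.
SAMPLE = [
    Host("ws01", "CCleaner", "5.33.6162"),
    Host("ws02", "CCleaner", "5.34"),
    Host("ws03", "CCleaner", "5.32.6129"),
    Host("ws04", "CCleaner Cloud", "1.07.3191"),
    Host("ws05", "Notepad++", "7.5"),
]
```

Running `sweep(SAMPLE)` flags ws01 and ws04 as compromised, ws03 as older, ws02 as newer, and skips ws05.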

And, if you're in any doubt as to the scale of the potential threat, cast your mind back a few months when ransomware spread around the world after being seeded through a malicious automatic update to a popular Ukrainian accounting package, or when in late 2016 attackers hijacked Ask Toolbar updates to install suspicious code.

For more discussion of the CCleaner security incident, be sure to listen to this episode of the "Smashing Security" podcast:




15 Responses

  1. Mathieu

    September 18, 2017 at 1:48 pm #

    Typo : "Bad unfortunately, that's precisely what appears to have occurred."

    You must have meant to say: "But unfortunately,"

    • Graham Cluley in reply to Mathieu.

      September 18, 2017 at 1:52 pm #

      Thanks – I thought I had fixed that hours ago, but clearly I forgot to press the "Update" button in my CMS.

      You see, manual updating can lead to failure for us bloggers too… ;-)

      • Vic Eizenga in reply to Graham Cluley.

        September 19, 2017 at 5:50 am #

        Avast did make Ccleaner

      • Michael Ponzani in reply to Graham Cluley.

        September 19, 2017 at 2:49 pm #

        Ah, you updated it.

    • JavaJoe in reply to Mathieu.

      September 18, 2017 at 2:30 pm #

      A report on a significant security breach, and you're concerned about the grammar! Too funny.
      <wags head>

  2. zdest33

    September 18, 2017 at 2:28 pm #

    3% of 2 billion downloads is still a lot – but nowhere near 2 billion.

  3. mark

    September 18, 2017 at 2:36 pm #

    The backdoor was only in the 32 bit version. If you have the 64 bit version you were not effected.

    • Michael Ponzani in reply to mark.

      September 19, 2017 at 2:50 pm #

      Affected.

  4. DeepSysAdmin

    September 18, 2017 at 3:24 pm #

    Just delete your own history and run disk cleanup – all baked into your web browser(s) and Windows.

  5. drsolly

    September 18, 2017 at 5:04 pm #

    This is the standard nightmare of every antivirus company.

  6. David L

    September 18, 2017 at 7:02 pm #

    The timing is suspicious, in that it was done not long after Avast took over. One has to wonder whether a disgruntled, or perhaps fired, ex-employee was behind this. Especially in light of the digitally signed cert. Surely law enforcement will be looking in that direction first.

  7. Joe

    September 18, 2017 at 7:04 pm #

    They say the problem is fixed and it only affected the 32 bit version. I wonder if the hacker may already be working on hacking the 64 bit version next.

    Piriform was bought by anti-virus firm Avast just two months ago. Seems strange that this happened soon after this transaction. I kind of wonder about the credibility of Avast software after this. Maybe a disgruntled employee at Piriform did not like this sell out and sabotaged the CCleaner software.

  8. Michael Ponzani

    September 19, 2017 at 2:58 pm #

    Thank God I didn't run mine. I have the free version and just updated it. They send out a stern warning. The paid version of Malwarebytes also blocks almost every page unless you allow the page to run. Since I only have a few days left on the trial, I'm not going to bother. And then there's Bitdefender at the end of the month. Their videos on the lack of privacy are really eye-opening.

  9. Dave

    September 20, 2017 at 2:03 pm #

    "We fixed it. Trust us. No other versions were affected." Prior to this discovery, they would have assured us all that NO versions were affected by Malware. My first thought is that their entire Quality Control team should be relieved of their duties.

    How can we ever trust this company again?

  10. Tammi

    October 11, 2017 at 6:50 am #

    Oh crap, I'm still using v5.32.6129 and the 64-bit version at that. I miss all the fun.
