Navigating the vast expanse of the internet can be a messy business for your computer. Websites you visit install cookies, browsing histories quickly amass and unwanted files are easily left undeleted. The result? A clogged up and slow PC.
For many, CCleaner was the ideal option for a quick PC spring-clean. Well, there’s some bad news…
It turns out that CCleaner, developed by a subsidiary of cybersecurity firm Avast, was compromised with malware. Researchers at Talos have detailed that version 5.33 of the software included malware that was distributed by hacked servers.
“The legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” Talos wrote in its blog post revealing the problem. The team found that the legitimate version of the software contained malware that would operate in the background of a user’s computer.
CCleaner, which is available for Mac and PC, deletes unwanted files, browser clutter and other unwanted computer paraphernalia. Released in 2003, it has since been downloaded more than two billion times.
In response to the incident, Piriform, the Avast subsidiary that develops CCleaner, said it was told about the issue on September 12. The company said CCleaner was “illegally modified” before it was released to the public and that a “two-stage backdoor” had been inserted.
The first stage of the malware collected the computer’s name, the software installed on it, the processes running, its MAC address, and whether administrator privileges were in use at the time. This information was then sent to an unidentified IP address. Piriform says it has not detected the second stage of the malware being activated.
“At this stage, we don’t want to speculate how the unauthorised code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it,” Piriform wrote on its blog. Overall, the company believes that 2.27 million users had installed the affected version of the software on 32-bit Windows machines. It also said it “disarmed the threat before it was able to do any harm”.
While the spread of malware is common, the compromise of CCleaner is the second prominent incident this year where malicious code has been distributed by a legitimate-looking software update. When the Petya/NotPetya malware infected computers across Ukraine and the world in July, it was spread by an infected piece of software. Accounting firm MeDoc unknowingly disseminated the malware through an automatic software update.
Worryingly, it appears to be part of a growing trend. “By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates,” the Talos team wrote.
“In many organisations data received from commonly used software vendors rarely receives the same level of scrutiny as that which is applied to what is perceived as untrusted sources.”