Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users.
Cisco Talos discovered that servers distributing the program were leveraged to deliver malware to unsuspecting victims.
"For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner," researchers explained. "On September 13, 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities."
CCleaner has been downloaded over 2 billion times, with 5 million additional downloads a week.
Cisco Talos said it came across the malicious downloads while beta-testing a new exploit detection technology. Subsequent analysis revealed that attackers had hidden malware inside the versions of Avast's CCleaner application available for download between August 15 and September 12.
Anyone who downloaded the 5.33 version or updated their existing product during this timeframe became infected with a covert backdoor capable of spying on everything they did online.
Cisco Talos contacted Avast on September 13. The anti-malware specialist acted promptly to remove the compromised code. However, infected users are still at risk and will need to clean up their systems. The tainted downloads carried a version of the Floxif malware.
Infosec outfit Morphisec, which said it saw CCleaner.exe installs in August, also notified the firm.
Malware process flow [source: Cisco Talos]
The dodgy software was signed using a valid certificate that was issued to Piriform Ltd by Symantec. Piriform, the original developer of CCleaner, was recently acquired by Avast.
In a statement, Avast acknowledged the problem, adding that users would be protected simply by installing a new version of its software. Avast's CTO and CEO published further details in a blog post.
We estimate that 2.27 million users had the v5.33.6162 software, and 5,010 users had the v1.07.3191 of CCleaner Cloud installed on 32-bit Windows machines. We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.
There is no indication or evidence that any additional malware has been delivered through the backdoor. In the case of CCleaner Cloud, the software was automatically updated. For users of the desktop version of CCleaner, we encourage them to download and install the latest version of the software.
Ondrej Vlcek, Avast's CTO, told The Register that there was "no indication that the second-stage payload activated" and hence no need to do a wipe and clean install as recommended by Cisco Talos. Vlcek added that the 2.27 million affected, "a small number compared to the overall user base", were largely users who were installing the software from scratch.
Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organisation. It is also possible that an insider with access to either the development or build environments within the organisation intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.
The attack is particularly dangerous because it exploits the trust consumers place in their software suppliers, a vector that has been seen before.
"Like the Nyetya malware in late June, in this instance attackers hacked into a legitimate, trusted application and turned it malicious," Cisco Talos concludes. "These types of attacks are often successful because consumers trust that these well-known and broadly used applications are safe." ®