Downloaded CCleaner lately? Oo, awks... it was stuffed with malware

OK, OK, well the 2.27 million victims were not Reg readers


Antivirus firm Avast has admitted inadvertently distributing a trojanised version of CCleaner, a popular PC tune-up tool, for nearly a month, infecting an estimated 2.27 million users.

Cisco Talos discovered that servers distributing the program were leveraged to deliver malware to unsuspecting victims.

"For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner," researchers explained. "On September 13, 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities."

CCleaner has been downloaded over 2 billion times, with 5 million additional downloads a week.

Cisco Talos said it came across the malicious downloads while beta-testing a new exploit detection technology. Subsequent analysis revealed that hackers hijacked and hid malware inside versions of Avast's CCleaner application available for download between August 15 and September 12.

Anyone who downloaded the 5.33 version or updated their existing product during this timeframe became infected with a covert backdoor capable of spying on everything they did online.

Cisco Talos contacted Avast on September 13. The anti-malware specialist acted promptly to remove the compromised code. However, infected users are still at risk and will need to clean up their systems. The tainted downloads carried a version of the Floxif malware.

Infosec outfit Morphisec, which said it saw CCleaner.exe installs in August, also notified the firm.

Malware process flow [source: Cisco Talos]

The dodgy software was signed using a valid certificate that was issued to Piriform Ltd by Symantec. Piriform, the original developer of CCleaner, was recently acquired by Avast.

In a statement, Avast acknowledged the problem, adding that users would be protected simply by installing a new version of its software. There's more in a blog post from the CTO and CEO here.

We estimate that 2.27 million users had the v5.33.6162 software, and 5,010 users had the v1.07.3191 of CCleaner Cloud installed on 32-bit Windows machines. We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.

There is no indication or evidence that any additional malware has been delivered through the backdoor. In the case of CCleaner Cloud, the software was automatically updated. For users of the desktop version of CCleaner, we encourage them to download and install the latest version of the software.

Ondrej Vlcek, Avast's CTO, told The Register that there was "no indication that the second-stage payload activated" and hence no need to do a wipe and clean install as recommended by Cisco Talos. Vlcek added that the 2.27 million affected, "a small number compared to the overall user base", were largely users who were installing the software from scratch.

Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organisation. It is also possible that an insider with access to either the development or build environments within the organisation intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.

The attack is particularly dangerous because it exploits the trust consumers have with their software suppliers, a vector that has been seen before.

"Like the Nyetya malware in late June, in this instance attackers hacked into a legitimate, trusted application and turned it malicious," Cisco Talos concludes. "These types of attacks are often successful because consumers trust that these well-known and broadly used applications are safe." ®


Other stories you might like

  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading
  • Big Tech loves talking up privacy – while trying to kill privacy legislation
    Study claims Amazon, Apple, Google, Meta, Microsoft work to derail data rules

    Amazon, Apple, Google, Meta, and Microsoft often support privacy in public statements, but behind the scenes they've been working through some common organizations to weaken or kill privacy legislation in US states.

    That's according to a report this week from news non-profit The Markup, which said the corporations hire lobbyists from the same few groups and law firms to defang or drown state privacy bills.

    The report examined 31 states when state legislatures were considering privacy legislation and identified 445 lobbyists and lobbying firms working on behalf of Amazon, Apple, Google, Meta, and Microsoft, along with industry groups like TechNet and the State Privacy and Security Coalition.

    Continue reading
  • SEC probes Musk for not properly disclosing Twitter stake
    Meanwhile, social network's board rejects resignation of one its directors

    America's financial watchdog is investigating whether Elon Musk adequately disclosed his purchase of Twitter shares last month, just as his bid to take over the social media company hangs in the balance. 

    A letter [PDF] from the SEC addressed to the tech billionaire said he "[did] not appear" to have filed the proper form detailing his 9.2 percent stake in Twitter "required 10 days from the date of acquisition," and asked him to provide more information. Musk's shares made him one of Twitter's largest shareholders. The letter is dated April 4, and was shared this week by the regulator.

    Musk quickly moved to try and buy the whole company outright in a deal initially worth over $44 billion. Musk sold a chunk of his shares in Tesla worth $8.4 billion and bagged another $7.14 billion from investors to help finance the $21 billion he promised to put forward for the deal. The remaining $25.5 billion bill was secured via debt financing by Morgan Stanley, Bank of America, Barclays, and others. But the takeover is not going smoothly.

    Continue reading

Biting the hand that feeds IT © 1998–2022