Hackers target CCleaner and infect it with malware

Hackers hid malware in CCleaner antivirus software

The malware, which was distributed through the update server for the Windows cleanup utility CCleaner, was apparently inserted by an attacker who compromised the software "supply chain" of Piriform, which was acquired by Avast in July.

Version 5.33 of CCleaner and version 1.07 of CCleaner Cloud were compromised by hackers on August 15 and used to distribute a type of malware called Floxif, researchers at Cisco-owned cyber security firm Talos Intelligence found.

Piriform's Paul Yung said: "We would like to apologise for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191".

CCleaner claims its software is downloaded over 5 million times a week, with over 2 billion installations worldwide. "By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files and web servers used to distribute updates", the Talos team wrote. In short, if you ran version 5.33 of CCleaner, your PC may have been compromised.

Although malware of all types is most commonly spread through phishing attacks such as infected attachments and bogus links, compromising trusted software platforms is a tactic that is proving increasingly successful.

The company said it had not made the compromise known sooner because that would have been "an impediment to the law enforcement agency's investigation".

"We are taking detailed steps internally so that this does not happen again, and to ensure your security while using any of our Piriform products". The breach could let hackers collect computer names, IP addresses, and lists of what software people use, but no sensitive data was collected, it added. It is thought that the latest version of the app infects PCs, making them part of a botnet: enslaved computers that hackers can use at will to direct traffic for malicious purposes. As Talos describes in its breakdown of the malware attack, it first lies dormant to avoid automated detection systems, before checking whether it has admin access.

If your system used the compromised version of CCleaner, it may actually be smarter to roll your system back to a date prior to the release of the versions containing the malicious code, to make sure all elements of the bad code are gone.

"We have no indications that any other data has been sent to the server", the company said, adding that, working with USA law enforcement, the affected server was shut down on 15 September "before any known harm" was done. "Users of CCleaner Cloud version 1.07.3191 have received an automatic update", explained the company.

The Cisco Talos researchers recommended that affected systems - of which there could be thousands - should be restored to a state before August 15 2017 or reinstalled. Also, if you have the Cloud version, it should have automatically updated itself by now to the clean version.

He apologised for any inconvenience that had been caused and said the company's investigation into the attack was "ongoing".
