For one month, the installer for a widely used, free Windows utility called CCleaner also installed a malicious payload that was designed to allow attackers to push additional malware onto infected PCs.
The alert was publicly sounded Monday by security researchers at Cisco Talos, who say they discovered the trojanized build last week and immediately alerted CCleaner’s developer Piriform, which has since confirmed the compromise and issued new, clean versions of CCleaner.
CCleaner is a Windows utility designed to enable users to perform routine maintenance on their systems, including removing temporary files and optimizing hard disk performance.
Prague-based anti-virus firm Avast, which acquired Piriform in July, says CCleaner has 130 million users, although some of those use the Android version, which was not affected. Piriform says that 3 percent of CCleaner users may have used the trojanized versions.
“The actual number of users affected by this incident was 2.27 million,” write Avast CEO Vince Steckler and Ondřej Vlček, executive vice president and general manager of Avast’s consumer business, in a blog post. “And due to the proactive approach to update as many users as possible, we are now down to 730,000 users still using the affected version (5.33.6162). These users should upgrade even though they are not at risk as the malware has been disabled on the server side.”
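As an added example that is not part of the article and is not Piriform’s or Avast’s own tooling, the PowerShell check below reports whether a Windows host still has a 5.33 build of CCleaner installed, the version line the article identifies as affected (5.33.6162). The install paths and the decision to compare on major.minor rather than the full version string are assumptions; adjust them for your environment.

```powershell
# Added example, not from the article or from Piriform/Avast. Finds CCleaner installs on the
# local host and flags the 5.33 line the article names as affected (5.33.6162).
# Install paths below are assumptions (CCleaner's default locations).

$AffectedVersion = [version]'5.33.6162'

function Get-CCleanerInstalls {
    # Assumed default install locations; the 32- and 64-bit binaries share one folder.
    $Candidates = @(
        "$env:ProgramFiles\CCleaner\CCleaner.exe",
        "$env:ProgramFiles\CCleaner\CCleaner64.exe",
        "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
    )
    foreach ($Path in $Candidates) {
        if (-not (Test-Path -LiteralPath $Path)) { continue }
        $Info   = (Get-Item -LiteralPath $Path).VersionInfo
        $Parsed = $null
        # FileVersion is free text and may not parse; fall back to the numeric parts.
        if (-not [version]::TryParse($Info.FileVersion, [ref]$Parsed)) {
            $Parsed = [version]::new($Info.FileMajorPart, $Info.FileMinorPart,
                                     $Info.FileBuildPart, $Info.FilePrivatePart)
        }
        # Signer subject is reported for context only: a valid Authenticode signature
        # does not prove a build is clean if the vendor's build or signing pipeline was abused.
        $Sig = Get-AuthenticodeSignature -FilePath $Path
        [pscustomobject]@{
            Source  = 'File'
            Path    = $Path
            Version = $Parsed
            Signer  = $Sig.SignerCertificate.Subject
        }
    }

    # Uninstall entries catch installs outside the default folders.
    $UninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        ForEach-Object {
            $Parsed = $null
            [void][version]::TryParse($_.DisplayVersion, [ref]$Parsed)
            [pscustomobject]@{
                Source  = 'Registry'
                Path    = $_.PSPath
                Version = $Parsed
                Signer  = $null
            }
        }
}

function Test-CCleanerAffected {
    # Flags any 5.33 build. The comparison is on major.minor (assumption) because the
    # Windows file-version fields may place the 6162 build number differently from the
    # marketing version string the article quotes.
    Get-CCleanerInstalls | ForEach-Object {
        $v = $_.Version
        $affected = ($null -ne $v) -and
                    ($v.Major -eq $AffectedVersion.Major) -and
                    ($v.Minor -eq $AffectedVersion.Minor)
        $_ | Add-Member -NotePropertyName Affected -NotePropertyValue $affected -PassThru
    }
}

Test-CCleanerAffected | Format-Table Source, Version, Affected, Signer, Path -AutoSize
```

Run it in an elevated PowerShell session on each host (or push it through your endpoint management tool); any row with Affected set to True is a host that should be upgraded to a clean release, as the Avast post advises, even though the command-and-control server has been taken down.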
Piriform says that it did not issue an immediate security alert because it was working with law enforcement to seize the command-and-control server. “Working with U.S. law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done. It would have been an impediment to the law enforcement agency’s investigation to have gone public with this before the server was disabled and we completed our initial assessment,” the company says.
This type of campaign – trojanizing a legitimate application – is often referred to as a supply chain attack, in which attackers subvert the relationship between a supplier and its customers. “This trust relationship is … abused to attack organizations and individuals and may be performed for a number of different reasons,” according to Cisco Talos.
In another campaign earlier this year, NotPetya malware infected Ukrainian organizations after attackers compromised an update server – and potentially also the software development environment – maintained by Kiev-based accounting software vendor M.E. Doc.