Trojanized CCleaner Investigation: Lucky Break

Backup Server Reveals Secondary Malware Hit Intel, VMware, Fujitsu and Others

Researchers investigating the infection of hundreds of thousands of computers with a trojanized version of a popular software utility, CCleaner, have had a lucky break that gives greater insight into the hackers’ goals.

The trojanized version of CCleaner gave unknown attackers the ability to potentially push secondary malware onto any infected system they desired. But the command-and-control server used by the attackers had a small hard drive, and when it was recovered by Avast – with the help of law enforcement agencies – it held only three days’ worth of attack data, listing 18 targeted companies.

Now, however, researchers at Czech anti-virus vendor Avast, which owns Piriform – the British developer of CCleaner – have gained access to a second server storing data that has revealed a list of additional computers that may have been hit with secondary malware by attackers.

CCleaner is a popular Windows utility designed to tidy up hard drives and flush temporary files.

The CCleaner incident represents one of the most feared kinds of cyberattacks – attackers tampering with a trusted supply chain. In this case, hackers infiltrated a server that distributes CCleaner and replaced the legitimate installer with a trojanized version that contained malicious, hidden code designed to create a stealthy backdoor on the system. The malicious version even carried a valid digital signature, making it appear to be legitimate.