CCleaner: 2m users install anti-malware program … that contains malware

More than two million users of anti-malware tool CCleaner installed a version of the software that had been hacked to include malware, the app’s developer confirmed on Monday.

Piriform, the developer of CCleaner now owned by security firm Avast, says that its download servers were compromised at some point between 15 August, when it released version v5.33.6162 of the software, and 12 September, when it updated the servers with a new version.

In that period, a trojan was loaded into the download package which sent “non-sensitive data” from infected users’ computers back to a server located in the US. The data, according to Piriform, included “computer name, IP address, list of installed software, list of active software, list of network adapters”.

As well as the data leak, however, the infection also resulted in a “second stage payload” being installed on to the affected computer – another piece of malware, which Piriform says was never executed.

“At this stage, we don’t want to speculate how the unauthorised code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it,” the company’s vice president, Paul Yung, said.

The company says 2.27m users were infected, but added that “we believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm”. By taking down the “command and control” server, Piriform may have prevented the infection being used to inflict further damage.

The breach was independently discovered by Cisco’s Talos Intelligence research team, who notified Piriform on 13 September, one day after the clean version of the software had been released in a regularly scheduled update. Talos recommends that affected systems be restored “to a state before August 15, 2017, or reinstalled”, advice which Piriform does not repeat.

Compromising downloads to trusted software is an increasingly common route by which malware authors infect devices. The method, known as a “supply chain” attack, works because “the attackers are relying on the trust relationship between a manufacturer or supplier and a customer”, Talos says.

In March 2016, a compromised version of BitTorrent client Transmission spread ransomware on Macs for three days, the first functioning ransomware attack on the operating system. Notoriously, a successful hack on Ukrainian accounting software MeDoc was responsible for seeding the NotPetya “ransomworm” – a self-replicating piece of ransomware – that took down companies including Merck, Maersk and Cadbury’s.