Serious Malware Infection Hits CCleaner

A serious malware infection has hit CCleaner, the very popular system maintenance tool. This is obviously a very embarrassing kind of situation, especially since it was in summer last that Avast, the antivirus giant, brought back Ccleaner.

It was security outfit Cisco Talos that noted the malware incidence; they have intimated Avast about their findings. A blog post authored by Edmund Brumaghin, Ross Gibb, Warren Mercer, Matthew Molyett, and Craig Williams of Cisco Talos says- ” For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly. On September 13, 2017 Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities.”

Inferences are that it could be an external attacker who compromised CCleaner’s development or built environment to insert the malware. It could also be the work of an insider.

TechRadar reports- “The malicious code in question is a two-stage backdoor which hooks up to a command and control server, capable of running code transmitted from a remote PC with obvious potential for various nastiness. Another worrying point was that this infection apparently went undetected by the vast majority of antivirus software.”

Anyhow, Piriform (Avast is the parent company), the developer of CCleaner, has pulled down the infected version of the software. Paul Yung, Vice President (Products) at Piriform, says in a blog post made on the Piriform blog- “…let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.”

Reports say that an investigation has been initiated to find out how the malware made its way into the CCleaner tool.

Forbes quotes Avast chief technology officer Ondrej Vlcek as saying- “2.27 million is certainly a large number, so we’re not downplaying in any way. It’s a serious incident. But based on all the knowledge, we don’t think there’s any reason for users to panic…To the best of our knowledge, the second-stage payload never activated… It was prep for something bigger, but it was stopped before the attacker got the chance.”. Forbes also reports that as per Ondrej Vlcek, “Cisco Talos wasn’t the first to notify Avast of the issues, another unnamed third party was.”