CCleaner downloads are found to be infected with malware, affecting millions

Avast CEO details how CCleaner malware infection was detected, company response

For about 22 days, the CCleaner system maintenance application distributed malware through its official channels. It appears to have been an exploit of the CCleaner installer’s download server, meaning that whenever anyone downloaded the software via official means, they also unwittingly downloaded a piece of malware.

Thankfully, if you update your CCleaner to the latest version, you should be fine. Avast was made aware of the malicious code on September 12, but had to act quickly and covertly to neutralize the threat.

“CCleaner is not a product that could be remotely updated like the other Avast products, which means in order to quote ‘fix’ it, we had to shut down the server that it was communicating with. Which, of course, we don’t own that server — it was part of a server farm — so we had to work with law enforcement to get that server shut down,” Avast CEO Vince Steckler told Digital Trends.

Once the code was detected, Avast had to keep it under wraps so the culprit was unaware the company was on to the malware infection.

“The malicious code was a two-stage code, that is it has a rather innocuous component that transmitted some very basic non-personal data, but there was a second stage which allowed the server to transmit any executable [file] to CCleaner for execution, and that’s the dangerous part,” Steckler said.

After finding it and getting the server shut down, Avast could safely announce what had happened without endangering vulnerable customers.

“We started working with law enforcement on late Tuesday [September 12] afternoon, and we got the server shut down on Friday [September 15] of last week. So that deactivated, or rendered meaningless any of this code — then we could safely go out and make an announcement,” Steckler said.

Although malware of all types is most commonly spread through phishing attacks like infected attachments and phony links, a tactic that is seeing a lot of success is the infection of trusted platforms. Whether it’s hijacking legitimate distribution accounts, or in this case the download servers themselves, it leaves the victims vulnerable to infection even if they observe proper personal security practices.

Marco Cova, senior security researcher at Lastline, told Digital Trends that this “is an example of a software supply chain attack, where an otherwise trusted software vendor gets compromised and the update mechanism of the programs they distribute is leveraged to distribute malware.”

According to Cova, an attack like this is among the most damaging. “This is sort of a holy grail for malware authors because they can efficiently distribute their malware, hide it in a trusted channel, and reach a potentially large number of users,” he said. To make matters worse, the nature of the attack “indicates that attackers were able to control a critical piece of infrastructure used by the vendor.” In other words, the hackers likely had broad access to CCleaner’s systems.

Fortunately, the code was detected before it ever had the chance to hijack vulnerable computers, according to Steckler.

“We’ve never detected that second stage being activated, so we do not believe it ever was,” Steckler added. “It was a very sophisticated hack, and I think the fact that it existed for 22 days without detection by anyone just shows how sophisticated it was.”

The payload for this malware attack has several tasks once installed. As Talos describes in its breakdown of the malware attack, it first lies dormant to avoid automated detection systems, before checking to see if it has admin access. If not, it shuts itself down to avoid detection, but if it does, it proceeds to gather information on the system and then sends it to a remote server for later collection. It then looks to connect to several other domains, leading to the potential download of more malicious software.

Piriform, the software’s developer, has since issued an apology for the exploit affecting so many of its customers. It warns that anyone running CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 could be affected. It suggests anyone running either version update to the latest release, which has been confirmed to be infection-free.
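One way to turn Piriform's advisory into a host check, as an added example that is not Piriform's, Avast's or Talos's code: the script below reads the Windows uninstall registry entries, flags the two versions the advisory names, and also prints the Authenticode status of the installed executable. It assumes that the uninstall entry's DisplayName begins with the product name and that its DisplayVersion carries the full build number exactly as the advisory writes it, and that the main binary is CCleaner.exe inside InstallLocation; if those assumptions do not hold on a given host, adjust the matching rather than trust a "not affected" result.

```powershell
# Added example, not vendor code. Checks a Windows host for the CCleaner
# versions named as affected in Piriform's advisory.

# Versions named as affected (taken from the advisory quoted in the article).
$AffectedVersions = @{
    'CCleaner'       = '5.33.6162'
    'CCleaner Cloud' = '1.07.3191'
}

# Both native and WOW6432Node uninstall hives; a missing hive is ignored.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: DisplayName starts with the product name and DisplayVersion
# holds the full build number in the advisory's format.
$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

if (-not $Installed) {
    Write-Output 'No CCleaner product registered on this host.'
    return
}

foreach ($app in $Installed) {
    $status = 'not in the affected list (still update to the latest release)'
    foreach ($name in $AffectedVersions.Keys) {
        if ($app.DisplayName -like "$name*" -and
            $app.DisplayVersion -eq $AffectedVersions[$name]) {
            $status = 'AFFECTED: update now and run a full antivirus/antimalware scan'
        }
    }
    Write-Output ('{0} {1}: {2}' -f $app.DisplayName, $app.DisplayVersion, $status)

    # The trojanised build shipped with a valid signature, so a "Valid"
    # status below is reported for context only and is not proof of a clean
    # binary. Assumption: the main executable is CCleaner.exe in InstallLocation.
    if ($app.InstallLocation) {
        $exe = Join-Path $app.InstallLocation 'CCleaner.exe'
        if (Test-Path $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $fileVersion = (Get-Item $exe).VersionInfo.FileVersion
            Write-Output ('  file version {0}, signature {1} ({2})' -f
                $fileVersion, $sig.Status, $sig.SignerCertificate.Subject)
        }
    }
}
```

Run it in an elevated PowerShell session so both registry hives are readable. Because the malicious stage was delivered through the official installer and carried a valid signature, the version match is the meaningful signal here; the signature line is printed to make that point visible to whoever reads the output.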

It would also be a good idea to run standard antivirus and antimalware checks with your chosen security software. If you don’t have one or aren’t sure which to opt for, these are some of our favorites. And if you’re a Mac user, you’re not immune. Here are our favorite antivirus options for MacOS.

Even though a fix was issued quickly, one of the worst aspects of this sort of exploit is that it could reduce the trust people have in legitimate sources and institutions. Piriform was purchased by the antimalware company Avast in July, while a fellow antimalware firm, Symantec, had issued the valid security certificate with which the infected CCleaner download was signed.

“We rely very much on the trust of our users, we want our users to know that they can continue to trust us to protect and support their computers,” Steckler said. “CCleaner is a great product, it did get compromised, and we will be working with law enforcement here to figure out how it got compromised, and if it’s something we can publicize later on, we will.”

Having the rug pulled out from a legitimate download like this makes it much harder for those with little security knowledge to know where to turn to protect themselves online. If the very companies that purport to do so can aid in the proliferation of malware themselves, who can you trust?

Updated with remarks from Avast CEO Vince Steckler. 
