By: Shirley Siluk
Anyone who’s recently downloaded CCleaner, a PC optimization tool developed by London-based Piriform, should update the software immediately to avoid malware that was inserted into one version of the program.
It’s uncertain how the malware was slipped into CCleaner, a utility program that Piriform said has been downloaded some 2 billion times since it was first released in 2003. The company said it has contacted law enforcement authorities and is also urging users to download a new, malware-free version of CCleaner released last week.
Before downloading the latest free version of CCleaner, which does not automatically update, users should also restore their systems to a date before August 15, when the malware first appeared.
Researchers at Talos, Cisco’s threat intelligence team, said they discovered the malware after observing that data from CCleaner was being sent to an unknown IP address. They said they immediately notified the security software company Avast, which acquired Piriform in July.
The malware was designed to collect information about users’ PCs, including installed software and MAC addresses of network-connected devices, and then send that data to an external server. Piriform said in a blog post today that a “rogue server” configured to receive stolen data has been shut down and that “other potential servers are out of the control of the attacker.”
‘Exploiting’ Trust Relationships
Talos researchers said the CCleaner malware was particularly worrisome because it somehow made it onto software that could be executed using Piriform’s valid security certificate. As of today, the malware is only detected by very few — just one out of 64 — antivirus programs, according to the researchers.
“This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world,” Talos researchers Edmund Brumaghin, Ross Gibb, Warren Mercer, Matthew Molyett, and Craig Williams wrote today on the Talos blog. “By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates.”
The research team noted that the CCleaner malware abused legitimate software much in the same way as the Petya/Nyetya/NotPetya attack did in June. In that attack, which crippled thousands of business machines worldwide, wiper malware was distributed via legitimate tax accounting software from a Ukrainian company called M.E.Doc.
“[W]ith supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer,” the Talos researchers noted. “This trust relationship is then abused to attack organizations and individuals and may be performed for a number of different reasons. The Nyetya worm that was released into the wild earlier in 2017 showed just how potent these types of attacks can be. Frequently, as with Nyetya, the initial infection vector can remain elusive for quite some time.”
Inside Job or Outside Hack?
In a security notice posted earlier today, Piriform vice president of products Paul Yung apologized to users for the security issue and added, “to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.”
Yung said anyone using CCleaner version 5.33.6162 should update the software to version 5.34, which is available for download via the Piriform Web site.
Anyone using the free version of CCleaner needs to manually download updates because the software does not update automatically. However, “the lack of automatic updates for the free edition of CCleaner may actually have reduced the total number of users put at risk by the compromised version,” U.K. security writer Graham Cluley noted in his blog today.
“It’s worth pointing out that you may want to go one step further than just downloading a fixed version of CCleaner,” he said. “After all, if you ran version 5.33 of CCleaner your PC may have been compromised. It might be sensible to roll-back your computer to a backup created before you installed that poisoned version of CCleaner.”
According to Talos, the impact of the CCleaner malware “could be severe given the extremely high number of systems possibly affected.” Talos researchers said the malware might have been inserted into Piriform’s software either by an external hacker who was able to compromise the company’s development or build environments, of by an insider with access to those environments.
Yung said Piriform is taking detailed steps internally so that this doesn’t happen again. “At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it,” he said. “The investigation is still ongoing.”