CCleaner is a popular program used by millions of consumers to try to make their computers run faster. It attempts to accomplish this by cleaning out remnants of uninstalled programs and by clearing certain temporary data of installed programs. It cleans out browser caches, cookies, histories and form data, as well as Windows temporary files. It also attempts to repair Windows registry problems such as unused file extension entries and missing references to application paths. It can even go as far as uninstalling programs or changing the list of programs that run at startup.
The application has been evolving since its inception in 2003. In 2009, CNET editors gave it a 5/5 rating, saying it was a “must-have tool”.
In September 2017, two versions of CCleaner (32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) were found to be infected with a backdoor that allowed hackers to exfiltrate information from an end-user’s PC as well as to download and install a secondary payload. These versions were available for almost a month before being withdrawn. Avast (the company that owns the software maker, Piriform) said that while it was available, the infected PC version was downloaded (and presumably installed) over 2 million times.
The infection was first identified by Morphisec (an endpoint security company) in late August, when it was blocked by their security product, and they began an immediate investigation. They evaluated logs supplied by their customers before reporting it to Avast within 72 hours so that a clean version could be created and published.
According to Morphisec’s VP for R&D, Michael Gorelik: “A backdoor transplanted into a security product through its production chain presents a new unseen threat level which poses a great risk and shakes customers’ trust.”
It appears that the malicious code was modified on or before the build server within Piriform. The modified code loaded an extra library into the application that collected information from the computer and sent it on to a command and control server; it could also download additional code that could be used to perform almost any task. Once the initial malware is installed with elevated rights (many people click OK when told that the installer requires elevated rights, because they expect the application to request this), the application can literally do what it likes. This includes connecting to the Internet, which in the interconnected society of today is the expected norm.
Cisco has its own security investigation team, which also identified the issue. They posted an in-depth analysis of the infection and highlighted the following:
- The attack was highly targeted. Although over 2 million computers were infected, the attackers (who controlled the secondary payload) implemented checks to decide whether to go ahead or to send the victim to the original Piriform website instead.
- Targets included high-profile companies such as Singtel, Intel, Microsoft, Samsung, Sony, and HTC. Also included were the mobile network operators O2 and Vodafone, and even Cisco themselves.
- The malware would regularly contact its control server and update the database with information on hostnames, IP addresses, process names and more.
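The two things a defender can act on from the points above are the infected version numbers and the regular, evenly spaced contact with the control server. The following triage script is an added example (not code from Avast, Piriform, Morphisec or Cisco) that runs both checks over constructed endpoint telemetry; the log format, destination addresses, and the 5% jitter threshold are assumptions made for the example.

```python
"""Triage helper for the CCleaner incident (added example, not vendor code).
Each constructed telemetry line is:  <ISO timestamp> <host> <process> <version> <dest>
Check 1: host runs one of the two versions named as backdoored.
Check 2: CCleaner.exe connects to one destination at near-constant intervals,
the beaconing pattern described in the article."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

INFECTED_VERSIONS = {"5.33.6162", "1.07.3191"}   # versions named in the article

# Constructed sample: hostA beacons roughly every 10 minutes, hostB looks clean.
SAMPLE_LOG = """\
2017-09-01T10:00:00 hostA CCleaner.exe 5.33.6162 203.0.113.10:443
2017-09-01T10:10:01 hostA CCleaner.exe 5.33.6162 203.0.113.10:443
2017-09-01T10:20:00 hostA CCleaner.exe 5.33.6162 203.0.113.10:443
2017-09-01T10:29:59 hostA CCleaner.exe 5.33.6162 203.0.113.10:443
2017-09-01T10:00:00 hostB CCleaner.exe 5.34.6207 update.example.test:443
2017-09-01T14:37:00 hostB CCleaner.exe 5.34.6207 update.example.test:443
"""

def parse(log):
    """Yield (timestamp, host, process, version, dest) per telemetry line."""
    for line in log.splitlines():
        ts, host, proc, ver, dest = line.split()
        yield datetime.fromisoformat(ts), host, proc, ver, dest

def flag_infected_versions(log):
    """Hosts whose CCleaner version is one the article reports as backdoored."""
    return sorted({h for _, h, p, v, _ in parse(log)
                   if p.lower() == "ccleaner.exe" and v in INFECTED_VERSIONS})

def flag_beaconing(log, min_events=4, max_jitter=0.05):
    """Map host -> (dest, mean gap in seconds) for evenly spaced CCleaner
    connections. Regularity = stdev/mean of the gaps (assumed threshold)."""
    series = defaultdict(list)
    for ts, host, proc, _, dest in parse(log):
        if proc.lower() == "ccleaner.exe":
            series[(host, dest)].append(ts)
    hits = {}
    for (host, dest), times in series.items():
        if len(times) < min_events:          # too few samples to judge
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) / mean(gaps) <= max_jitter:
            hits[host] = (dest, round(mean(gaps)))
    return hits
```

A version hit alone says the host ran a backdoored build and should be rebuilt or restored; a beaconing hit on top of it is the stronger signal that the implant was active on that machine.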
Avast recommends updating to their latest CCleaner version, but this does not guarantee a clean computer. Removing the infected CCleaner could leave the secondary payload active, so users are advised to scan their computer with an anti-malware program and make sure their anti-virus is up to date. Cisco recommends that users restore from backups or reinstall completely.