Hackers have infected millions of computers by secretly hiding malware inside a popular security product – so, make sure that you are not impacted.
If you use CCleaner for Windows by Avast (as I do) then check what version you are running, and, if necessary, immediately update or remove the software; researchers at Cisco’s Talos unit and Morphisec have discovered that criminals managed to install a backdoor in the popular clean-up-your-computer tool, that, according to its maker, has been downloaded 2 billion times.
The infected versions are CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191, and you may have the former version if you installed the application between August 15th and September 12th of this year, as approximately 2.3 million people did. The infected software allows criminals to collect data from, and install additional malware onto, computers running it, which means that anyone running the app who has not yet been attacked could be in for a nasty surprise if he or she does not immediately get rid of it. The nature of the compromise – installing a backdoor into maintenance software – strongly suggests that criminals managed to gain access to a machine used in the process of producing the CCleaner application.
Piriform, the unit of anti-virus giant Avast that makes CCleaner, said that it has worked with law enforcement to shut down a server to which traffic from the infected app was being sent. Interestingly, that server was located within the United States. The firm believes that criminals were stealing data from infected computers, but had not yet used the infected software to install additional malware.
If you are running CCleaner you should update it to the latest version (5.34); CCleaner does not auto-update. Users of the infected version of CCleaner Cloud received an automated update and Piriform believes that in the case of the cloud version, it was “able to disarm the threat before it was able to do any harm.” (Note to criminals: I was not using version 5.33.6162.)
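As an added example (not from the article and not Piriform's or Avast's code), the following PowerShell script performs the check described above on a Windows machine: it looks up CCleaner in the standard Uninstall registry keys, flags the two affected builds named in the article, and flags a desktop CCleaner older than 5.34 as needing a manual update since the desktop edition does not auto-update. It assumes that CCleaner registers itself in those keys with a DisplayName beginning "CCleaner" and a DisplayVersion field, and that the Cloud edition's DisplayName contains "Cloud"; both are assumptions, not facts stated on the page.

```powershell
# Added example: check whether an affected CCleaner build is installed.
# Assumption: CCleaner registers in the standard Uninstall keys with a
# DisplayName starting "CCleaner" and a DisplayVersion value.

$AffectedVersions   = @('5.33.6162', '1.07.3191')  # CCleaner / CCleaner Cloud builds named in the article
$MinimumSafeVersion = [version]'5.34'              # the article says to update desktop CCleaner to 5.34

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-CCleanerInstall {
    # Return every registered program whose display name starts with "CCleaner".
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-CCleanerVersion {
    param([string]$DisplayName, [string]$DisplayVersion)

    # Exact match against the two builds the advisory names.
    if ($AffectedVersions -contains $DisplayVersion) {
        return "AFFECTED: $DisplayName $DisplayVersion - update or remove immediately"
    }

    # Desktop CCleaner does not auto-update, so anything below 5.34 still needs a manual update.
    # (Assumption: the Cloud edition's DisplayName contains "Cloud".)
    if ($DisplayName -notlike '*Cloud*') {
        try {
            if ([version]$DisplayVersion -lt $MinimumSafeVersion) {
                return "OUTDATED: $DisplayName $DisplayVersion - update to $MinimumSafeVersion or later"
            }
        } catch {
            return "UNKNOWN: could not parse version '$DisplayVersion' for $DisplayName"
        }
    }
    return "OK: $DisplayName $DisplayVersion"
}

$installs = @(Get-CCleanerInstall)
if ($installs.Count -eq 0) {
    Write-Output 'No CCleaner installation is registered on this machine.'
} else {
    foreach ($install in $installs) {
        Write-Output (Test-CCleanerVersion -DisplayName $install.DisplayName -DisplayVersion $install.DisplayVersion)
    }
}
```

Run it in an elevated PowerShell session so both the 32-bit and 64-bit Uninstall hives are readable; an "AFFECTED" line means the machine should be treated as compromised and the advice above (update or remove, and look for follow-on activity) applies, not merely the update step.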
While auto-update may fix the problem, it may have also served as an Achilles' heel in the first place. As I have spoken about many times, one of the most effective ways to spread malware is to infect the code of a legitimate product at its maker, and have the creator distribute the poisoned product to users; nearly everyone blindly trusts the safety of an “official update” coming from the “official source.” In a recent talk, I even described poisoning the software supply chain in such a fashion as perhaps my second “favorite” form of attack (if I had an unlimited budget and was tasked with launching attacks as a white hat hacker) after social engineering. As anyone working in computer systems operations knows, balancing the need to quickly apply updates in order to fix security problems against the need to protect against introducing problems via updates (whether malware, incompatibilities, or bugs) is not a simple matter.