pixel_dreams - Fotolia

Hackers installed backdoor in CCleaner, Avast’s Piriform warns

Avast-owned Piriform has warned that some versions of its CCleaner software was compromised by hackers that would allow them to install malware on users’ computers

Business and consumer users of Piriform’s CCleaner software are being urged to ensure they are using the latest versions that do not contain a hacker-inserted backdoor.

CCleaner, software that is designed to speed up PC and smartphone performance by removing unneeded or unecessary files, is the latest victim of hackers hijacking legitimate software to spread malware and gain access to infected systems.

The compromised CCleaner software could potentially give hackers access to the user’s computer and other connected systems to steal sensitive personal data and credentials that could be used for online banking or other online activities, Cisco’s cyber security research team, Cisco Talos, has warned.

“Supply chain attacks are a very effective way to distribute malicious software into target organisations. This is because with supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer,” the research team said in a blog post.

In June 2017, Microsoft confirmed that, in some cases, NotPetya hijacked the auto update facility of the M.E.Doc tax accounting software that is widely used in Ukraine, which is why the country was particularly hard hit.

According to the Avast-owned Piriform, only the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud were affected.

But that means up to 2.27 million users could be vulnerable, and Piriform is urging all users of the affected versions to download v5.34.

Read more about malware

However, the company claims to have resolved the problem quickly, and said it believes no harm was done to any of its users in a blog post. “We apologise and are taking extra measures to ensure this does not happen again,” the company said.

According to Piriform, its new parent company Avast had found the affected versions of the software had been compromised on 12 September.

Further investigation revealed that the software code had been illegally modified before it was released to the public, according to Paul Yung, vice-president for products at Piriform.

“The modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems,” he wrote in a blog post.

A regular scheduled update to CCleaner without the compromised code was released on the same day, and an updated version of CCleaner Cloud without the compromised code was released three days later.

However, that still means downloads of CCleaner in the four weeks since its release on 15 August and downloads of CCleaner Cloud in the three weeks since its release on 24 August were compromised.

Transmission of “non-sensitive data”

Piriform said the compromise could cause the transmission of “non-sensitive data” such as computer name, IP address, list of installed software, list of active software and list of network adapters to a third-party computer server in the US.

“We have no indications that any other data has been sent to the server,” the company said, adding that working with US law enforcement, the affected server was shut down on the 15 September “before any known harm” was done.

The company said it had not made the compromise known sooner because that would have been “an impediment to the law enforcement agency’s investigation”.

However, Piriform said it had taken action to ensure users of the affected versions of CCleaner were safe by removing them from download sites.

Update notification

The company said it notified CCleaner v5.33.6162 to update to v5.34 and automatically updated CCleaner Cloud users to v1.07.3214.

“We are continuing to investigate how this compromise happened, who did it and why. We are working with US law enforcement in their investigation,” the company said.

Despite the release of updated versions of the compromised software, the Cisco Talos research team is advising all those who downloaded the compromised versions of CCleaner to wipe their computers.

Because the malware remains present, even after users update the CCleaner software, affected users should remove and reinstall everything on the machine and restore files and data from a backup made before 15 August.

The Cisco Talos researchers believe it is critical to remove the compromised version of the CCleaner software and associated malware, because its structure means it has the ability to hide on the user’s system and call out to check for new malware updates for up to a year.

Read more on Hackers and cybercrime prevention