CCleaner installer included backdoor – update for a month

Spread the love

Piriform reports that the Windows installer of the popular cleaning software CCleaner contained malware in the form of a backdoor for about a month. The installer was available for download from the developer’s site, which was recently acquired by Avast.

Piriform writes that the infected version of CCleaner bears the number 5.33.6162 and is suitable for 32-bit Windows systems. In addition, version 1.07.3191 of CCleaner Cloud was affected. The company reports that the malware is a backdoor, which consists of two components. The first component aimed to collect information about the infected system and send it back to a command and control server under the control of the attackers. This included information such as the name of the computer, running processes, installed software and the MAC addresses of the first three network adapters.

The malware was then able to pull in a second component and execute code, the company said. Cisco’s security unit Talos, which it claims discovered the malware, does not state exactly what its capabilities are, but only writes that “performing various malicious actions” was possible. Piriform claims there is no evidence that the second component’s payload has actually been executed and claims its activation is “very unlikely.” The company does not say why.

Both Piriform and Talos state that the malware’s code was aimed at preventing or at least complicating detection. Talos claims the malicious software came to light during beta testing of a new security product. In its analysis, the company writes that it is likely that the attackers must have had access to the Piriform development environment in order to add the malicious code to the installer. A valid certificate for the installer was present.

The malicious version of CCleaner was available for download between August 15 and September 12. For the Cloud version, the period was between August 24 and September 15, according to Piriform. The company recommends that users update the CCleaner software. Talos goes a step further, recommending users who have installed the malicious version to roll back their Windows systems to a date before August 15th or perform a reinstall.

Piriform estimates that three percent of its CCleaner users are affected. On its website, the company reports that there have been 2 billion downloads to date and that there are 5 million installations per week. Piriform says it does not want to make any assumptions about the identity of the attackers and is working with American investigative services. The company was recently acquired by security firm Avast, which is also conducting an investigation. The current attack concerns a so-called supply chain attack, in which a legitimate product is provided with malicious code. The same was seen, for example, with the distribution of the NotPetya malware via the accounting software MeDoc.

Update, 12:42 PM: Avast tells Forbes that an estimated 2.27 million users have installed the malicious versions. The company bases its statement that the second component of the malware was not executed on a scan of infected computers on which its software is installed. Tweaker temp00 reports that the presence of a particular registry entry may indicate infection.

Course of the malware, according to Talos

You might also like
Exit mobile version