Hackers compromised CCleaner to infect as many as 2.27 million PCs with malware.
Cisco’s Talos researchers and CCleaner’s maker, UK-based Piriform, confirmed that a version of CCleaner available since August carried malware that installed a backdoor on Windows systems.
The distribution technique, known as a supply chain attack, is the same method used to spread NotPetya in June, which initially infected systems that had installed a compromised update of a widely used Ukrainian accounting software package. The attack is effective because it exploits the trust users place in a legitimate supplier's download and update channel.
The compromised version was also signed with a legitimate Piriform digital certificate, according to Talos researchers, so Windows and most security tools would treat it as a trusted vendor release rather than flag it as suspicious.
The malware’s main purpose is to profile a victim’s system and send that information to a server located in the US. While it is capable of downloading a second piece of malware, Piriform says it hasn’t seen it executed.
CCleaner is a popular tool for cleaning out 'crap-ware', helping remove temporary files, browser caches, log files and other junk from a system.
Prague-based antivirus vendor Avast acquired Piriform in July, at the time saying CCleaner added 130 million new consumers to Avast.
The compromised version of CCleaner and CCleaner Cloud may have been downloaded by as many as 2.27 million users, or about three percent of its users with 32-bit Windows PCs, according to Piriform.
The company believes it was able to disarm the malware before it harmed users. It has released updates and removed the compromised versions from its website.
The affected software included version 5.33.6162 of CCleaner and version 1.07.3191 of CCleaner Cloud, both 32-bit Windows builds, which were released on 15 August and 25 August respectively.
Users of CCleaner Cloud have already received an automatic update that removes the threat. CCleaner users have received a notification to update to a new version, but Monday's warning is the first time they've been told why. CCleaner users need to install version 5.34 or higher.
According to Piriform, Avast discovered that the two products were compromised on 12 September. The rogue download server was disabled on 15 September as part of the company's cooperation with US law enforcement's investigation.
Data transmitted to the attacker’s server included the computer’s name, IP address, a list of installed software, a list of active software, and a list of network adapters.
Piriform hasn't said when or how the attacker inserted the malware.
“At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing,” said Piriform’s VP of products, Paul Young.
That a legitimate Piriform certificate was used to sign the compromised software suggests Piriform's development or build environment could have been compromised, according to Cisco's Talos researchers.
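The two practical points in this story are the remediation (install 5.34 or later) and the caveat that a valid vendor signature proved nothing here. The following PowerShell audit is an added example, not code from the article, Piriform or Avast: it locates installed CCleaner copies, checks the binary's version against the 5.33.6162 build named above, and reports the Authenticode status and SHA256 for comparison against the vendor's published indicators. It assumes (neither is stated on the page) that CCleaner is registered under the standard Uninstall registry keys with an InstallLocation, and that CCleaner.exe's numeric file version carries 5.33 with the build number 6162 in its build or private part.

```powershell
# Added example (not from the article or the vendor): audit a Windows host for the
# trojanised CCleaner build and show why a valid Authenticode signature does not clear it.
# Assumptions: CCleaner appears under the standard Uninstall keys with an InstallLocation,
# and CCleaner.exe's file version carries 5.33 plus build 6162 in its build or private part.

$AffectedBuilds = @{ '5.33' = 6162 }    # major.minor -> build number flagged by Piriform/Talos
$FixedVersion   = [version]'5.34'       # first clean release according to the article
$VendorSubject  = 'Piriform'            # expected signer; note it was also valid on the bad build

function Get-CCleanerInstall {
    # Walk both the native and WOW6432Node Uninstall hives; the affected build was 32-bit.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' -and $_.InstallLocation } |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.DisplayName
                RegistryVersion = $_.DisplayVersion
                Exe             = Join-Path $_.InstallLocation 'CCleaner.exe'
            }
        }
}

function Test-CCleanerBinary {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'binary not found' }
    }

    $fvi   = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    $major = [version]"$($fvi.FileMajorPart).$($fvi.FileMinorPart)"
    $build = @($fvi.FileBuildPart, $fvi.FilePrivatePart)   # assumption: 6162 sits in one of these
    $sig   = Get-AuthenticodeSignature -LiteralPath $Path
    $hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $findings = New-Object System.Collections.Generic.List[string]
    $key = $major.ToString()
    if ($AffectedBuilds.ContainsKey($key) -and $build -contains $AffectedBuilds[$key]) {
        $findings.Add("matches trojanised build $key.$($AffectedBuilds[$key]); reinstall from a clean 5.34+ download")
    }
    if ($major -lt $FixedVersion) {
        $findings.Add("version $key is below $FixedVersion; update")
    }

    # The article's point: the malicious build carried a valid Piriform signature, so a
    # 'Valid' status from the expected vendor is necessary but not sufficient. Treat the
    # signature as a gate, then compare the hash against the vendor's published indicators.
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like "*$VendorSubject*") {
        $findings.Add('Authenticode valid and from vendor (expected even for the bad build)')
    } else {
        $findings.Add("signature status $($sig.Status); signer: $($sig.SignerCertificate.Subject)")
    }

    [pscustomobject]@{
        Path    = $Path
        Version = "$key (file version $($fvi.FileVersion))"
        SHA256  = $hash
        Signer  = $sig.SignerCertificate.Thumbprint
        Verdict = ($findings -join '; ')
    }
}

Get-CCleanerInstall | ForEach-Object { Test-CCleanerBinary -Path $_.Exe } | Format-List
```

Run it in an elevated PowerShell session so the HKLM hives are readable. Because the page gives only the affected version numbers and not file hashes, the script deliberately prints the SHA256 rather than judging it; the comparison against Talos's or Piriform's indicator list is left to the operator.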