Infected CCleaner Utility Highlights Dangers of Software Supply Chain Attacks
More than 2 million users are estimated to have downloaded a maliciously modified version of a software utility owned by antivirus firm Avast.
The affected application, CCleaner, helps users perform routine maintenance on their systems, and provides functionality such as temporary files deletion, performance optimization analysis, and application management. Developed by Piriform Ltd, which was acquired by Avast in July, the software had around 2 billion total downloads as of November 2016.
The infected CCleaner versions include 32-bit CCleaner v5.33.6162, released on August 15, and CCleaner Cloud v1.07.3191, which was released on August 24. The issue was discovered last week, nearly a month after the infected application was made available for download.
No information on how the compromise happened has been provided as of now, but Cisco Talos security researchers discovered that the infected CCleaner installers were signed with a valid certificate and were being hosted directly on CCleaner’s download server.
“The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Ideally this certificate should be revoked and untrusted moving forward,” Cisco says.
The installers were infected with malware known as Floxif and were modified so that the malicious code executes during the legitimate application's installation process. The malicious code includes steps designed to evade detection and terminates execution if the user doesn't have admin privileges. It also uses a Domain Generation Algorithm (DGA).
The malware was designed to gather various data from the infected systems, including computer name, IP address, list of installed software, list of active software, list of network adapters, and send it to a third-party server in the United States, Piriform reveals. According to the company, this non-sensitive type of data is the only data that was sent to the server.
Piriform also claims to have taken the necessary steps to ensure that its CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 users were safe, all while working with U.S. law enforcement to shut down the server, which was accomplished on Sept. 15.
The company says it worked with download sites to remove CCleaner v5.33.6162, pushed a notification prompting CCleaner users to update to v5.34, and automatically updated CCleaner Cloud users from v1.07.3191 to 1.07.3214, in addition to delivering an automatic update to Avast Antivirus users.
“At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing,” Paul Yung, VP, Products, Piriform, notes in a technical post detailing the incident.
The company says that only around 3% of CCleaner users have been impacted by the incident. In July, the application had over 130 million users worldwide, including 15 million Android users. Responding to an email inquiry from SecurityWeek, an Avast spokesperson said that an estimated 2.27 million users have downloaded the infected CCleaner versions.
“We estimate that 2.27 million users had the v5.33.6162 software, and 5,010 users had the v1.07.3191 of CCleaner Cloud installed on 32-bit Windows machines. We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm,” the company’s official said.
While analyzing the domains associated with the infection, Cisco discovered an increase in activity following the August 15 release of the infected CCleaner variant. The company also notes that the antivirus detection for the threat was very low at the time of analysis.
Impacted users are advised to update to CCleaner v5.34 as soon as possible. They should also scan their systems with an anti-virus solution to remove any malicious code that might still be present. According to Cisco, users should consider restoring their machines to a state before August 15, 2017, or even perform a full reinstall.
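A host-triage script for the builds and fixed versions the article names, added here as an example rather than code from the article or from Piriform/Avast. It assumes CCleaner registers under the HKLM Uninstall keys with a DisplayName beginning "CCleaner", a DisplayVersion string and an InstallLocation folder containing CCleaner.exe; adjust those assumptions to your inventory.

```powershell
# Added example, not from the article or from Piriform/Avast. Flags the CCleaner builds the
# article names on a Windows host and reports the installed binary's Authenticode signer.
# Assumptions: DisplayName begins "CCleaner", DisplayVersion is a dotted version string,
# and InstallLocation points at a folder holding CCleaner.exe.
$affected = @{
    'CCleaner'       = @{ Bad = [version]'5.33.6162'; Fixed = [version]'5.34' }
    'CCleaner Cloud' = @{ Bad = [version]'1.07.3191'; Fixed = [version]'1.07.3214' }
}

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' }

if (-not $found) { Write-Output "No CCleaner install registered on $env:COMPUTERNAME"; return }

foreach ($app in $found) {
    $name = $app.DisplayName.Trim()
    try { $ver = [version]$app.DisplayVersion } catch { $ver = $null }
    $rule = $affected[$name]

    $status = if (-not $rule -or -not $ver) { 'UNKNOWN: product or version not recognised' }
              elseif ($ver -eq $rule.Bad)    { 'COMPROMISED BUILD: full reinstall or restore to a pre-Aug-15-2017 state' }
              elseif ($ver -lt $rule.Fixed)  { 'OUTDATED: below the fixed version, update now' }
              else                           { 'OK: at or above the fixed version' }

    # Signature status is informational only: the article notes the malicious build
    # carried a valid signature, so "Valid" here does not clear the host.
    $signer = 'binary not found at InstallLocation'
    if ($app.InstallLocation) {
        $exe = Join-Path $app.InstallLocation 'CCleaner.exe'
        if (Test-Path $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $signer = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
        }
    }

    [pscustomobject]@{
        Host = $env:COMPUTERNAME; Product = $name; Version = $ver
        Status = $status; Signature = $signer
    }
}
```

Run it under a fleet-management tool or remoting to collect one row per host; the article says only the 32-bit builds were affected, which this script does not distinguish.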