Ccleaner, made by the British software firm Piriform, is downloaded about five million times every week.
The Cyberpolice Department of the National Police of Ukraine warns that one of the updates of the popular program "CCleaner", designed to help users carry out routine maintenance of their systems, was infected with malicious software.
"For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner", the report by the Talos team said.
In a security notice posted earlier today, Piriform vice president of products Paul Yung apologized to users for the security issue and added, "to the best of our knowledge, we were able to disarm the threat before it was able to do any harm". We have no indications that any other data has been sent to the server. Talos said this attack is particularly concerning given the wide distribution of CCleaner, which Avast said had 2 billion total downloads as of November 2016.
The company said it notified users of CCleaner v5.33.6162 to update to v5.34 and automatically updated CCleaner Cloud users to v1.07.3214.
According to its parent company Avast, more than 130 million people use the performance optimisation software CCleaner.
Talos researcher Craig Williams said it was a sophisticated attack because it penetrated an established and trusted supplier in a manner similar to June's "NotPetya" attack on companies that downloaded infected Ukrainian accounting software. Piriform was the previous owner of CCleaner, but the company has recently been acquired by antivirus maker Avast, which makes the whole situation quite ironic.
The Talos team analyzed the CCleaner installer further: although the file was correctly signed by the vendor, CCleaner was not the only thing being installed on users' systems.
Cisco Talos suspects the attack was possible thanks either to CCleaner's build environment being compromised or someone with inside access.
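The two points above (a correctly signed installer that still carried extra code, and a narrow set of affected versions) translate into a simple defender-side triage rule: never treat a valid vendor signature as proof of a clean build, and check the installed version against the affected window. The script below is an added example, not code from Piriform, Avast or Talos. It assumes the version numbers named in this article (desktop v5.33.6162 affected, v5.34 fixed, CCleaner Cloud fixed at v1.07.3214); the installer bytes and hash lists it uses are constructed placeholders, and a real deployment would load vendor-published SHA-256 values instead.

```python
"""Triage helper for a trojanized-installer incident (added example).

Demonstrates two checks a defender wants after a supply-chain compromise:
  1. hash-based allow/deny listing of the installer, where a valid code
     signature alone never yields a "trusted" verdict;
  2. classification of installed versions against the affected window.
Version numbers come from the article; hash inputs are constructed placeholders.
"""
import hashlib
from typing import Dict, Tuple

# Versions named in the incident reporting.
AFFECTED_DESKTOP = (5, 33, 6162)   # the trojanized desktop build
FIXED_DESKTOP = (5, 34)            # first clean desktop release
FIXED_CLOUD = (1, 7, 3214)         # CCleaner Cloud build users were moved to

# Constructed sample installers (placeholders, NOT real binaries).
CONSTRUCTED_CLEAN_INSTALLER = b"constructed placeholder: clean 5.34 installer bytes"
CONSTRUCTED_BAD_INSTALLER = b"constructed placeholder: trojanized 5.33 installer bytes"


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the installer contents."""
    return hashlib.sha256(data).hexdigest()


# In practice these dictionaries are filled from vendor / CERT advisories.
KNOWN_BAD_SHA256: Dict[str, str] = {sha256_of(CONSTRUCTED_BAD_INSTALLER): "placeholder bad build"}
KNOWN_GOOD_SHA256: Dict[str, str] = {sha256_of(CONSTRUCTED_CLEAN_INSTALLER): "placeholder clean build"}


def parse_version(s: str) -> Tuple[int, ...]:
    """'v5.33.6162' -> (5, 33, 6162); tolerates a leading 'v' and whitespace."""
    s = s.strip().lstrip("vV")
    try:
        return tuple(int(p) for p in s.split("."))
    except ValueError:
        raise ValueError(f"unparseable version string: {s!r}")


def desktop_status(version: str) -> str:
    """Classify a desktop CCleaner version against the affected window."""
    v = parse_version(version)
    if v[:3] == AFFECTED_DESKTOP:
        return "AFFECTED"                 # exactly the trojanized build
    if v[:2] >= FIXED_DESKTOP:
        return "FIXED"                    # 5.34 or later
    return "NOT_TROJANIZED_BUILD"         # older build; still update, but not the bad one


def cloud_status(version: str) -> str:
    """CCleaner Cloud: the article only names the build users were moved to."""
    return "FIXED" if parse_version(version) >= FIXED_CLOUD else "NEEDS_UPDATE"


def classify_installer(data: bytes, signature_valid: bool) -> str:
    """Hash verdict first; a valid signature only downgrades 'unknown' slightly.

    The point of the incident: the bad build was correctly signed, so
    signature_valid=True must never short-circuit to a trusted verdict.
    """
    h = sha256_of(data)
    if h in KNOWN_BAD_SHA256:
        return "KNOWN_BAD"
    if h in KNOWN_GOOD_SHA256:
        return "KNOWN_GOOD"
    return "UNKNOWN_SIGNED" if signature_valid else "UNKNOWN_UNSIGNED"


def triage_host(installed: Dict[str, str]) -> Dict[str, str]:
    """installed maps product name -> version string, e.g. {'CCleaner': 'v5.33.6162'}."""
    report: Dict[str, str] = {}
    for product, version in installed.items():
        if product == "CCleaner":
            report[product] = desktop_status(version)
        elif product == "CCleaner Cloud":
            report[product] = cloud_status(version)
        else:
            report[product] = "NOT_IN_SCOPE"
    return report


if __name__ == "__main__":
    print(triage_host({"CCleaner": "v5.33.6162", "CCleaner Cloud": "1.07.3214"}))
    print(classify_installer(CONSTRUCTED_BAD_INSTALLER, signature_valid=True))
```

The deliberate design choice is in `classify_installer`: the signature flag is consulted last and can only distinguish two flavours of "unknown". A host with `CCleaner` reported as `AFFECTED` should be treated as compromised regardless of what the signature check on the installer said.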
A bug in the malware code prevented it from using the IP address produced by its domain-generation algorithm: the code never contacted the address it generated, and the routine may simply have been an incomplete feature meant to be finished in a later update.
Many believe that Avast is downplaying the severity of the issue with its security notification post.
If you are a regular user of CCleaner and installed the recent update on your computer, you are at risk.
"At this stage, we don't want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it", Yung stated.
Anyone who had downloaded the compromised version of CCleaner was now being moved to the latest uninfected version, he said.