HACKERS HAVE COMPROMISED CCleaner, an application distributed by anti-virus firm Avast that allows users to perform routine maintenance on their system, in order to deliver malware to unsuspecting victims.
Researchers from Cisco Talos said that for a period of time - between 15 August and September 12 of this year - CCleaner version 5.33 had contained a multi-stage malware payload that rode on top of the installation.
As CCleaner is a popular application, with over two billion total downloads by November 2016 and an average of five million download every week, the researchers said that they "decided to move quickly" and notified Avast of its findings on the same day they discovered the issue so that the company could take the appropriate action.
The researchers detected the malware on the app on 13 September while performing beta testing of a new exploit detection technology. They identified suspicious activity from the CCleaner app, and found that the downloaded installation executable was signed using a valid digital signature, issued to Piriform (which was acquired by Avast, and was the initial developer of CCleaner). However, CCleaner wasn't the only application that came with the download.
Instead, it came with a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. This malicious version was being hosted directly on CCleaner's download server as recently as 11 September 2017, the researchers claimed.
Cisco Talos suggested that, as there was a valid digital signature on the malicious CCleaner binary, portions of the development or signing process may have been compromised.
"Given the presence of this compilation artefact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization," the researchers explained.
"It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code," they added.
They determined that this was most likely a supply chain attack, whereby attackers rely on the trust relationship between a manufacturer or supplier and a customer.
The malware would upload the data collected from each host to a command and control server. This server has been taken down by Avast since being notified of the malware.
The Cisco Talos researchers recommended that affected systems - of which there could be thousands - need to be restored to a state before 15 August 2017 or reinstalled.
Avast claims, though, that updating to CCleaner version 5.34 ought to fix the problem.
"There is no indication or evidence that any additional "malware" has been delivered through the backdoor. Therefore, the only malware to remove is the one embedded in the CCleaner binary itself. In the case of CCleaner Cloud, the software was automatically updated," a spokesperson told INQ. µ
Welcome to the dystopia Black Mirror warned us about
Microsoft in 'more helpful' shock
A whole new way to be tied to your ISP
Search giant puts Epyc chips at the heart of its datacentre servers