AVAST, the anti-virus firm that owns CCleaner, has played down Cisco Talos' involvement in uncovering the recent compromise of its app as well as the number of users affected.
In a blog post penned by the company's CEO Vince Steckler and CTO Ondrej Vlcek, Avast suggested that before acquiring Piriform, the maker of CCleaner on July 18, 2017, the compromise of the application may have already begun.
"The server was provisioned earlier in 2017 and the SSL certificate for the respective https communication had a timestamp of July 3, 2017. We strongly suspect that Piriform was being targeted while they were operating as a standalone company, prior to the Avast acquisition," it said.
Avast admitted that the compromised version of CCleaner was released on 15 August and went undetected by any security company for four weeks.
On Monday, researchers from Cisco Talos suggested that they "decided to move quickly", notifying Avast of their findings on the same day they discovered an issue (on 13 September) so that the company could take the equally speedy action. However, Avast said that it first learned of the malware from a company called Morphisec on 12 September.
"We believe that Morphisec also notified Cisco. We thank Morphisec and we owe a special debt to their clever people who identified the threat and allowed us to go about the business of mitigating it," the company said.
"Following the receipt of this notification, we launched an investigation immediately, and by the time the Cisco message was received (14 September, 7:25 AM PT), we had already thoroughly analysed the threat, assessed its risk level and in parallel worked with law enforcement in the US to properly investigate the root cause of the issue," it added.
Avast said that following this, the command and control server was taken down as a result of collaborating with law enforcement. At the same time, it claimed that the Cisco Talos team registered the secondary DGA domains "before [Avast] had the chance to".
"With these two actions, the server was taken down and the threat was effectively eliminated as the attacker lost the ability to deliver the payload," Avast said.
The anti-virus firm emphasised that while it does have two billion users, with an additional five million per week downloading the app, the actual number of users affected by the incident was 2.27 million. This was because only two smaller distribution products: the Windows 32 bit and cloud versions, were compromised.
The CEO and CTO said that by updating its users about the situation, only 730,000 users are still using the affected version - and that while these users are not at risk anymore because the malware has been disabled, they should upgrade to the latest version, and will be prompted to do so by Avast via a notification.
In addition, the company said that affected systems do not need to be restored to a pre-15 August state or reinstalled/rebuilt.
"About 30 per cent of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary," Avast explained.
"Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary," it added.
The company said that as a precaution it had migrated the Piriform build environment to the Avast infrastructure, and is in the process of moving the entire Piriform staff onto Avast's internal IT system. µ
A surprisingly busy week in a quiet month
Measures just 15.75mm at its thickest point
Firm expects GPU sales to start drying up