Compromised Copies of CCleaner Found to Be Installing Backdoors

It may seem counter-intuitive, but users need to exercise caution when installing third-party anti-malware and system-maintenance tools, because those tools are themselves prime targets for attackers. A recent example is the fiasco surrounding Avast's CCleaner tool. The tool is designed to optimize systems by cleaning unused registry entries, but researchers at security firm Cisco Talos discovered that attackers had managed to inject malicious code into the program, code that opens a hidden backdoor on users' computers.

This comes as a shock to the community because CCleaner's developer, Avast, is an established name whose antivirus suite is used by millions of users all over the globe, no doubt helped by the fact that they offer a free version of it. The key detail here is that Avast did not originally develop CCleaner – it was developed by Piriform and only recently acquired by Avast. For its part, Piriform is not a lightweight in the industry either: CCleaner has been downloaded more than 2 billion times worldwide, and is said to be downloaded 5 million times per week.

To its credit, CCleaner does a good job of pruning a Windows system of unwanted files such as temp files, orphaned DLLs, and leftover temporary internet files that malicious programs can take advantage of. The result is a reduced risk of infection by malicious code and a snappier system that is not bogged down by extraneous files or registry entries. The problem is that somewhere along the line the build was hijacked and multi-stage malware was injected into the code, with activation set for the period between August 15 and September 12. The affected builds were the 32-bit version of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191.
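As an added defender-side check (not part of the article), the PowerShell below lists any CCleaner installation recorded in the standard Windows uninstall registry keys, reads the file version of each CCleaner executable in its install directory, and flags versions matching the builds the article names as affected. The `CCleaner*` display-name match, the `InstallLocation` value and the assumption that the build number (6162 / 3191) appears in the executable's FileVersion string are all assumptions about the installer, not facts from the article.

```powershell
# Added example: flag installed CCleaner builds matching the affected versions
# named in the article. Registry paths are the standard Windows uninstall keys.
$affectedBuilds = @('5.33.6162', '1.07.3191')   # from the article

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the product registers a DisplayName starting with "CCleaner".
$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' }

if (-not $installs) {
    Write-Output 'No CCleaner installation found in the uninstall keys.'
    return
}

foreach ($app in $installs) {
    Write-Output ("Found: {0} (registry DisplayVersion: {1})" -f $app.DisplayName, $app.DisplayVersion)

    # Assumption: InstallLocation points at the directory holding the executables.
    if (-not $app.InstallLocation -or -not (Test-Path $app.InstallLocation)) {
        Write-Output '  Install directory not recorded; inspect the binaries manually.'
        continue
    }

    Get-ChildItem -Path $app.InstallLocation -Filter 'CCleaner*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fileVersion = $_.VersionInfo.FileVersion
            # Assumption: the build number appears in the FileVersion string;
            # compare each affected build as a whole-token match on the dotted version.
            $tokens = $fileVersion -split '[^0-9]+' | Where-Object { $_ -ne '' }
            $hit = $affectedBuilds | Where-Object {
                $want = $_ -split '\.'
                # all components of the affected build present in the file's version tokens
                (($want | Where-Object { $tokens -contains [string][int]$_ }).Count -eq $want.Count)
            }
            if ($hit) {
                Write-Output ("  AFFECTED: {0} FileVersion {1} matches build {2}" -f $_.Name, $fileVersion, ($hit -join ','))
            } else {
                Write-Output ("  OK: {0} FileVersion {1}" -f $_.Name, $fileVersion)
            }
        }
}
```

The article states that only the 32-bit CCleaner build was affected, so a flagged `CCleaner64.exe` still warrants replacing the installation from the vendor rather than assuming it is clean. Integer casting of version components means `1.07.3191` matches a FileVersion that reports the minor version as `7`.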

Why It Was Dangerous, But No Longer the Case

Two things made this problem particularly dangerous. First, CCleaner is a trusted and credible program in many circles, so it was not under suspicion, especially since the hijacked software was not downloaded from third-party sites – the infected code was hosted directly on CCleaner's own servers. Second, the malware lay dormant in the code and did not launch until the preset activation time. This gave the compromised builds a lot of time to spread among users before the compromise was caught and recognized.

Piriform has already acknowledged the attack and issued a public apology, explaining that they identified the timeframe in which suspicious activity occurred around CCleaner and when it was illegally modified before being released into the wild. They have also confirmed that the Mac and Android versions of the software were not affected, and that they resolved the matter urgently so as to minimize the number of users affected.

Piriform has also allayed fears by stating that the rogue server involved in the attacks has been taken down, and that other potentially exposed servers have already been locked down and secured against future attacks.