Malicious code has been discovered in two versions of Piniform’s CCleaner housekeeping utility, the company disclosed on Monday. Piniform is owned by Avast, whose security products are used by more than 400 million people.
The malware infecting CCleaner could give hackers control over the devices of more than 2 million users. CCleaner is designed to rid computers and mobile phones of junk, such as unwanted applications and advertising cookies.
Two versions of the program were modified illegally before they were released to the public, Piniform said.
However, the threat has been neutralized, according to Piniform Vice President Paul Yung, who explained that the rogue server the hackers used to control the code is down, and other servers no longer are in the attackers’ control.
All users who downloaded the infected version of the program for Windows, CCleaner v5.33.6162, have received the latest version of the software. Users of CCleaner Cloud version 1.07.3191 have received an automatic update.
“In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm,” Yung said.
Machine Wipe Recommended
Despite those reassurances from Piniform, more drastic action may be necessary, suggested Craig Williams, the senior technical leader at Cisco Talos.
“Because the malware remains present, even after users update the CCleaner software, Talos advises all users to wipe their entire computer — remove and reinstall everything on the machine — and to restore files and data from a pre-August 15, 2017 backup, before the current version was installed,” he told the E-Commerce Times.
“It is critical to remove this version of the CCleaner software and associated malware, since it’s structure means it has the ability to hide on the user’s system and call out to check for new malware updates for up to a year,” Williams explained.
Beyond the immediate threat, there may be problems with data loss, noted Morey Haber, vice president of technology at BeyondTrust.
“While the upgrade may remove the malware, leaked data has potentially been transmitted and could be used at a future time,” he told the E-Commerce Times.
“Users should consider changing all privileged passwords to mitigate the risks of any leaked credentials,” Haber recommended.
What makes an attack like this particularly pernicious is that there’s very little users can do to protect themselves from it.
“For most threats, there are security practices users can take in order to lower the chances of getting infected,” said Itsik Mantin, director of security research at Imperva.
“In this case, there was really nothing the victims could do,” he told the E-Commerce Times. “The software was properly signed, so they had every reason to trust it.”
The threat faced by CCleaner users is serious, said Nathan Wenzler, chief security strategist at AsTech Consulting.
“The malicious aspect of the software allowed for remote administration of a machine that had the compromised version of CCleaner installed,” he told the E-Commerce Times.
“An attacker would have full access to the system, including anything a user did while logged on, such as inputting credit card information to a shopping site,” Wenzler explained, “or user names and passwords when logging in anywhere.”