CCleaner, a popular system-maintenance and file clean-up tool, was found to have been compromised with a backdoor. Piriform, the developer of CCleaner, announced on September 18 that CCleaner version 5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users were the infected versions. The investigation found that the software had been illegally modified before it was released and made available to the public. The modification was made in the binary of the .exe file and allowed a two-stage backdoor, controlled from a remote IP address, to run on the affected systems. Besides the backdoor, the malicious code also collected the computer name, the list of installed software and Windows updates, running processes, MAC addresses, and whether the processes were running with administrator privileges. CCleaner Cloud has already been updated automatically; CCleaner itself should be updated manually as soon as possible.
https://www.forbes.com/sites/thomasbrewster/2017/09/18/ccleaner-cybersecurity-app-infected-with-backdoor/#51b0f0a1316a
http://thehackernews.com/2017/09/ccleaner-hacked-malware.html
http://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users
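The remediation described above is a version check: only the two 32-bit builds named in the notice are affected, CCleaner Cloud was patched automatically, and CCleaner needs a manual update. The following script is an added example, not code from the original post or from Piriform, that runs that triage over a software inventory export. The CSV layout (host, product, version, arch), the host names, the architecture aliases and the "5.99.0000"/"1.99.0000" version strings are all constructed for the example.

```python
"""Flag hosts running the CCleaner builds named in the Piriform notification.

Added example: scans a constructed software-inventory CSV and reports the
machines that still need attention. Only the 32-bit builds were affected,
so 64-bit installs and other version numbers are deliberately not flagged.
"""
import csv
import io

# Builds named in Piriform's 18 Sep 2017 notification (32-bit Windows only).
AFFECTED_BUILDS = {
    "ccleaner": "5.33.6162",
    "ccleaner cloud": "1.07.3191",
}

# Remediation per product, as stated in the notice:
# CCleaner Cloud was pushed an automatic update; CCleaner must be updated by hand.
ACTION = {
    "ccleaner": "manual update required",
    "ccleaner cloud": "confirm automatic update applied",
}

# Architecture labels that inventory tools commonly use for 32-bit builds
# (assumed set; extend it to match your own export).
THIRTY_TWO_BIT = {"x86", "32-bit", "32bit", "i386", "i686", "win32"}

# Constructed sample inventory; host names, the 64-bit row and the
# "5.99.0000" / "1.99.0000" versions are made up for the example.
SAMPLE_INVENTORY = """\
host,product,version,arch
ws-01,CCleaner,v5.33.6162,32-bit
ws-02,CCleaner,5.33.6162,x64
ws-03,CCleaner,5.99.0000,x86
ws-04,CCleaner Cloud,1.07.3191,i386
ws-05,CCleaner Cloud,1.99.0000,x86
ws-06,7-Zip,16.04,x64
"""


def normalize_version(raw):
    """Strip whitespace and a leading 'v'/'V' so 'v5.33.6162' equals '5.33.6162'."""
    return raw.strip().lstrip("vV")


def is_32bit(arch):
    """True when the architecture label denotes a 32-bit build."""
    return arch.strip().lower() in THIRTY_TWO_BIT


def is_affected(product, version, arch):
    """Exact match on the 32-bit builds from the notice; nothing else is flagged."""
    key = product.strip().lower()
    return (
        key in AFFECTED_BUILDS
        and normalize_version(version) == AFFECTED_BUILDS[key]
        and is_32bit(arch)
    )


def triage_inventory(csv_text):
    """Return [(host, product, action)] for every affected row in a CSV inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_affected(row["product"], row["version"], row["arch"]):
            action = ACTION[row["product"].strip().lower()]
            findings.append((row["host"], row["product"], action))
    return findings


if __name__ == "__main__":
    for host, product, action in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} affected build -> {action}")
```

Run against the sample, it reports ws-01 (manual update required) and ws-04 (confirm the automatic update applied); ws-02 is skipped because it is the 64-bit build, and ws-03/ws-05 because their version strings differ from the ones in the notice.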
Fraser G says
Richard-
Interesting article, and one of concern for me because I used CCleaner in the past. If I read these articles right, one of their hosts was compromised… I wonder what sort of vetting process is used to make sure your host is legit and has good security of their own. Thanks for posting this!
Fraser
Amanda M Rossetti says
I just posted the Time article about this before I saw your post. It caught my eye because I also use CCleaner and will be updating it today. I’m curious to know what broke down in their internal controls to allow the modified version to be the one released to the public. They should have had multiple levels of testing and approval prior to release. I wonder if it was modified in the short time between the final go-live approval and release, or if it happened during that testing/approval process and wasn’t caught then.
Matt Roberts says
Although this wasn’t necessarily the case, my first instinct looking at this is that it was likely the act of an insider, or was done with the assistance of an insider. This is a great example of why detailed logs and documentation are so important. It will likely be a lengthy and meticulous process, but a detailed investigation of the logs may be the only way to determine how this happened and who is responsible for it.
Kevin Blankenship says
Definitely a really interesting and clear example of a supply chain attack. Like Matt said, if it wasn’t an insider, there is a serious compromise in Avast’s SDLC. It’s good only one version was affected, so downgrading or upgrading will fix the issue, but with 2.27 million downloads of that version since August, this malware is still very widespread.
It is pretty impressive.
Younes Khantouri says
Richard,
I did read an article that is related to your post and talks about CCleaner. According to that article, CCleaner comes in two different versions, a version you have to purchase and a free one. After this security problem, the company was able to develop an update exclusively for the paid version. This is a big problem for the people who use the free version, who don’t know that their data is at risk. I am just wondering why there is no update for the free version.
Anyway, thanks for posting this article that covers a different area of this software’s (CCleaner) security issue.