CCleaner, a popular PC-cleaning utility used by over 130 million people, put its users at risk after hackers were able to insert malware into legitimate downloads. Security researchers at Cisco Talos discovered a malicious piece of code, injected by the attackers, that could have affected more than 2 million users who downloaded the most recent update.
According to Avast, around 2.27 million people ran the affected software, which was delivered via a hacked server. The impact is damaging, but considering that the application has amassed over 2 billion downloads and adds around 5 million new users each month, it could have been significantly worse. The company said it has already forced updates of the affected version and in its own words was “able to disarm the threat before it was able to do any harm”.
This is an unusual attack, as software like CCleaner is trusted by consumers and is meant to remove crapware from a system. By exploiting the trust relationship between software vendors and the users of their software, attackers ride on a trust that users have already granted. The malware itself appears to have been designed to enlist infected PCs in a botnet (a group of computers controlled in a coordinated fashion for malicious purposes).
The malware doesn’t seem to have affected any machines in the wild. In a blog post, the company’s vice president of products, Paul Yung, states that the company identified the attack on Sept. 12 and had taken the appropriate action even before Cisco Talos notified them of their discovery. Yung says the attack was limited to CCleaner and CCleaner Cloud on 32-bit Windows systems; fortunately, most modern PCs will likely be running the 64-bit version.
In the past, attackers would create fake copies of popular applications and trick people into downloading them. The trend now, however, is to attack the download source directly and gain access to the legitimate servers. Once they are in, it’s a case of loading the trusted software with a nefarious payload, with the end user none the wiser. This is a prime example of the lengths attackers are willing to go to in their attempts to distribute malware to organizations and individuals around the world.
The intent of the attack is unclear at this time, though Avast says the code was able to collect information about the local system.