Thousands of Australians are today finding out that the CCleaner software they downloaded to fix and clean up their PCs also delivered malware.
The distribution of the malware is believed to have been going on for as long as a month: throughout that period the CCleaner system maintenance application has been distributing malware through its official channels.
It appears to have been an exploit of the CCleaner installer’s download server, meaning that whenever anyone downloaded the software via official means, they also unwittingly downloaded a piece of malware.
What has been revealed is that a version of CCleaner downloaded in August included remote administration tools that tried to connect to several unregistered web pages, presumably to download additional unauthorised programs, security researchers at Cisco’s Talos unit said.
Talos researcher Craig Williams said it was a sophisticated attack because it penetrated an established and trusted supplier, in a manner similar to June’s NotPetya attack on companies that downloaded infected Ukrainian accounting software.
‘There is nothing a user could have noticed,’ Mr Williams said, noting that the optimisation software had a proper digital certificate, which means that other computers automatically trust the program.
In a blog post, Piriform confirmed that two programs released in August were compromised.
It advised users of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 to download new versions.
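For readers responsible for a fleet of machines, the practical first step is to find which hosts are running the two builds Piriform named. The script below is an added example and is not code from the article, Piriform or Talos: it takes a software inventory in a constructed CSV form (host, product, version; the format is an assumption), normalises version strings such as "v5.33.6162", and reports the hosts on the affected builds. The two affected version numbers are the ones quoted from Piriform's advisory above; every other version string in the sample inventory is made up.

```python
"""Triage a software inventory for the compromised CCleaner builds.

Added example, not from the article or from Piriform/Talos. The affected
version numbers come from Piriform's advisory as quoted in the article;
the inventory format (host,product,version) is an assumption and the
sample rows are constructed.
"""
from __future__ import annotations

import csv
import io

# Exact builds Piriform named as compromised (from the article).
AFFECTED: dict[str, tuple[int, ...]] = {
    "CCleaner": (5, 33, 6162),
    "CCleaner Cloud": (1, 7, 3191),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'v5.33.6162' or '5.33.6162' into (5, 33, 6162).

    Leading 'v' is dropped, each dotted component is read as an integer
    (so '07' compares equal to '7'), and parsing stops at the first
    component with no digits, which ignores suffixes like '-beta'.
    """
    parts: list[int] = []
    for piece in text.strip().lstrip("vV").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(product: str, version: str) -> bool:
    """True only for the exact builds Piriform listed; other builds are not flagged."""
    target = AFFECTED.get(product.strip())
    return target is not None and parse_version(version) == target


def triage(inventory_csv: str) -> list[dict[str, str]]:
    """Return one record per host that is running a compromised build."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    hits: list[dict[str, str]] = []
    for row in reader:
        if is_affected(row["product"], row["version"]):
            hits.append({
                "host": row["host"].strip(),
                "product": row["product"].strip(),
                "version": row["version"].strip(),
            })
    return hits


# Constructed sample inventory. Only the two affected version strings are
# real; the remaining version numbers are invented for illustration.
SAMPLE_INVENTORY = """host,product,version
ws-001,CCleaner,v5.33.6162
ws-002,CCleaner,5.32.0001
ws-003,CCleaner Cloud,1.07.3191
ws-004,CCleaner,5.34.0001
ws-005,CCleaner Cloud,v1.06.0001
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_INVENTORY):
        print(f"{hit['host']}: {hit['product']} {hit['version']} is a compromised build")
```

The match is deliberately exact rather than "anything older than the fix", because the article only names the two builds Piriform confirmed; a host that turns up here should be treated as having run the malicious installer, not merely as out of date.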
Although malware of all types is most commonly spread through phishing attacks such as infected attachments and phony links, a tactic that is seeing a lot of success is infecting trusted platforms. Whether it is hijacking legitimate distribution accounts or, as in this case, the download servers themselves, it leaves victims vulnerable to infection even if they observe proper personal security practices.
The payload for this malware attack has several tasks once installed. As Talos describes in its breakdown of the malware attack, it first lays dormant to avoid automated detection systems, before checking to see if it has admin access. If not, it shuts itself down to avoid detection, but if it does, it proceeds to gather information on the system and then sends it to a remote server for later collection.
It then looks to connect to several other domains, leading to the potential download of more malicious software.
Piriform, the software’s developer, has since issued an apology for the exploit affecting so many of its customers.