CCleaner News: Hacker Spreads Malware Over 2 Million Computers Ironically Through Exploiting Security Software

It was recently discovered that a hacker was able to spread malware to more than 2 million computers, ironically by using the popular security software called CCleaner.

London-based developer Piriform confirmed in a blog post that up to 2.27 million people have downloaded the compromised CCleaner tools.

The security issue was discovered last week by the firm Cisco Talos during a customer beta testing activity they launched on Sept. 13 for their "new exploit detection technology."


"Cisco Talos identified a specific executable which was triggering our advanced malware protection systems," the firm revealed in an official statement.

When they took a closer look at what was alerting their malware detection service, Cisco Talos discovered that the issue was linked to Piriform's CCleaner version 5.33 installer. Making it worse was the fact that the security firm was able to confirm that the infected installer was an authentic copy from "legitimate CCleaner download servers."

CCleaner is a tool used for optimizing computers as it gets rid of digital junk that normally would not be removed by simply clicking "Delete." With this, the software promised that a computer will be able to perform faster and will be more secure.

As Talos dug deeper into why CCleaner – legitimate software with Piriform's genuine digital signature – was triggering their malware detection program, they discovered that when users downloaded it, an unauthorized application came along with it.

"During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner's download server as recently as September 11, 2017," Talos stated.

Piriform executive Paul Yung posted a statement on their blog page to address the issue and apologized to users who have been affected by the breach.

In their own investigation, Yung revealed they had spotted "suspicious activity" on Sept. 12 – earlier than Talos' detection – where they found "an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems."

Piriform then admitted that these CCleaner versions were "illegally modified before it was released to the public." The company has also contacted the authorities to help them crack the case.

Meanwhile, Piriform reiterated that the issue has been "resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we're moving all existing CCleaner v5.33.6162 users to the latest version."

Piriform maintained that updates were automatically issued for users who have installed the infected CCleaner tools.
