A popular anti-malware tool has been identified as the culprit for why over 2 million users have found themselves infected… with malware.
CCleaner – a popular anti-malware tool recently acquired by security firm Avast – boasts over 2 billion downloads, and is extremely popular with tech-savvy users looking to speed up their machines.
However, sometime in late August things went very wrong as users updated their version of CCleaner to v5.33, because this update contained malware: more specifically, code that could collect certain information about a device and transmit it to a server based in the US. The code also installed a potential backdoor that would potentially allow criminals to access an infected device (though there is no evidence that this actually happened).
The breach was discovered independently by Cisco Talos, who immediately alerted Avast.
The malware in the update duly installed itself on any device that installed the CCleaner update, which was around 2 million devices.
So how did a legitimate (digitally signed) update from a well-regarded anti-malware vendor end up containing malware?
It’s what is called a supply chain attack. Cyber criminals don’t go after the end user – they go after the software developers. This way it is the end user themselves that will install the malware in the guise of a legitimate update that they will naturally trust.
This means at some point, criminals attacked the development computers belonging to CCleaner and injected malicious code into their software, which was then distributed to their customers via an update.
So if you use CCleaner, ensure you no longer have v5.33 and have updated to v5.34 as soon as you can. Paid users should have the update applied automatically; free version users need to install it manually. If you did have v5.33 installed, an antivirus scan may be advised.
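As an added example, not from the article or from Avast, here is a PowerShell check an administrator could run on a Windows host to confirm which CCleaner release is installed and flag the trojanised v5.33. It assumes CCleaner registers itself under the standard Uninstall registry keys with a DisplayName beginning "CCleaner" and a DisplayVersion such as "5.33.6162"; the version numbers used are the ones the article gives.

```powershell
# Added example (not from the article): report the installed CCleaner
# version on a Windows host and flag the trojanised v5.33 release.
# Assumption: CCleaner appears under the standard Uninstall registry keys
# with a DisplayName starting "CCleaner" and a DisplayVersion like "5.33.6162".
# Run in an elevated PowerShell session.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$badVersion   = [version]'5.33'   # release the article identifies as trojanised
$fixedVersion = [version]'5.34'   # release the article says to update to

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' -and $_.DisplayVersion }

if (-not $entries) {
    Write-Output 'CCleaner not found in the Uninstall registry keys.'
    return
}

foreach ($entry in $entries) {
    try {
        # DisplayVersion may carry a build number ("5.33.6162"); compare on major.minor only
        $full      = [version]$entry.DisplayVersion
        $installed = [version]('{0}.{1}' -f $full.Major, $full.Minor)
    } catch {
        Write-Output ("Could not parse version '{0}' for {1}" -f $entry.DisplayVersion, $entry.DisplayName)
        continue
    }

    if ($installed -eq $badVersion) {
        Write-Output ("ALERT: {0} {1} is the trojanised release. Update to v5.34 and run a full antivirus scan." -f $entry.DisplayName, $entry.DisplayVersion)
    } elseif ($installed -lt $fixedVersion) {
        Write-Output ("WARN: {0} {1} predates the fix. Update to v5.34." -f $entry.DisplayName, $entry.DisplayVersion)
    } else {
        Write-Output ("OK: {0} {1} is v5.34 or later." -f $entry.DisplayName, $entry.DisplayVersion)
    }
}
```

The check reads the registry rather than trusting the application's own "check for updates" dialog, which matters in a supply chain compromise: the update channel itself is the thing that was abused, so an independent inventory of installed versions across a fleet is the more reliable starting point for remediation.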
A supply chain attack was also responsible for kick-starting the NotPetya ransomware attack earlier in 2017 by infecting an update for a popular Ukrainian accounting software called MeDoc.