According to the company, the CCleaner app had been downloaded more than 2 billion times as of November a year ago, and desktop users install it at a rate of 5 million a week. The malware reportedly tried to connect to unregistered websites in order to remotely download further harmful programs onto users' computers.
Not only were new users downloading the software for the first time affected, but so was any user who updated their version of CCleaner during that period; either could now have malware installed on their system. The blog post claims that parent company Avast identified suspicious activity on September 12, when it saw an unknown IP address receiving data from software installed in version 5.33.6162 of CCleaner and version 1.07.3191 of CCleaner Cloud on 32-bit Windows systems. "To the best of our knowledge, we were able to disarm the threat before it was able to do any harm", the blog post reads.
"This is very troublesome because it indicates that attackers were able to control a critical piece of the infrastructure used by the vendor". It said this attack is particularly concerning given the wide distribution of CCleaner, which Avast said had 2 billion total downloads as of November 2016. However, there are a few factors that limited the number of infections, one of which is that for users of the free version of CCleaner, updates are not automatic.
Piriform estimated that 2.27 million people used the infected software, and that 5,000 installations of CCleaner Cloud had received the malicious update to that software.
That means some Windows users of CCleaner could have had their machines compromised for more than a month, given that the affected versions of the tool were released on August 15 and August 24 respectively. In view of these two factors, they said it was likely that an external attacker had compromised a part of the CCleaner development or build environment and inserted malware into the CCleaner build.
CCleaner, which is available for Mac and PC, deletes unwanted files, browser clutter and other unwanted computer paraphernalia.
Cisco's Talos security group said the affected version of CCleaner was available on Piriform's website from 15 August to 12 September, or almost one month.
This security threat was discovered last week, on the 13th of September. Hackers added backdoor code, to be used for additional malware uploads at a later date.
Piriform issued a statement on September 18th, 2017.
"At this stage, we don't want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it", Yung stated. Piriform said it's working with U.S. law enforcement to determine who was responsible for the bug.
The affected software included version 5.33.6162 of CCleaner, and version 1.07.3191 CCleaner Cloud for 32-bit Windows, which were released on 15 August and 25 August, respectively.
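Because only two exact builds on 32-bit Windows carried the backdoor, the first defensive step is an inventory sweep that matches installed versions precisely rather than by string prefix. The following is an added example, not code from Piriform, Avast or the article; the CSV inventory format, the host names and the clean "5.34.1000" build are constructed for illustration, and the `arch` column is assumed to describe the installed binary.

```python
"""Flag endpoint inventory entries running the CCleaner builds named in the article."""
import csv
import io

# Builds the article identifies as carrying the backdoor: product -> (version, architecture).
AFFECTED_BUILDS = {
    "CCleaner": ((5, 33, 6162), "x86"),
    "CCleaner Cloud": ((1, 7, 3191), "x86"),
}


def parse_version(text):
    """Turn '5.33.6162' into (5, 33, 6162) so comparison is numeric, not lexical.

    Leading zeros ('1.07.3191') normalise away; anything that is not dotted
    integers raises ValueError so a malformed record is reported, not silently ignored.
    """
    parts = text.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version, arch):
    """True only for an exact match on a named build and a 32-bit install."""
    entry = AFFECTED_BUILDS.get(product)
    if entry is None:
        return False
    bad_version, bad_arch = entry
    return parse_version(version) == bad_version and arch.lower() == bad_arch


def triage_inventory(csv_text):
    """Return (affected_hosts, unparsable) from a CSV with host,product,version,arch columns.

    Records that cannot be parsed go into the second list with a reason, so the
    analyst sees what still needs a manual look instead of a falsely clean report.
    """
    affected, unparsable = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            if is_affected(row["product"], row["version"], row["arch"]):
                affected.append(row["host"])
        except (ValueError, KeyError) as exc:
            unparsable.append((row.get("host"), str(exc)))
    return affected, unparsable


# Constructed sample inventory (hypothetical hosts; 5.34.1000 is a made-up clean build).
SAMPLE_INVENTORY = """host,product,version,arch
ws-001,CCleaner,5.33.6162,x86
ws-002,CCleaner,5.33.6162,x64
ws-003,CCleaner,5.34.1000,x86
ws-004,CCleaner Cloud,1.07.3191,x86
ws-005,CCleaner,5.33.6162 beta,x86
"""

if __name__ == "__main__":
    hits, problems = triage_inventory(SAMPLE_INVENTORY)
    print("affected hosts:", hits)
    print("needs manual review:", problems)
```

Run stand-alone, the script reports ws-001 and ws-004 as affected, leaves the 64-bit and newer installs alone, and sends ws-005 to manual review because its version field is not a clean dotted number.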