Avast Reveals More Details About CCleaner Malware Incident

Antivirus maker Avast was recently caught off guard by attackers who sneaked malware into what was then the latest version of CCleaner, a popular PC cleanup tool. Avast acquired Piriform, the maker of CCleaner, earlier this July.

Timeline Of Events

Before anything else, Avast wanted to make it clear in its recent post that the attackers may have compromised Piriform’s servers a few weeks before the acquisition happened. However, the malware existed in one of Avast’s products for almost a month, without the company noticing, so this may still end up tainting the company’s reputation a little.


It was also a different security company, MorphiSec, which sells endpoint security solutions to enterprise customers, that first learned about the CCleaner malware on August 20 -- not Avast itself. On September 12, MorphiSec notified Avast and Cisco about the malware and both started their own investigations. Avast also contacted law enforcement on the same day.

On September 14, Cisco’s Talos Intelligence division told Avast about its own findings regarding the malware. On September 15, law enforcement was able to shut down the attackers’ command and control servers, and Avast released CCleaner version 5.34, which no longer contained the malware. On September 18, both Piriform and Cisco’s Talos division made the announcement about the incident.

Affected Users

Avast said that although CCleaner has had over 2 billion installs to date, with 5 million new installs each week, a far smaller number of users was affected. The antivirus company said that only 2.27 million users were affected, and this was mainly because only the 32-bit version of the application was infected.

Only 730,000 users are still actively using the infected version of CCleaner, but they are no longer at risk because law enforcement shut down the command and control servers and Cisco bought the domains from which the attackers were able to control the malware. However, Avast still recommends that users update to the latest version of CCleaner, 5.34, which will remove the malware code from their PCs.

To assure CCleaner users that they won’t be compromised like this again, Avast also started moving the Piriform build environment to the Avast infrastructure and will move the Piriform staff to the Avast internal IT System. Avast said it will release more updates about the incident in the future.

3 comments
  • Kelavarus
    "On September 12, MorphiSec notified Avast and Cisco about the malware and both started their own investigations. Avast also contacted law enforcement on the same day."

    Considering the circumstances surrounding many other security breaches lately, I at least respect them for making this decision. However... I am curious about:

    "On September 18, both Piriform and Cisco’s Talos division made the announcement about the incident."

    While yes, they had released the updated version without the malware 3 days earlier, why wait for 6 days to notify the public about the development? I assume that there are probably (still) file repository sites that have older versions available and there might be people who don't get the latest version every time. If law enforcement told them not to release it, I can understand, but beyond that it seems like they should have made an announcement at the very least on the 15th when the command and control servers were shut down.
  • AnimeMania
    Did Avast release a program that can tell you if you have the malware on your computer?
  • dastiegen
    See the Talos post for signs of infection (existence of a reg key named 'Agromo').

    What Avast isn't discussing is the potential damage to those hundreds of thousands of users who did have the malware on their machine for a few weeks... Did you not ask about this, Lucian?