Antivirus maker Avast was recently caught off guard by attackers who sneaked malware into what was then the latest version of CCleaner, a popular PC cleanup tool. Avast acquired Piriform, the makers of CCleaner, earlier this July.
Timeline Of Events
Before anything else, Avast wanted to make it clear in its recent post that the attackers may have compromised Piriform’s servers a few weeks before the acquisition happened. However, the malware existed in one of Avast’s products for almost a month, without the company noticing, so this may still end up tainting the company’s reputation a little.
It was also a different security company, Morphisec, which sells endpoint security solutions to enterprise customers, that first learned about the CCleaner malware on August 20, not Avast itself. On September 12, Morphisec notified Avast and Cisco about the malware, and both started their own investigations. Avast also contacted law enforcement on the same day.
On September 14, Cisco’s Talos Intelligence division told Avast about its own findings regarding the malware. On September 15, law enforcement was able to shut down the attackers’ command and control servers, and Avast released CCleaner version 5.34, which no longer contained the malware. On September 18, both Piriform and Cisco’s Talos division announced the incident.
Avast said that although CCleaner has had over 2 billion installs to date, with 5 million new installs each week, a far smaller number of users was affected. The antivirus company said that only 2.27 million users were affected, and this was mainly because only the 32-bit version of the application was infected.
Only 730,000 users are still actively using the infected version of CCleaner, but they are no longer at risk because law enforcement shut down the command and control servers and Cisco bought the domains from which the attackers were able to control the malware. However, Avast still recommends that users update to the latest 5.34 version of CCleaner, which will remove the malware code from their PCs.
To assure CCleaner users that they won’t be compromised like this again, Avast also started moving the Piriform build environment to the Avast infrastructure and will move the Piriform staff to the Avast internal IT system. Avast said it will release more updates about the incident in the future.