It turns out you can’t even trust your own antivirus provider not to infect your computer with malware.
Hackers managed to hijack a popular PC cleanup tool, CCleaner, meaning that anyone who downloaded or updated it between mid-August and mid-September also downloaded malware without realising it.
CCleaner is a popular piece of software used to clean up your PC by junking unnecessary files.
According to security firm Cisco Talos, hijackers effectively “bundled” malware in with a recent version of CCleaner. The malware allows hackers to potentially get access to the user’s computer, and other connected systems, to steal personal data or credentials.
“We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner’s download server as recently as September 11, 2017,” the researchers wrote.
The trojan potentially affects up to 4 million users — and that number could rise, according to Talos.
CCleaner was created by Piriform, which was acquired by Avast only in July. Avast is the biggest antivirus company outside China and, at the time of the acquisition, said CCleaner was used by 130 million people. In an update about the bug, Piriform estimated that up to 3% of its userbase was affected. That adds up to 3.9 million people.
One reason the attack is so devastating is that it takes advantage of consumer trust in the downloads from their antivirus provider. It’s the one place you’d expect to be safe from malware.
Talos’ researchers wrote: “By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates.”
Talos also speculated that the hijacking may have been an inside job, partly because the malicious code was code-signed by Piriform. That essentially means the firm was guaranteeing its software was safe to download. That could mean an external hacker infiltrated the build process itself, or an insider “intentionally included” the malicious code.
Piriform said: “At this stage, we don’t want to speculate how the unauthorised code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it.”
The firm added: “We apologise and are taking extra measures to ensure this does not happen again.” Piriform said it’s working with US law enforcement to determine who was responsible for the bug.
The bug affects anyone who downloaded CCleaner version 5.33 or updated their version between August 15 and September 12. Talos is advising anyone who’s worried to roll back their systems to a time before August 15, or reinstall them. They will also need to update to the latest version of CCleaner 5.34.
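As an added example (not code from the article, Piriform or Avast), here is the check a Windows administrator could run after reading this: it reads the standard Uninstall registry keys to find CCleaner installs, flags version 5.33, and reports the Authenticode signature of the installed binary. The default CCleaner.exe path is an assumption.

```powershell
# Added example: inventory CCleaner on a Windows host and flag the affected build.
# Version numbers come from the article; the executable path below is assumed.
$affected = [version]'5.33'
$fixed    = [version]'5.34'

# Standard per-machine Uninstall keys (64-bit and 32-bit views)
$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like 'CCleaner*' }

foreach ($app in $installs) {
  $ver = $null
  # DisplayVersion is a string such as "5.33"; parse it leniently
  if ($app.DisplayVersion -and [version]::TryParse($app.DisplayVersion, [ref]$ver)) {
    if ($ver.Major -eq $affected.Major -and $ver.Minor -eq $affected.Minor) {
      $status = 'AFFECTED build 5.33 - reinstall the system or update to 5.34'
    } elseif ($ver -ge $fixed) {
      $status = 'at or above fixed version 5.34'
    } else {
      $status = 'older than 5.33 - not the trojaned build, but update anyway'
    }
  } else {
    $status = 'version could not be parsed - inspect manually'
  }
  [pscustomobject]@{ Name = $app.DisplayName; Version = $app.DisplayVersion; Status = $status }
}

# A valid Authenticode signature is NOT proof of a clean binary in this incident:
# the trojaned build carried Piriform's legitimate signature. Check it anyway to
# catch tampering after download, but never rely on it without the version check.
$exe = Join-Path $env:ProgramFiles 'CCleaner\CCleaner.exe'   # assumed default path
if (Test-Path $exe) {
  $sig = Get-AuthenticodeSignature -FilePath $exe
  [pscustomobject]@{
    File   = $exe
    Status = $sig.Status                       # Valid / NotSigned / HashMismatch ...
    Signer = $sig.SignerCertificate.Subject    # expect the vendor's certificate
  }
}
```

Run it in an elevated PowerShell session; a host reporting the 5.33 status line should be treated as compromised and rolled back or rebuilt, as Talos advises, rather than merely updated.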