Draughty Backdoor in popular application.

It was revealed a couple of days ago that a widely used application had a backdoor in it. A specific version of CCleaner, a well-known utility for doing housekeeping on computers, had been compromised by evildoers. What makes this somewhat more concerning, at first glance, is that CCleaner is a product owned by Avast, a well-known security software vendor. How could they possibly have been hacked?

Actually, Avast was not the company that had been breached. It was a company called Piriform, the original creators of CCleaner. Avast bought Piriform in July 2017, but Piriform was already compromised at that time. I’ll take you through the timeline, explain what a backdoor is, and say what you should do if you were affected.

Update – 21st September 2017:

Cisco have been continuing to analyse what went on and have discovered that this backdoor may have been used to target specifically named corporations, namely Intel, Microsoft, Samsung, Sony, HTC, VMWare, Linksys, Cisco, Vodafone and more. They analysed the controlling server, which law enforcement shut down, and found that at least 20 machines had some malicious software downloaded to them (what they refer to as “Stage 2 Payloads”). This number could possibly rise, as this is an active investigation.

While this appears to be a targeted attack, I would still urge extreme caution. If you used the compromised version of CCleaner, please do follow the suggestions below, which will mitigate any risk of compromise.

The remainder of this article below remains as originally posted.

Timeline of events:

  • First week in July: It would seem this was when hackers compromised Piriform’s development systems.
  • July 18: Avast buys Piriform, the company that created CCleaner.
  • August 15: CCleaner version 5.33 is released. The CCleaner 5.33.6162 installer includes the backdoor, but this only works on 32-bit systems.
  • August 24: CCleaner Cloud version 1.07.3191 is released and this also includes the backdoor.
  • September 12: A company called Morphisec had detected some unusual activity around CCleaner 5.33 and so they notified Avast and also Cisco. Avast starts its own investigation and also notifies US law enforcement. Cisco also starts its own investigation.
  • September 14: Cisco tells Avast what it has found; around the same time, Cisco had also taken some steps to prevent the backdoor from being effective.
  • September 15: Following a collaboration between Avast and law enforcement, the evildoers’ server that controlled the backdoor was shut down. Avast releases clean versions, CCleaner 5.34 and CCleaner Cloud 1.07.3214, that remove the backdoor.
  • September 18: The incident comes to public attention, following Avast, Cisco and Morphisec reports.

A backdoor might not sound dangerous, but it is:

What happened in this case was that the bad guys managed to gain access to Piriform’s software development systems and implanted computer code that created a backdoor in CCleaner. This went undetected, and so the compromised version of CCleaner, version 5.33, was released. People would have downloaded this, or updated to it, as paid versions of CCleaner have an automatic update feature.

So the backdoor in this case effectively meant that that version of CCleaner would have occasionally made contact with servers on the internet controlled by the bad guys and looked for new instructions. The hackers could have put any malicious code they wanted on these servers, and this would have almost certainly affected the victim’s machine, regardless of the protections that were in place (antivirus, firewalls, etc.). They could have loaded ransomware onto the victim’s machine, or something that would have stolen banking credentials.

What you should do if you were affected:

Avast recommend simply installing version 5.34, which will remove the nasty backdoor. Cisco’s detailed write-up doesn’t offer much in the way of guidance, but their work on this pretty much hobbled the malicious software.

However, looking at the timeline, the infected software was available from 15th August and nothing was detected until 12th September. So that’s 27 days during which this thing could have been doing something evil. There’s no evidence to say that anything happened, but there’s no evidence that nothing happened either. It’s possible that other malicious software has been deployed on affected machines.

I would therefore be of the view that any machine that had this software installed is potentially still compromised. The safest course of action is to wipe the machine and reset it to factory settings. I would also change any passwords for e-mail, banking, social media and other online services. Maybe even bite the bullet and give your online accounts the best protection possible. I know this is a pain in the ass, but because there is uncertainty, I wouldn’t take the risk.
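As an added example (not part of the original post, and not Avast’s or Cisco’s tooling), here is a small triage script that applies the version list and advice above to a software inventory: hosts on the backdoored build on a 32-bit system get the wipe-and-reset-passwords treatment, 64-bit hosts with the same installer just need the clean update, and anything else is left alone. The inventory records, hostnames and the “x86”/“x64” labels are constructed.

```python
# Added example: triage a software inventory against the CCleaner builds the
# post names as backdoored. Hostnames and inventory lines are constructed.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Builds the post's timeline identifies as carrying the backdoor.
BACKDOORED: Dict[str, Version] = {
    "CCleaner": (5, 33, 6162),
    "CCleaner Cloud": (1, 7, 3191),
}


def parse_version(text: str) -> Version:
    """'5.33.6162' -> (5, 33, 6162); '1.07' -> (1, 7). Raises on garbage."""
    return tuple(int(p) for p in text.strip().split("."))


def matches(seen: Version, known: Version) -> bool:
    """Prefix match, so an inventory that only recorded '5.33' still matches the
    5.33.6162 build. Conservative: when the build number is unknown, assume the worst."""
    n = min(len(seen), len(known))
    return seen[:n] == known[:n]


def triage(product: str, version: str, arch: str) -> str:
    """Action for one host, following the post's advice:
    'wipe'    backdoored build on 32-bit: backdoor is live, rebuild and rotate passwords
    'update'  backdoored installer on 64-bit: post says it only works on 32-bit
    'ok'      any other version (5.32 before, 5.34 / 1.07.3214 after)
    'unknown' product the post does not cover"""
    if product not in BACKDOORED:
        return "unknown"
    if not matches(parse_version(version), BACKDOORED[product]):
        return "ok"
    return "wipe" if arch == "x86" else "update"


def triage_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Group hostnames by action from 'host, product, version, arch' CSV lines."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        host, product, version, arch = (f.strip() for f in line.split(","))
        out.setdefault(triage(product, version, arch), []).append(host)
    return out


# Constructed inventory for demonstration, not real hosts.
SAMPLE_INVENTORY = [
    "ws01, CCleaner, 5.33.6162, x86",       # backdoored, 32-bit -> wipe
    "ws02, CCleaner, 5.33.6162, x64",       # same installer, 64-bit -> update
    "ws03, CCleaner, 5.32, x86",            # the version before -> ok
    "ws04, CCleaner Cloud, 1.07.3191, x86", # backdoored Cloud build -> wipe
    "ws05, CCleaner Cloud, 1.07.3214, x86", # clean Cloud build -> ok
    "ws06, CCleaner, 5.33, x86",            # build not recorded -> assume worst
]

if __name__ == "__main__":
    for action, hosts in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{action:8s} {', '.join(hosts)}")
```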

I had the free version 5.32 of CCleaner installed on my personal desktop, so I don’t need to worry. I might wait for the dust to settle before I upgrade it though.