Anyone who has used a computer running the Windows operating system knows that performance seems to deteriorate over time, and it can be helpful to clean things up and optimize the system every once in a while. CCleaner is a popular free software product developed for just that purpose. Unfortunately, CCleaner itself was compromised, and the trojanized build was distributed to an estimated 2.27 million users.
A blog post from Piriform, the makers of CCleaner, explains, “An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.”
The malicious code collects a variety of details about the compromised system, reconnaissance-type information that could be used to select targets for later stages of an attack. According to Piriform's analysis of the code, it collects:
- Name of the computer
- List of installed software, including Windows updates
- List of running processes
- MAC addresses of the first three network adapters
- Additional information, such as whether the process is running with administrator privileges, whether it is a 64-bit system, etc.
There aren’t many other details at this point. Piriform states, “At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing.”
A spokesperson for Avast, which acquired Piriform in July, told TechCrunch, “We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.”
Avast also claims that no customers running CCleaner on Android mobile devices were affected by this compromise.
Michael Patterson, CEO of Plixer, stresses that questionable or suspicious behavior by otherwise legitimate software makes it more difficult to determine what is malicious and what is not. “Any and all software developed for internet use can be hacked and compromised. Due to the behavior of approved software, it has made the detection of unwanted software and malware difficult to track down.”
Some activity is obviously and always malicious, such as ransomware that encrypts all of your data and holds it hostage. Many other actions fall into a large gray area and could be benign or malicious depending on the context and on what the results are used for. The data the CCleaner backdoor collects is a case in point: a legitimate inventory or update agent also reads the computer name, the installed-software list, the running processes and the adapter MAC addresses, so the collection itself looks normal and only its destination and purpose make it reconnaissance. Because so many programs routinely perform actions from this gray area, it is challenging, as Patterson points out, to separate the good from the bad and identify malicious activity.
Patterson claims, "The industry is in dire need of laws which specify how data can be collected from customers and where it can go and how it must behave (e.g. interacting with the DNS). Without these laws, it becomes nearly impossible to uncover traffic anomalies and network traffic analytics is the only fallback for investigating odd communication patterns."
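The kind of traffic analytics Patterson refers to can be illustrated with a small example. The script below is an added illustration, not code from the article, from Plixer, or from the actual backdoor, and it does not reflect the real indicators of the CCleaner incident. It runs over a constructed endpoint log of DNS answers and outbound connections and flags connections to external IP addresses that were never returned by a DNS lookup earlier in the log, the pattern a backdoor "receiving code from a remote IP address" would produce if it hard-coded its server instead of resolving a name. The log format, process names, and addresses are all assumptions made up for the example; the sample uses documentation (TEST-NET) ranges so it matches nothing real.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample endpoint log (illustrative only; not from the article or any real telemetry).
# Assumed line format: "<timestamp> <event> <process> <detail>"
#   DNS     detail = "<queried name> -> <answer ip>"
#   CONNECT detail = "<destination ipv4>:<port>"
SAMPLE_LOG = """\
2017-09-13T10:00:01 DNS     cleaner.exe  updates.vendor.test -> 203.0.113.10
2017-09-13T10:00:02 CONNECT cleaner.exe  203.0.113.10:443
2017-09-13T10:00:03 CONNECT cleaner.exe  192.168.1.20:445
2017-09-13T10:05:40 CONNECT cleaner.exe  198.51.100.77:443
2017-09-13T10:06:00 DNS     browser.exe  www.example.test -> 192.0.2.5
2017-09-13T10:06:01 CONNECT browser.exe  192.0.2.5:80
2017-09-13T10:07:12 CONNECT browser.exe  192.0.2.9:80
"""

# RFC 1918, loopback and link-local ranges: connections here are internal and not
# the kind of "remote IP" traffic we are looking for. Listed explicitly rather than via
# ipaddress.is_private, because is_private also covers the TEST-NET ranges used above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address lies in one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_unresolved_connections(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, process, ip) for each outbound CONNECT whose destination
    is external and never appeared as a DNS answer earlier in the log.

    A hit is a lead, not a verdict: a legitimate process may reuse a cached
    resolution from before the log window, which is exactly the gray area the
    article describes.
    """
    resolved = set()
    flagged = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, proc, detail = raw.split(maxsplit=3)
        if event == "DNS":
            # Remember every answer seen so far, regardless of which process asked.
            _name, _, answer = detail.partition(" -> ")
            resolved.add(answer.strip())
        elif event == "CONNECT":
            ip, _, _port = detail.rpartition(":")  # IPv4 only in this example
            if is_internal(ip) or ip in resolved:
                continue
            flagged.append((ts, proc, ip))
    return flagged


if __name__ == "__main__":
    for ts, proc, ip in find_unresolved_connections(SAMPLE_LOG):
        print(f"{ts} {proc} connected to {ip} with no preceding DNS answer")
```

On the constructed log the rule flags two connections: cleaner.exe reaching 198.51.100.77 with no prior lookup, and browser.exe reaching 192.0.2.9. The second is the gray area in practice; only context (what the process is, whether the address is known, whether the connection recurs on a schedule) tells an analyst which of the two deserves an investigation.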