CCleaner has been a trusted registry and file cleaner since 2003, and is installed on millions of machines worldwide. It is even considered a security tool, because it allows users to modify executables and clean temporary files that could pose risks.
Now, however, CCleaner version 5.33 and CCleaner Cloud version 1.07.3191 for Windows 32-bit systems (both released in the middle of August) are not only performing their usual tasks, but are also working as vehicles for malicious malware. This backdoor can provide an entryway for information stealing, code execution, and even opening remote connections to the infected hosts. It is estimated that approximately 2.3 million systems are infected.
Piriform, the developer of CCleaner under Avast, has stated that 2.27 million machines are running the infected installations of CCleaner. An update is available that removes the backdoor as well as the malware risks included. At this time, it is not believed that any users in the wild have been affected by malware, and the situation is considered under control and under investigation.
However, it’s unclear whether this is really the case. It’s still possible that users running malware-infected versions of CCleaner for up to a month could’ve had their data stolen or their systems compromised in other ways.
How Companies Should Respond to This Incident
What should a company do when software you trust suddenly becomes the source of an attack? It can be difficult to respond to an incident like this, particularly with so much uncertainty as to the exact scale, effect, and even the original cause of the issue.
The best course of action for a company to take if an infected version of CCleaner was present anywhere on the host network is to respond as though a malware incident has occurred:
- Identify: Check machines and file systems for the presence of CCleaner malware (and other malware). This includes identifying any unknown processes, ensuring that all network connections are trusted, pinpointing any suspicious files or recent downloads, and applying any additional patches to virus and malware detection software. Identifying possible persisting threats is the first step to cutting off an attacker.
- Isolate: If suspicious activity, data, programs, or connections are found, isolate them as quickly as possible. Isolation can make it easier to trace possible at-risk files and data, as well as ensure anything that could spread between networks or any outside connections no longer thrives.
- Eradicate: After proper recon and documentation, remove offending materials. This can be more complex than it sounds, depending on the type of malware present. The most likely payloads associated with the CCleaner incident, for example, include remote access capabilities and file risks that may require additional scrubbing. Utilizing a malware or virus removal tool is a good option.
It’s also critical for companies to keep tabs on their software to ensure that, upon discovery of these risks, action is taken as soon as possible. What has happened with CCleaner is unfortunate, but it is not the first nor will it be the last time that an incident like this will occur. Businesses should remain vigilant and selective about the software they use and have applied to their systems.
For help dealing with malware, including identifying it, removing it and defending against it, contact Pivot Point Security.