When news broke yesterday that CCleaner had been hacked and a dangerously modified version had been available to download for a number of weeks, there were understandable concerns from the program's large userbase. And the concern is well-placed -- some 2.27 million machines are thought to have installed the infected software.
Avast now has something of a PR nightmare on its hands as it tries to rebuild the trust of its users. To this end, company CEO Vince Steckler and CTO Ondřej Vlček have written an article clarifying what happened with CCleaner, and give some details about how they plan to protect their customers -- as well as "correct[ing] some misleading information that is currently circulating."
The pair start off by trying to play down the impact of what happened, whilst admitting that in the light of the recent Equifax data breach, people are particularly sensitive about security at the moment. "As soon as we became aware of this issue, we engaged and solved it. Within approximately 72 hours of discovery, the issue was resolved by Avast with no known harm to our Piriform customers."
July 3 -- Evidence suggests hackers breached Piriform's IT systems.
July 18 -- Avast decides to buy Piriform, the company behind CCleaner.
August 15 -- Piriform, now part of Avast, releases CCleaner 5.33. The 32-bit version (CCleaner 5.33.6162) included the Floxif trojan.
August 20 and 21 -- MorphiSec's security product detects first instances of malicious activity (malware was collecting user credentials and sending it to a remote server), but MorphiSec does not notify Avast.
August 24 -- Piriform releases CCleaner Cloud v1.07.3191 that also includes the Floxif trojan.
September 11 -- MorphiSec customers share detection logs detailing CCleaner-related malicious activity with the company's engineers.
September 12 -- MorphiSec notifies Avast and Cisco of the suspicious CCleaner activity. Avast starts its own investigation and also notifies US law enforcement. Cisco also starts its own investigation.
September 14 -- Cisco notifies Avast of its own findings.
September ?? -- Cisco had registered, in the meantime, all the domains that the malware would have used in the future to determine and calculate the C&C server IP address.
September 15 -- Following a collaboration between Avast and law enforcement, the malware's C&C server was taken down.
September 15 -- Avast releases CCleaner 5.34 and CCleaner Cloud 1.07.3214 that removes the Floxif malware.
September 18 -- CCleaner incident becomes public following Cisco and MorphiSec reports.
Steckler and Vlček say the attack was highly sophisticated, hence it going undiscovered for four weeks. "In our view, it was a well-prepared operation and the fact that it didn’t cause harm to users is a very good outcome," they say. The duo then try to play down the number of people who where affected by the infected version of the software, almost managing to play the Fake News card:
Many of the articles implied that 2 billion users were affected with an additional 5 million every week. This comes from the fact that since CCleaner started, it has been downloaded 2 billion times with 5 million a week being currently downloaded, as presented on their website. However, this is several orders of magnitude different from the actual affected users. As only two smaller distribution products (the 32 bit and cloud versions, Windows only) were compromised, the actual number of users affected by this incident was 2.27M. And due to the proactive approach to update as many users as possible, we are now down to 730,000 users still using the affected version (5.33.6162). These users should upgrade even though they are not at risk as the malware has been disabled on the server side.
Working with Piriform, Avast produced a clean version of CCleaner which was pushed to users -- were possible -- as an automatic update. People running the free version of CCleaner do not have an automatic update function available to them, so Avast simply informed them that they would need to manually update.
The blog post goes on to say that media reports about what customers should do in response to the compromised software were exaggerated:
Some media reports suggest that the affected systems needed to be restored to a pre-August 15th state or reinstalled/rebuilt. We do not believe this is necessary. About 30 percent of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary. Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary. By similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer.
Customers are advised to update to the latest version of CCleaner, which will remove the backdoor code from their systems. As of now, CCleaner 5.33 users are receiving a notification advising them to perform the update.
More news is promised by Avast as investigations continue. Promising to do everything possible to prevent the same thing happening again, the blog post adds:
We deeply understand the seriousness of the situation, as we do with all security threats. We regret the inconvenience experienced by Piriform’s customers. To reiterate, we accept responsibility for the breach.
As an extra measure, the entire Piriform staff will be moved onto Avast's internal IT system -- something which has already been done for the Piriform build environment.