Avast executives today attempted clarify and mitigate the public relations damage done when its CCleaner computer maintenance app was discovered to have exposed 2 million users by saying the malware was likely injected prior to Avast's purchase of CCleaner and that to their knowledge no harm came to anyone.
In a blog posted today Avast's Vince Steckler, CEO, and Ondřej Vlček, CTO and executive vice president of consumer business, said the company's investigation points to the backdoor being installed around July 3, or about two weeks prior to Avast's acquisition of Piriform, which created and originally distributed CCleaner.
“The server was provisioned earlier in 2017 and the SSL certificate for the respective https communication had a timestamp of July 3, 2017. We strongly suspect that Piriform was being targeted while they were operating as a standalone company, prior to the Avast acquisition,” they wrote.
The compromised version of CCleaner was released on August 15 and was not detected by Avast until the cybersecurity firm Morphisec informed it of the problem on September 12. Steckler said one reason it took so long to detect was the malware's sophistication.
“We thank Morphisec and we owe a special debt to their clever people who identified the threat and allowed us to go about the business of mitigating it,” the blog said.
Steckler also stated for the record how many people were initially impacted, saying 2.27 million users had downloaded the effected CCleaner version and were thus exposed to the backdoor. However, with the release of patched version 5.33.6162 the number of people still exposed has dropped to 730,000 as the rest have updated their software.
With Morphisec's information in hand Avast launched an investigation and three days later, working with law enforcement, the command and control server working with the malware was taken down.
"Taking down a server, even if it is proven to be used for malicious activity, can only be done through law enforcement units, and usually only after issuing a court order. Doing all of this and taking a server down in 72 hours is actually a very good result. The public disclosure happened the next working day, i.e. Monday September 18, after getting clearance from the law enforcement authorities,” Vlček told SC Media.
Simultaneously, Avast and Piriform checked and found the latest CCleaner build, version 5.34, did not contain the backdoor and pushed the clean version out as an automatic update to those using the cloud version. Other users have to update the software manually, which the company recommends be done immediately.
Steckler also admitted that the company dodged a bullet noting the malware's full payload never executed.
“Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary,” he said.
In addition to fixing the issue the company has moved CCleaner's build environment to Avast's infrastructure and is in the process of shifting Piriform's staff onto its new parent's network.