Alert over booby-trapped security software

  • Published
LaptopImage source, Getty Images
Image caption,

Users of CCleaner are being urged to upgrade to the latest version

A security company has issued a warning, external after its software was compromised by malicious hackers.

Piriform told users a booby-trapped version of its CCleaner software had been made available in August and September.

Millions of people use the CCleaner program to remove unwanted junk from Android phones and Windows PCs.

Piriform's owner, Avast, said it had managed to remove the compromised version before any harm had been done.

It appears that it was only the Windows version of CCleaner that was compromised.

Cleaning up

If the malicious hackers who had managed to subvert the software had not been spotted, they could have remotely taken over the devices of the 2.27 million people who had downloaded version 5.33 of the program, said Paul Yung, from Piriform.

Mr Yung said the company had spotted some "suspicious activity" on 12 September that led it to discover version 5.33 had been "illegally modified" before it had been made available to the public.

The modified version was available for about a month.

The modifications made infected machines contact some recently registered web domains - a tactic often used by cyber-thieves who then use this route to install more damaging software on compromised devices.

The impact of the infection had been limited, said Mr Yung, because relatively few people automatically updated the CCleaner software.

Anyone who had downloaded the compromised version of CCleaner was now being moved to the latest uninfected version, he said.

"To the best of our knowledge, we were able to disarm the threat before it was able to do any harm," said Mr Yung.

He apologised for any inconvenience that had been caused and said the company's investigation into the attack was "ongoing".

Separate analysis by Cisco's Talos security group, external suggests whoever was behind the attack on CCleaner had managed to get access to the server Piriform used to host new versions of the software.

Talos researcher Craig Williams told the Reuters news agency the attack had been "sophisticated" because it had targeted a trusted server and sought to make the booby-trapped version look legitimate.

"There is nothing a user could have noticed," he said.