Clarifying what happened and outlining our next steps in protecting CCleaner customers

There has been quite a bit of press coverage today about our announcement that the Piriform CCleaner product was illegally modified during the build process to include a backdoor component. Our first priority is our commitment to the safety and security of our millions of users, and supporting our new partner Piriform as they manage this situation. We understand that given the late disclosure of the massive Equifax data breach 10 days ago, consumers and media are very sensitive, as they should be. As such, as soon as we became aware of this issue, we engaged and solved it. Within approximately 72 hours of discovery, the issue was resolved by Avast with no known harm to our Piriform customers. The purpose of this article is to clarify what actually happened, correct some misleading information that is currently circulating, recap what actions Avast took, and outline next steps.

Avast acquired Piriform, the maker of CCleaner, on July 18, 2017 because Piriform has a great product, and wonderful supporters and users. And we stand by that today. What we didn’t know was that before we completed the acquisition, the bad actors were likely already in the process of hacking into the Piriform systems. The compromise may have started on July 3rd. The server was provisioned earlier in 2017 and the SSL certificate for the respective https communication had a timestamp of July 3, 2017. We strongly suspect that Piriform was being targeted while they were operating as a standalone company, prior to the Avast acquisition.

The compromised version of CCleaner was released on August 15 and went undetected by any security company for four weeks, underscoring the sophistication of the attack. In our view, it was a well-prepared operation and the fact that it didn’t cause harm to users is a very good outcome, made possible by the original notification we received from our friends at security company Morphisec (more on this below) followed by a prompt reaction of the Piriform and Avast teams working together. We continue to be actively cooperating with law enforcement units, working together to identify the source of the attack.

Shortly after the original announcement, a series of press stories were released but many of the details about what happened and the impact on users were surmised. We would like to take this opportunity to correct as much as we can in this article.

Many of the articles implied that 2 billion users were affected with an additional 5 million every week. This comes from the fact that since CCleaner started, it has been downloaded 2 billion times with 5 million a week being currently downloaded, as presented on their website. However, this is several orders of magnitude different from the actual affected users. As only two smaller distribution products (the 32 bit and cloud versions, Windows only) were compromised, the actual number of users affected by this incident was 2.27M. And due to the proactive approach to update as many users as possible, we are now down to 730,000 users still using the affected version (5.33.6162). These users should upgrade even though they are not at risk as the malware has been disabled on the server side.

Avast first learned about the possible malware on September 12, 8:35 AM PT from a company called Morphisec which notified us about their initial findings. We believe that Morphisec also notified Cisco. We thank Morphisec and we owe a special debt to their clever people who identified the threat and allowed us to go about the business of mitigating it. Following the receipt of this notification, we launched an investigation immediately, and by the time the Cisco message was received (September 14, 7:25AM PT), we had already thoroughly analyzed the threat, assessed its risk level and in parallel worked with law enforcement in the US to properly investigate the root cause of the issue.

Following that, the offending CnC server was taken down on September 15, 9:50 AM PT, following Avast collaboration with law enforcement. During that time, the Cisco Talos team, who has been working on this issue in parallel, registered the secondary DGA domains before we had the chance to. With these two actions, the server was taken down and the threat was effectively eliminated as the attacker lost the ability to deliver the payload.

Meanwhile, the Piriform and Avast teams were also busy providing a quick fix for CCleaner users. First, we made sure the currently shipping version (5.34) and previous versions didn’t contain the threat – they did not. Next, we released a fixed version 5.33.6163, identical to 5.33.6162 but with the backdoor removed, and pushed this version as a lightweight automatic update to CCleaner users where it was possible, further reducing the number of impacted customers. We notified the remaining users to upgrade to the latest version of the product as soon as possible (unfortunately, we weren’t able to update the free CCleaner users automatically as the free version doesn’t contain the auto-update functionality).

Some media reports suggest that the affected systems needed to be restored to a pre-August 15th state or reinstalled/rebuilt. We do not believe this is necessary. About 30% of CCleaner users also run Avast security software, which enables us to analyze behavioral, traffic and file/registry data from those machines. Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary. Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary. By similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer.

Customers are advised to update to the latest version of CCleaner, which will remove the backdoor code from their systems. As of now, CCleaner 5.33 users are receiving a notification advising them to perform the update.

We deeply understand the seriousness of the situation, as we do with all security threats. We regret the inconvenience experienced by Piriform’s customers. To reiterate, we accept responsibility for the breach and have implemented the following actions and precautions:

  • The server was taken down before any harm was done to customers
  • We worked immediately with law enforcement to identify the source of the attack
  • We took multiple steps to update our customers who had the affected software version
  • We disclosed everything that happened in a blog when we were cleared to do so
  • We migrated the Piriform build environment to the Avast infrastructure, and are in the process of moving the entire Piriform staff onto Avast internal IT system.

We plan to be issuing more updates on this as we go. We have made it our highest priority to properly investigate this unfortunate incident and to take all possible measures to ensure that it never happens again.