CCleaner is a very popular disk utility that allows a user to securely erase certain content from their hard drives – like deleted files and cookies, among many other things.
Coming in both a free and paid version, CCleaner has been used safely by users for years.
Last month, however, hackers managed to inject malware into the CCleaner download. This was not garden-variety malware; it was highly targeted at a select group of tech and telecom companies.
To improve security, CCleaner digitally signs all downloads, and this infected one was no exception. That means that the bad guys managed to insert the malware into the development cycle before the code was signed, and in a way that was not detected during testing. The valid signature showed only that the file came through the vendor's signing process, not that the code inside it was clean.
The infected code was downloaded over two million times!
Without going into the gory details (you can read the Ars Technica article linked below if you want that information), the malware inside the official release of CCleaner, once installed, downloaded second-stage malware, but only to a very select few individuals.
The software included a list of companies to doubly infect, including Intel, Sony, Samsung and a handful of others. The folks that own CCleaner have detected 40 of these doubly infected PCs, but, of course, there might be others.
It is likely that an attack as sophisticated and targeted as this one is state sponsored. The current guess is China.
It SEEMS like this attack has been contained, but what if the attackers had not been focused on stealing intellectual property from specific tech firms? What if the hackers had been bent on doing damage? Let’s say the software had erased or encrypted the data on all two million computers rather than on only 40. And what if it had provided no way to get the data back? That would likely have had cost, compliance and brand damage implications, and maybe even health and life safety implications.
If YOU develop software, you could be the next CCleaner. You could be distributing very nasty malware.
What if it happened to your PC? Or the software that you distribute? Are you ready to deal with it?
Information for this post came from Ars Technica.