Computer code
The malware was hidden in a download file, experts said Markus Spiske/Unsplash

CCleaner, a piece of internet security software with more than two billion downloads, was recently hijacked to distribute backdoor malware to more than 2 million unsuspecting victims.

According to a cybersecurity division of Cisco known as Talos, the impact of an attack could have been severe "given the extremely high number of systems possibly affected."

CCleaner, marketed as the "number-one tool for cleaning your PC" boasted at least 2 billion downloads by November of 2016 with a growth rate of five million additional users per week.

The hidden backdoor was found in software version 5.33 and was released on 15 August, Talos said.

The infected version was used by 2.27 million people.

Researchers from Talos said Monday that until 12 September this year, when a new version was released, it was being packaged alongside a malicious copy.

The company's press team said that, if infected, hackers could use the exploit to steal sensitive data and/or credentials which could be used for internet banking or other online activities.

"Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly," Talos researchers wrote in a blog post, revealing that they urgently informed Avast of its findings on 13 September.

CCleaner is maintained by British company Piriform, which was purchased in July this year by security and technology company Avast.

With malware being incorporated into legitimate downloads, the biggest fear was that an outbreak could be similar to the "NotPetya" ransomware attack.

During the installation, the CCleaner download contained a malicious payload that featured a Domain Generation Algorithm (DGA) and a Command and Control (C2) functionality.

The Talos team wrote in an in-depth research analysis: "In reviewing the version history page on the CCleaner download site, it appears that the affected version (5.33) was released on 15 August 2017. On 12 September 2017 version 5.34 was released."

Hacking hands
CCleaner was being distributed with malware, Cisco Talos said this week iStock

It said the CCleaner with the malware was distributed between these two dates.

The booby-trapped version was signed using a valid security certificate that was issued to Piriform by Symantec, which researchers found was valid through to 10/10/2018. Experts said this should now be revoked.

Talos added: "This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organisations and individuals around the world.

"By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files [...] used to distribute updates."

In response to the findings, Paul Yung, vice president of products at Piriform, wrote in a blog post that this company was sorry for the malware incident.

He stated: "Let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker. We're moving all existing CCleaner v5.33.6162 users to the latest version.

"At this stage, we don't want to speculate how the unauthorised code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing."

Now, affected systems need to be restored to a state before 15 August 2017, or reinstalled.