Avast: Cisco Talos didn't discover CCleaner compromise first

Avast claims Morphisec uncovered malware before Cisco and that the compromise began before its acquisition of Piriform

Avast, the anti-virus firm that owns CCleaner, has sought to clarify details about the malware that had found its way onto version 5.33 of the popular PC maintenance tool, playing down Cisco Talos' involvement in finding the breach, as well as the number of users affected.

In a blog post attributed to the company's CEO Vince Steckler and chief technology officer Ondrej Vlcek, Avast suggested that the compromise of the application may already have begun before it acquired Piriform, the London-based maker of CCleaner, on 18 July 2017.

"The server was provisioned earlier in 2017 and the SSL certificate for the respective 'https' communication had a timestamp of 3 July 2017. We strongly suspect that Piriform was being targeted while they were operating as a standalone company, prior to the Avast acquisition," it said.

Avast admitted that the compromised version of CCleaner was released on August 15 and went undetected by any security company for four weeks.

Yesterday, researchers from Cisco Talos said that they "decided to move quickly", notifying Avast of their findings on the same day they discovered the issue (13 September) so that the company could take equally speedy action. However, Avast said that it first learned of the malware from a company called Morphisec on 12 September.

"We believe that Morphisec also notified Cisco. We thank Morphisec and we owe a special debt to their clever people who identified the threat and allowed us to go about the business of mitigating it," the company said.

"Following the receipt of this notification, we launched an investigation immediately, and by the time the Cisco message was received (14 September at 7:25am, PT), we had already thoroughly analysed the threat, assessed its risk level and in parallel worked with law enforcement in the US to properly investigate the root cause of the issue," it added.

Avast said that following this, the command and control server was taken down as a result of its collaboration with law enforcement. At the same time, it claimed that the Cisco Talos team registered the secondary DGA domains "before [Avast] had the chance to".

"With these two actions, the server was taken down and the threat was effectively eliminated as the attacker lost the ability to deliver the payload," Avast said.

The antivirus software maker emphasised that while CCleaner does have two billion users, with an additional five million per week downloading the app, the actual number of users affected by the incident was 2.27 million. This was because only two smaller distribution products, the 32-bit Windows and cloud versions, were compromised.

The CEO and CTO said that, after users were notified about the situation, only 730,000 are still using the affected version, and that while these users are no longer at risk because the malware has been disabled, they should upgrade to the latest version, and will be prompted to do so by Avast via a notification.

In addition, the company said that affected systems do not need to be restored to a pre-15 August state or reinstalled/rebuilt.

"About 30 per cent of CCleaner users also run Avast security software, which enables us to analyse behavioural, traffic and file/registry data from those machines.

"Based on the analysis of this data, we believe that the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary," Avast claimed.

"Therefore, we consider restoring the affected machines to the pre-August 15 state unnecessary," it added.

The company said that as a precaution it had migrated the Piriform build environment to the Avast infrastructure, and is in the process of moving the entire Piriform staff onto Avast's internal IT system.