CCleaner recently infected millions of PCs with a backdoor trojan after hackers injected malicious code into the most recent software update on Piriform's server.
The attack appears to have been two-staged: although in excess of 2 million users installed the latest version, the trojan then checked whether the PC belonged to one of a list of certain domains, and only then launched its second payload. The hackers were specifically targeting computers belonging to a list of high-profile technology companies, and managed to launch stage 2 on at least 20 targeted machines.
This attack was very well thought out, and it is quite worrying for several reasons:
- There are (or were) at least 2 million PCs out there with an infected copy of CCleaner, carrying the backdoor trojan, installed
- It shows that hackers are always looking for new ways to infect PCs, in this case by targeting genuine software servers. It is believed this is an unprecedented number of downloads for a supply-chain attack.
- Stage One of the trojan has remained dormant on a few million computers and sat there undetected for several weeks.
- The attack could easily have been much larger - imagine if they had targeted users on specific ISPs (such as BT) rather than a handful of high-profile IT firms.
- Despite this being known about since Sept 12th, there has been very little mention of it.
- It's only within the past few days that AV programs have started to detect and identify the virus signature.
The number of infected copies installed seems to vary, ranging from "in excess of 2 million" to "many millions", based on the fact that the modified version was available between Aug 15 and Sept 12, a period during which downloads run at 5 million per week.
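One practical follow-up for anyone managing a fleet is to work out which machines picked up CCleaner during the Aug 15 to Sept 12 distribution window quoted above, since stage one sits dormant and AV detection has only just caught up. The script below is an added example, not code from the post or from Piriform: it walks a software-inventory export and flags CCleaner installs that either match a build number named in the vendor advisory (the post does not quote the affected build, so that set is left as a placeholder the reader fills in) or were installed inside the window. The hosts, versions and dates in the inventory are constructed, and the year 2017 is assumed from the incident, as the post only gives day and month.

```python
from datetime import date

# Dates on which the tampered CCleaner build was being served, as given in the post.
# The post does not state the year; 2017 is assumed (the year of the incident).
WINDOW_START = date(2017, 8, 15)
WINDOW_END = date(2017, 9, 12)

# Constructed software-inventory records (hypothetical hosts, version numbers and
# install dates; not data from the post or from Piriform).
INVENTORY = [
    {"host": "ws-001", "product": "CCleaner", "version": "5.99.0", "installed": "2017-08-20"},
    {"host": "ws-002", "product": "CCleaner", "version": "5.98.0", "installed": "2017-07-30"},
    {"host": "ws-003", "product": "CCleaner", "version": "5.99.0", "installed": "2017-10-01"},
    {"host": "ws-004", "product": "Notepad++", "version": "7.5", "installed": "2017-09-01"},
    {"host": "ws-005", "product": "CCleaner", "version": "5.98.0", "installed": "2017-09-12"},
]


def installed_in_window(record: dict) -> bool:
    """True if the install date falls inside the distribution window (both ends inclusive)."""
    installed = date.fromisoformat(record["installed"])
    return WINDOW_START <= installed <= WINDOW_END


def affected_hosts(inventory, affected_versions=frozenset()) -> dict:
    """Map host -> reason for every host that warrants a closer look.

    affected_versions: the build numbers the vendor advisory names as tampered.
    It defaults to empty because the post does not quote them (placeholder to be
    filled in from the advisory). A version match is the strong signal; an
    install date inside the window is the weaker signal used when version data
    is missing or unreliable.
    """
    hits = {}
    for rec in inventory:
        if rec["product"] != "CCleaner":
            continue
        if rec["version"] in affected_versions:
            hits[rec["host"]] = "affected version"
        elif installed_in_window(rec):
            hits[rec["host"]] = "installed in window"
    return hits


if __name__ == "__main__":
    # "5.99.0" is a constructed placeholder, not the real tampered build number.
    for host, reason in affected_hosts(INVENTORY, {"5.99.0"}).items():
        print(f"{host}: {reason}")
```

With no version list supplied the script flags only on install date, which catches ws-005 on the boundary day but leaves ws-003 alone; once the advisory's build number is supplied, a version match is reported ahead of the date check, which is the behaviour you want because a machine can receive a cached installer after the window closed.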
More info - Arstechnica