
puu.sh possibly sending malicious updates to clients



#1 iangcarroll


Posted 29 March 2015 - 06:49 PM

Puush, a popular screenshot sharing application, is possibly sending malicious updates to clients. How was not disclosed, but it would be a safe bet their update server was compromised to send malicious files.

we've received reports of possible malware being sent in disguise of a puush update. for now we suggest closing the puush app (windows only)


https://twitter.com/puushme/status/582296580532801536

Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!



#2 Aura


Posted 30 March 2015 - 05:36 AM

There was a thread about this on /g/ yesterday. Apparently the malware isn't hard to remove either. It's located in the %AppData%\puush folder and it creates a process called puush.deamon.exe. Here it is:

https://boards.4chan.org/g/thread/47262696/puush-was-infected-with-malware-in-the-last

Some posters analyzed the sample, and there's a stealer feature in it.

Edit: The old thread was archived I think. New one is here:

https://boards.4chan.org/g/thread/47268913/puushpuush-malware

Edit 2: They also provide a removal tool for the users that want to uninstall puush, otherwise, update to r100 will tell you if you are infected and remove the malware.

puushstatus.tumblr.com

Edited by Aura., 30 March 2015 - 10:00 AM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
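A read-only check a user could run before the r100 update, written for this thread as an added example (not code from puush or from the posters). It assumes only the two indicators quoted in the post above (the %AppData%\puush folder and a process named puush.deamon.exe) and, because the legitimate client is assumed to install under the same folder, it reports hashes and signature status instead of deleting anything:

```powershell
# Added example for this thread, not from puush or the posters.
# Reports the indicators quoted above; it does not remove anything,
# since the legitimate client is assumed to live in the same folder.

$puushDir = Join-Path $env:APPDATA 'puush'

# 1. Running process named in the thread (Get-Process takes the name without .exe)
$procs = Get-Process -Name 'puush.deamon' -ErrorAction SilentlyContinue
if ($procs) {
    foreach ($p in $procs) {
        Write-Output ("SUSPECT process: PID {0}, image {1}" -f $p.Id, $p.Path)
    }
} else {
    Write-Output 'No puush.deamon.exe process running.'
}

# 2. Executables under %AppData%\puush: size, timestamp, Authenticode status
#    and SHA-256, so the files can be compared with a known-good client
#    or submitted for analysis without touching them.
if (Test-Path $puushDir) {
    Get-ChildItem -Path $puushDir -Recurse -Include *.exe, *.dll -File |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [PSCustomObject]@{
                File      = $_.FullName
                Size      = $_.Length
                Modified  = $_.LastWriteTime
                Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject
                SHA256    = $hash
            }
        } | Format-List
} else {
    Write-Output "Folder $puushDir is not present."
}
```

An unsigned or recently modified binary beside the client is worth keeping (not deleting) for comparison against the official write-up before running the cleaner.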


#3 myrti


Posted 31 March 2015 - 06:37 PM

A write up was published here: http://puushstatus.tumblr.com/
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#4 Aura


Posted 31 March 2015 - 06:43 PM

I guess the guy who provided them the analysis of the malicious update was the same guy that analysed it on /g/, since both analyses are quite similar. At least they have a cleaner for it, and the stub was mostly broken, but still, people that got infected with it should change all their passwords immediately.



#5 myrti


Posted 31 March 2015 - 06:58 PM

Only that their write up is easily understandable, whereas /g/ is a lot of rambling and you need to sort through 10.000 unrelated posts to find one with content. :P



#6 Aura


Posted 31 March 2015 - 06:59 PM

Yeah at least :P Well that one post on /g/ was actually well written for once! It had all the information in an easy to understand order and all the important parts were highlighted too. Apparently the guy does it for a living, regaining a bit of faith in /g/ now :lol:



#7 Aura


Posted 31 March 2015 - 09:24 PM

Update on the situation to monitor (attached screenshot: 1427852938952.jpg)

I'm in bed, but I'll try to see tomorrow if it's legitimate or not.
