
Puush Malware


#1 ehhthing

Posted 30 March 2015 - 05:08 PM

For those who don't know, puush was infected with malware that takes (unencrypted) locally stored passwords. The malware was disguised as an update (r94).

-

My antivirus (360 Protect) detected it and quarantined it at 3:24pm EDT. Is there any way to know if my system was affected without un-quarantining the file? The malware takes time to run, right? So if my antivirus detected it before it finished running

-

my tweet to puush:

https://twitter.com/Ehhthing/status/582663042145517568

-

EDIT:

Puush said that the virus was stored in AppData; however, my antivirus did not quarantine anything there. My puush was updated when I opened the computer, so it's not there anymore.


Edited by ehhthing, 30 March 2015 - 05:12 PM.




#2 Aura

Posted 30 March 2015 - 05:21 PM

Hi ehhthing :)

This is indeed the malicious file pushed in the puush update r94. Ian already created a thread in the General Security section, and I linked various articles that help you remove that malware (puush created a removal tool for it).

http://www.bleepingcomputer.com/forums/t/571697/puush-possibly-sending-malicious-updates-to-clients/

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 ehhthing

Posted 30 March 2015 - 05:32 PM

I have it all removed.

However, I want to know if my password for (something) on Firefox was breached.

I doubt that this is possible; however, technology always surprises me and I thought I might give this a try.



#4 Aura

Posted 30 March 2015 - 05:33 PM

The malware pushed via the puush update was defined as a stealer (which means that it steals passwords from Firefox, Chrome, Internet Explorer, FTP, etc.) and also a keylogger. For now, I would consider all your passwords as compromised and I would change all of them right now.



#5 ehhthing

Posted 30 March 2015 - 05:36 PM

So all of the passwords I have ever entered into Firefox, Chrome, IE, etc., or the ones I saved?



#6 Aura

Posted 30 March 2015 - 05:40 PM

All the ones you have saved on your web browsers and also FTP servers and such. There's an analysis on a thread on /g/, here:

I've confirmed that the EXE stole passwords.

The initial exe dropped was a VB6 executable that was a crypter to conceal it from anti-viruses. I extracted the encrypted file and decrypted it.

Analysis file can be found here: https://malwr.com/analysis/Zjg1MDc0MjNiNzZmNGQxMGE1MjRjMTg4MWEzOGI0NmE/
If you click Static and go to Strings, you can see a couple of fun strings:
>herd.suid.at:42069
Hostname and port at which the malware operated

>mozcrt19.dll
>sqlite3.dll
>nspr4.dll
>mozutils.dll
>mozglue.dll
>mozsqlite3.dll
All of these are DLLs that are part of the Firefox password management system

>%s\Opera\Opera\wand.dat
>%s\Opera\Opera\profile\wand.dat
These are Opera password management files

>%s\.purple\accounts.xml
This is where Pidgin stores passwords

><protocol>
><name>
><password>
This is the format for FileZilla's logs

>WindowsLive:name=*
Windows Live Messenger profile stealing

>POP3 User
>POP3 Server
>POP3 Password
>IMAP User
>IMAP Server
>IMAP Password
>HTTP User
>HTTP Server
>HTTP Password
>SMTP User
>SMTP Server
>SMTP Password
Formatting for stolen files

>%s\Google\Chrome\User Data\Default\Login Data
>%s\Chromium\User Data\Default\Login Data
Chrome and Chromium passwords

>Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Outlook passwords

>Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Internet Explorer passwords

>[Enter]
>[Arrow Left]
>[Arrow Up]
>[Arrow Right]
>[Arrow Down]
>[Home]
>[Page Up]
>[Page Down]
>[Break]
>[Delete]
Common strings that are part of keylogger data


Looks like there was a malware analysis on /g/ that analyzed the malware and got information out of it.

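A defender-side triage helper, added here as an example and not code from the thread or from the /g/ analysis: it runs the indicator strings quoted above over a `strings` dump of a quarantined sample and reports which credential stores the sample reads, which is what decides which saved passwords need changing. The `SAMPLE` input is constructed for the demonstration.

```python
import re

# Indicator strings quoted in the /g/ analysis, grouped by what each group reveals.
# Patterns are regexes; backslashes in Windows paths are escaped for the regex engine.
INDICATORS = {
    "c2 endpoint": [r"herd\.suid\.at:42069"],
    "Firefox logins": [r"nspr4\.dll", r"mozsqlite3\.dll", r"mozglue\.dll",
                       r"mozcrt19\.dll", r"mozutils\.dll"],
    "Chrome/Chromium logins": [r"\\Chrom(e|ium)\\User Data\\Default\\Login Data"],
    "Opera wand.dat": [r"\\Opera\\Opera\\(profile\\)?wand\.dat"],
    "Pidgin accounts": [r"\\\.purple\\accounts\.xml"],
    "FileZilla entries": [r"<protocol>", r"<password>"],
    "Outlook profiles": [r"Office\\15\.0\\Outlook\\Profiles"],
    "IE IntelliForms": [r"IntelliForms\\Storage2"],
    "mail client creds": [r"\b(POP3|IMAP|SMTP|HTTP) (User|Server|Password)\b"],
    "Windows Live profile": [r"WindowsLive:name="],
    "keylogger": [r"\[(Enter|Arrow (Left|Right|Up|Down)|Home|Page (Up|Down)|Break|Delete)\]"],
}

# Constructed stand-in for `strings sample.exe` output (not real sample data).
SAMPLE = """\
kernel32.dll
herd.suid.at:42069
nspr4.dll
%s\\Google\\Chrome\\User Data\\Default\\Login Data
%s\\.purple\\accounts.xml
[Arrow Left]
"""

def classify(strings_output):
    """Map each indicator category to the sorted list of dump lines that matched it."""
    hits = {}
    for line in strings_output.splitlines():
        for category, patterns in INDICATORS.items():
            if any(re.search(p, line, re.IGNORECASE) for p in patterns):
                hits.setdefault(category, set()).add(line.strip())
    return {category: sorted(lines) for category, lines in hits.items()}

def stores_to_rotate(hits):
    """Credential stores the sample reads: anything saved in them should be changed."""
    return sorted(c for c in hits if c not in ("c2 endpoint", "keylogger"))

if __name__ == "__main__":
    found = classify(SAMPLE)
    for category, lines in found.items():
        print(f"{category}: {', '.join(lines)}")
    print("change passwords saved in:", stores_to_rotate(found))
```

A keylogger hit means typed passwords are exposed too, so the store list is a floor, not a ceiling, on what to change.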


#7 ehhthing

Posted 30 March 2015 - 05:43 PM

Good, I only saved one.



#8 Aura

Posted 30 March 2015 - 05:45 PM

Well I would change all your passwords just in case. Even more if you use the same password on multiple accounts.

