Puush accidentally infects Windows users with password-stealing malware

Graham CLULEY

March 30, 2015

Puush describes itself as a “quick and simple way to share screenshots”.

Unfortunately, it also seems to be a quick and simple way to infect your Windows computer with malware that might steal your passwords.

That’s not, of course, by design – but the result of what appears to be the accidental distribution of a malware-infected update pushed out to Windows users.

Bitdefender user Graham Barker was one of those who alerted Puush that something seemed to have gone badly wrong with its latest update.

A series of tweets from the Australia-based developers of Puush announced the bad news to the rest of its users:

we’ve received reports of possible malware being sent in disguise of a puush update. for now we suggest closing the puush app (windows only).

we are still looking into the cause and will provide more details as soon as we know more.

we do suggest you run a virus scan on your PC if you were running the windows puush client, and uninstall the client for now.

Separately, Puush said that only build r94 of Puush (available for download between March 29 18:51-21:41 UTC) was infected by malware, and that users who had their Windows computers turned on during that period could be at risk because the software could have been automatically downloaded to their systems.

As the malware appears to steal passwords, it would make sense to treat any passwords you store on your PC as compromised.

A post on the Puush blog provides more details, and confirms that non-Windows users of the Puush software (it is also available for Mac OS X and iOS) do not appear to be affected:

The main puush web server was compromised (database and puushed files should be untouched, to the best of our knowledge)

The Windows puush client was replaced with a version (r94) that downloads malware (versions other than r94 should be clean). OS X and mobile clients were NOT affected.

Malware uses filename “puush.daemon.exe” and is placed in “%AppData%\Roaming\puush” or “Program Files\puush” and set to autorun via registry key “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\puush daemon”

The malware may be collecting locally stored passwords, but we are yet to confirm these have been transmitted back to a remote location. We have been running the malware in sandboxed environments and have not been able to reproduce any such behaviour. Even so, we recommend you change any important passwords which were stored on your PC (unless they were in a secure password manager). This includes chrome/firefox saved passwords.
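
The file and registry indicators quoted above can be checked with a short read-only PowerShell script. This is an added example, not code from Puush or from the original article; it assumes “puush daemon” is a value name under the per-user Run key and that “Program Files” may mean either the 64-bit or the 32-bit directory.

```powershell
# Added example: read-only check for the indicators quoted from the Puush blog post.
# It only reports what it finds and changes nothing on the system.

$fileName = 'puush.daemon.exe'
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'puush daemon'   # assumption: a value name under the Run key

# %AppData% normally already resolves to ...\AppData\Roaming, so both readings
# of the quoted "%AppData%\Roaming\puush" path are checked.
$dirs = @(
    (Join-Path $env:APPDATA 'puush'),
    (Join-Path $env:APPDATA 'Roaming\puush'),
    (Join-Path $env:ProgramFiles 'puush')
)
if (${env:ProgramFiles(x86)}) {
    $dirs += Join-Path ${env:ProgramFiles(x86)} 'puush'
}

$findings = @()

foreach ($dir in $dirs) {
    $path = Join-Path $dir $fileName
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $path
            Detail   = "SHA256=$hash; LastWriteUtc=$($item.LastWriteTimeUtc.ToString('u'))"
        }
    }
}

# Autorun entry for the current user
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) {
    $findings += [pscustomobject]@{
        Type     = 'Autorun'
        Location = "$runKey\$runValue"
        Detail   = $run.$runValue    # command line the entry launches
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-List
} else {
    Write-Output 'No puush.daemon.exe file or "puush daemon" autorun entry found for this user.'
}
```

The Run key is per-user, so the script has to be run in each Windows account that used the Puush client.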

Puush says its latest version (r100) automatically detects and cleans up the infection, and has also released a standalone clean-up tool called (with something of a red face) puush_is_sorry.exe.

Rather disappointingly, that standalone clean-up tool is downloadable via an HTTP link rather than a more secure HTTPS link, and you may – by this stage – be reluctant to run software produced by the company anyway.

Puush says it has now restored its systems, and patched its servers with the latest security patches.

Hopefully they will do a thorough review of what went wrong over the coming days as a matter of urgency, and put systems in place to ensure that unauthorised and compromised versions of its software can never be shipped to customers again.

Reduce the chances of one of your software suppliers infecting your computers with malware by keeping your anti-virus software updated and always applying the latest security patches.
