puush infected with malware
posted in Off Topic
#1
0 Frags +

While puush itself notifies you with a popup, I figured it'd still be a good idea to link this here in case anyone hasn't heard:

Important Point/s

  • puush was infected with malware; r100 (which is the latest update) will tell you if you were infected
  • Stand-alone cleaner (checks for the malware): https://twitter.com/puushme/status/582359050270076928
  • "The malware may be collecting locally stored passwords, but we are yet to confirm these have been transmitted back to a remote location. [...] Even so, we recommend you change any important passwords which were stored on your PC (unless they were in a secure password manager). This includes chrome/firefox saved passwords."

http://puushstatus.tumblr.com/post/114993283467/we-are-currently-investigating

https://twitter.com/puushme

#2
8 Frags +

fuck

#3
2 Frags +

weird, i left puush open while playing csgo and i either didn't get automatically updated to the malware or if i did, it immediately updated me to r100. i ran scans on avast and mbam and it looks clean but it sucks that yet another service got compromised. :(

also, since i think this should be at the top of the thread: if you got the malware and use chrome/firefox's password managers, change your important passwords and consider this an opportunity to enable two-factor authentication on your accounts if you haven't already. the devs say that there are no indications that the malware attempted to access this data but it's better to be on the safe side.

#4
16 Frags +

https://getsharex.com/
open source
ability to choose output(your imgur account, dropbox, w/e you want)
vastly superior

#5
2 Frags +

r100 is the one that fixes everything and runs a scan/remover tool automatically when you launch it.

It sucks that it happened, and there's certainly going to be a nice fat investigation into how, but it seems like they've handled it fairly well.

#6
1 Frags +

Honestly, puush was great, but I've since switched to ShareX, and am quite impressed by it. It has a lot more options, is equally lightweight, and can still upload to your puush repo if you so wish. Comes with gif taking abilities and quick image editing functionality.

#7
0 Frags +

.

#8
1 Frags +

The day i start using puush :c

#9
4 Frags +

Let me give a brief on what has occurred

-Nerd from Lizard Squad set up a host
-He then got into the puush server and uploaded a fake update
-That fake update logged every single browser cookie/saved password you have.
-He then took down the site after a bit, but someone was able to who.is it before, which led to who the person was. Seeing as it's one of them, there are high chances of everything being pastebin'd and sent out to the public tomorrow/soon/eventually.
-The malware was also a keylogger. Anything you typed from the time you got the update to the time he took down the server was logged.

[quote]both daemon process files were located in \AppData\Roaming\puush\

from start to end:
\program files (x86)\puush\puush-old.exe created process \program files (x86)\puush\puush.exe
\program files (x86)\puush\puush.exe modified file \program files (x86)\puush\puush.daemon.exe
\program files (x86)\puush\puush.exe modified registry key \HKUS\S-[...]-1000\Software\Microsoft\Windows\CurrentVersion\Run\puush
\program files (x86)\puush\puush.exe created process \AppData\Roaming\puush\puush.daemon.exe
\AppData\Roaming\puush\puush.daemon.exe created process \AppData\Roaming\puush\puush.daemon.exe
\AppData\Roaming\puush\puush.daemon.exe accessed memory of \AppData\Roaming\puush\puush.daemon.exe
\AppData\Roaming\puush\puush.daemon.exe modified registry key \HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters

four seconds later:
puush.daemon.exe wanted to connect through port 61127 to 95.213.162.50:42069[/quote]

[quote]I've confirmed that the EXE stole passwords.

The initial exe dropped was a vb6 executable that was a crypter to conceal it from anti-viruses. I extracted the encrypted file and decrypted it.

Analysis file can be found here: https://malwr.com/analysis/Zjg1MDc0MjNiNzZmNGQxMGE1MjRjMTg4MWEzOGI0NmE/
If you click static and go to strings you can see a couple fun strings
>herd.suid.at:42069
Hostname and port at which the malware operated

>mozcrt19.dll
>sqlite3.dll
>nspr4.dll
>mozutils.dll
>mozglue.dll
>mozsqlite3.dll
All of these are DLLs that are part of the firefox password management system

>%s\Opera\Opera\wand.dat
>%s\Opera\Opera\profile\wand.dat
These are opera password management files

>%s\.purple\accounts.xml
This is where pidgin stores passwords

><protocol>
><name>
><password>
This is the format for FileZilla's logs

>WindowsLive:name=*
Windows live messenger profile stealing

>POP3 User
>POP3 Server
>POP3 Password
>IMAP User
>IMAP Server
>IMAP Password
>HTTP User
>HTTP Server
>HTTP Password
>SMTP User
>SMTP Server
>SMTP Password
Formatting for stolen files

>%s\Google\Chrome\User Data\Default\Login Data
>%s\Chromium\User Data\Default\Login Data
Chrome and Chromium passwords

>Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Outlook passwords

>Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Internet explorer passwords

>[Enter]
>[Arrow Left]
>[Arrow Up]
>[Arrow Right]
>[Arrow Down]
>[Home]
>[Page Up]
>[Page Down]
>[Break]
>[Delete]
Common strings that are part of keylogger data[/quote]

Cred to some nerds on /g/ for the quotes.

Anyways, he was doing a hit and run, but if you updated to r94 (reminder that puush automatically updates), and had puush.daemon.exe running, you more than likely got logged.

Make sure you clean out your reg's, make sure puush.daemon.exe is gone (delete the puush folder in roaming, too), and change any password you had saved in every browser you use. Also use a program like KeePass for passwords, shit's great.

Spent 14 hours today on this shit, thanks puush.

#10
0 Frags +

The Stand-alone cleaner said nothing was found on my system, should I change passwords anyways?

#11
2 Frags +
[quote=swagmachine]The Stand-alone cleaner said nothing was found on my system, should I change passwords anyways?[/quote]

do u care about people possibly knowing ur personal info?

i was at work the entire time, and i still changed shit because YOLO dude and i'd rather some dummy not ruin my life by knowing my bank pw
#12
0 Frags +

I had puush running at that time and specifically remember seeing puush.daemon.exe is not responding as I was shutting my pc down.
I've got 2way auth on all my passwords, although I think my old opera browser has some saved that aren't protected, but I'm terrified of that keylogger, I used both my credit cards yesterday evening.
Stuck at work with no idea what passwords my old browser had saved.
fuck
me

#13
0 Frags +

imagine the sheer volume of how many people it could affect

#14
7 Frags +

my friends kept making fun of me when i had to manually upload things to imgur, look who's laughing now! nah but that sucks tho

#15
0 Frags +
[quote=AndKenneth]r100 is the one that fixes everything and runs a scan/remover tool automatically when you launch it.

It sucks that it happened, and there's certainly going to be a nice fat investigation into how, but it seems like they've handled it fairly well.[/quote]

But let's say you were infected, then puush automatically updated to r100 and ran this tool. Would it tell you you were infected so that you can take appropriate precautions?
#16
0 Frags +
[quote=Twiggy][quote=AndKenneth]r100 is the one that fixes everything and runs a scan/remover tool automatically when you launch it.

It sucks that it happened, and there's certainly going to be a nice fat investigation into how, but it seems like they've handled it fairly well.[/quote]

But let's say you were infected, then puush automatically updated to r100 and ran this tool. Would it tell you you were infected so that you can take appropriate precautions?[/quote]

don't quote me on this but it should have linked you to the blog post through means of a notification if you were infected. that's just what i've read on forums though.
#17
2 Frags +

.

#18
0 Frags +
[quote=mathsad][quote=Twiggy][quote=AndKenneth]r100 is the one that fixes everything and runs a scan/remover tool automatically when you launch it.

It sucks that it happened, and there's certainly going to be a nice fat investigation into how, but it seems like they've handled it fairly well.[/quote]

But let's say you were infected, then puush automatically updated to r100 and ran this tool. Would it tell you you were infected so that you can take appropriate precautions?[/quote]
don't quote me on this but it should have linked you to the blog post through means of a notification if you were infected. that's just what i've read on forums though.[/quote]

Alright thanks!
#19
2 Frags +

goddamn a day after i change all my passwords because of twitch this happens

#20
0 Frags +

update from the puush twitter: reboot after running antivirus/antimalware cleaners; apparently the malware has spawned fake browser processes in sandboxed testing. https://twitter.com/puushme/status/582621832072704000

edit: disregard https://twitter.com/puushme/status/582639744238010368

#21
2 Frags +
[quote=mathsad]update from the puush twitter: reboot after running antivirus/antimalware cleaners; apparently the malware has spawned fake browser processes in sandboxed testing. https://twitter.com/puushme/status/582621832072704000[/quote]

Someone on /g/ and facepunch is refuting this, both have disassembled it, and no proof has been found outside of this tweet. Still safe to be cautious, but I think they are being extremely cautious due to their position.

Worth a read for the curious/cautious: http://pastebin.com/tLGKfmgc

Edit: Confirmed to be wrong about the browser thing, he deleted the tweet about it after saying so.
#22
1 Frags +

.

#23
1 Frags +

my pc's been off the whole time, i'm good right?

#24
0 Frags +

http://i.imgur.com/uoVIdES.png

wow this is great. thanks hooli!

#25
0 Frags +

they released another tool that says for certain whether or not you were infected: https://puush.me/dl/puush_is_still_sorry.exe so at this point if you're not sure if you got r94, you can use this to check.

people are reporting false positives when using this though so checking the registry key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ for puush daemon is the 100% sure way to say whether or not you were infected.

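The sandbox trace quoted in post #9 and the Run-key check from post #25 describe the same artifacts from two angles. The script below is an added example, not code from the thread or from puush: it parses constructed event lines modelled on the post #9 trace (the paths, Run key and 95.213.162.50:42069 endpoint are the ones the post lists), flags the autostart write, the daemon launched from AppData\Roaming, the self-spawn/self-memory-access pair and the outbound connect, and then applies post #25's "is puush.daemon.exe in the Run key" criterion to a constructed set of Run values. Function names, the sample Run values and the rule names are my own.

```python
import re
from collections import Counter

# Constructed sample events, modelled line for line on the sandbox trace in post #9.
SAMPLE_EVENTS = [
    r"\program files (x86)\puush\puush-old.exe created process \program files (x86)\puush\puush.exe",
    r"\program files (x86)\puush\puush.exe modified file \program files (x86)\puush\puush.daemon.exe",
    r"\program files (x86)\puush\puush.exe modified registry key \HKUS\S-[...]-1000\Software\Microsoft\Windows\CurrentVersion\Run\puush",
    r"\program files (x86)\puush\puush.exe created process \AppData\Roaming\puush\puush.daemon.exe",
    r"\AppData\Roaming\puush\puush.daemon.exe created process \AppData\Roaming\puush\puush.daemon.exe",
    r"\AppData\Roaming\puush\puush.daemon.exe accessed memory of \AppData\Roaming\puush\puush.daemon.exe",
    r"\AppData\Roaming\puush\puush.daemon.exe modified registry key \HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters",
    r"puush.daemon.exe wanted to connect through port 61127 to 95.213.162.50:42069",
]

# Constructed HKCU\...\CurrentVersion\Run contents for the post #25 check
# (value names and commands are made up; only the daemon entry is the tell-tale).
SAMPLE_RUN_VALUES = {
    "puush": r"C:\Users\alice\AppData\Roaming\puush\puush.daemon.exe",
    "Steam": r"C:\Program Files (x86)\Steam\steam.exe -silent",
}

EVENT_RE = re.compile(r"^(?P<subject>.+?) (?P<verb>created process|modified file|"
                      r"modified registry key|accessed memory of) (?P<object>.+)$")
NET_RE = re.compile(r"^(?P<proc>\S+) wanted to connect through port (?P<src>\d+) "
                    r"to (?P<host>[\d.]+):(?P<dst>\d+)$")

C2_HOST, C2_PORT = "95.213.162.50", 42069   # herd.suid.at:42069 in post #9
RUN_KEY_MARK = "\\software\\microsoft\\windows\\currentversion\\run\\"


def scan_events(lines):
    """Return (rule, line) findings for the behaviours the post #9 trace shows."""
    findings = []
    for line in lines:
        net = NET_RE.match(line)
        if net:
            if net["host"] == C2_HOST or int(net["dst"]) == C2_PORT:
                findings.append(("c2_connection", line))
            continue
        ev = EVENT_RE.match(line)
        if not ev:
            continue
        subj, verb, obj = ev["subject"].lower(), ev["verb"], ev["object"].lower()
        # Persistence: a puush binary writing an autostart value under ...\Run.
        if verb == "modified registry key" and RUN_KEY_MARK in obj and "puush" in subj:
            findings.append(("run_key_persistence", line))
        # The daemon launched from AppData\Roaming instead of the install directory.
        if (verb == "created process" and obj.endswith("\\puush.daemon.exe")
                and "\\appdata\\roaming\\" in obj):
            findings.append(("daemon_from_roaming", line))
        # A process spawning, or reaching into the memory of, its own image
        # (the unpacking stage the post attributes to the VB6 crypter).
        if verb in ("created process", "accessed memory of") and subj == obj:
            findings.append(("self_spawn_or_injection", line))
    return findings


def count_by_rule(lines):
    return dict(Counter(rule for rule, _ in scan_events(lines)))


def suspicious_run_values(run_values):
    """Names of Run values that launch puush.daemon.exe, post #25's criterion."""
    return sorted(n for n, cmd in run_values.items() if "puush.daemon.exe" in cmd.lower())


def is_infected(lines, run_values):
    rules = set(count_by_rule(lines))
    return bool({"run_key_persistence", "daemon_from_roaming"} & rules
                or suspicious_run_values(run_values))
```

On a real box the Run values would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` rather than the constructed dict; a legitimate install launching puush.exe from Program Files produces no findings.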
#26
0 Frags +

The main reason I use puush is the easy API. I don't have the desktop client installed at all. If you have curl, you can just do

curl "https://puush.me/api/up" -# -F "k=$PUUSH_API_KEY" -F "z=poop" -F "f=@$filename"

to upload arbitrary files. I use it on Windows and Linux.

It looks like ShareX is just a desktop client wrapper for a bunch of APIs, and I'd rather just use them on their own.

#27
0 Frags +

ded

#28
-1 Frags +
[quote=FanofAngels][quote=mathsad]they released another tool that says for certain whether or not you were infected: https://puush.me/dl/puush_is_still_sorry.exe so at this point if you're not sure if you got r94, you can use this to check.

people are reporting false positives when using this though so checking the registry key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ for puush daemon is the 100% sure way to say whether or not you were infected.[/quote]
fuuuuuuuuuuuuuck i have so many passwords to change....[/quote]

https://lastpass.com/ this will make your life easier
#29
-1 Frags +

ded
