DBSA:2015-0001

From Digibase Knowledge Base
Revision as of 23:47, 29 March 2015 by Kradorex Xeron

Disclaimer: as technology changes, advisories may become out of date or no longer relevant; refer to the "Date" field in the header to be sure the advisory is recent enough to apply to your situation.

Digibase Security Advisory - Puush.me/Puu.sh Windows Client Compromised, Malware Distributed

Keywords: puush.me, puu.sh, Puush, malware, compromise

DBSA ID: 2015-0001

Regarding: Puush.me Windows Client Compromised, Malware Distributed

Writeup: Kradorex Xeron (talk) 23:25, 29 March 2015 (EDT)

Date: 2015 03 30

Last Modified: 20150329234737 by Kradorex Xeron

Who should take note: All Puush Users, especially users of Puush Windows client

Classification

Priority: HIGH

Rationale: Confidential user data on infected systems may be compromised; it is essential to limit the scope of compromised data.

Severity: MODERATE

Rationale: The malware is a trojan horse that may download and install additional malware. While it is present, user internet traffic may be intercepted or redirected.

Spread of Issue: SINGLE-PLATFORM MODERATE

Rationale: Puush.me is a fairly known service.

Description

Puu.sh, also known as Puush.me or simply Puush, is a file-sharing and distribution service that lets users upload files from their computers and make them available to others; it is targeted at media sharing. An update uploaded to the vendor's servers was recently contaminated or otherwise compromised, with the result that malware was included in an update issued to users. This malware, detected as QVM03.0.Malware, has been observed to contact foreign servers, tamper with proxy server settings and file extensions, and install additional malware.

The Puush service itself is not believed to have been compromised by this incident, but the front-end web server has been confirmed to have been compromised.

(The following is listed for reference only; skip to the Mitigation/Solution section below.)

According to the analysis, the malware contacts a server hosted in Russia at the address below, which is potentially a botnet command-and-control instance or a collection point for stolen identity data:

95.213.162.50

% Information related to '95.213.128.0 - 95.213.255.255'

% Abuse contact for '95.213.128.0 - 95.213.255.255' is 'abuse@selectel.ru'

inetnum:        95.213.128.0 - 95.213.255.255
netname:        RU-SELECTEL-20090812
descr:          OOO "Network of data-centers "Selectel"
country:        RU
org:            ORG-SL223-RIPE
admin-c:        AKME
tech-c:         AKME
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MNT-SELECTEL
mnt-routes:     MNT-SELECTEL
mnt-domains:    MNT-SELECTEL
source:         RIPE # Filtered

organisation:   ORG-SL223-RIPE
org-name:       OOO "Network of data-centers "Selectel"
org-type:       LIR
address:        OOO "Network of data-centers "Selectel"
address:        Vyacheslav Akhmetov
address:        Tsvetochnaya 21
address:        196006
address:        Saint-Petersburg
address:        RUSSIAN FEDERATION
phone:          +78126778036
fax-no:         +78126778036
admin-c:        AKME
admin-c:        KORS
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        MNT-SELECTEL
mnt-by:         RIPE-NCC-HM-MNT
abuse-mailbox:  support@selectel.ru
tech-c:         KORS
abuse-c:        AR12863-RIPE
source:         RIPE # Filtered

person:         Akhmetov Vyacheslav
address:        191015, Russia, Saint-Petersburg, ul. Tverskaya, d 8 liter B
mnt-by:         MNT-SELECTEL
phone:          +78127188036
nic-hdl:        AKME
source:         RIPE # Filtered

% Information related to '95.213.128.0/17AS49505'

route:          95.213.128.0/17
descr:          SELECTEL-NET
origin:         AS49505
mnt-by:         MNT-SELECTEL
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.78 (DB-3)

Mitigation/Solution

The vendor has issued a follow-up update that removes the malware. However, because neither that fix nor traditional antivirus is guaranteed to detect every component a downloader trojan may have installed, it is strongly advised to run a full scan with a dedicated anti-malware product such as Malwarebytes (https://www.malwarebytes.org/). AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) may also be downloaded and run to identify any additional tampering, including the proxy and file-extension changes described above. Because the malware can intercept internet traffic, passwords entered or stored in password managers while the compromised update was in place should be treated as exposed and changed. Network administrators may additionally wish to block and log outbound connections to 95.213.162.50 until affected clients have been cleaned.
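The following is an added triage script for a Windows client affected by this advisory; it is example code written for this page, not code from the advisory author or from the Puush vendor. It assumes the address above (95.213.162.50) is the only published network indicator. Because the advisory says the malware alters proxy settings and file extensions without naming the registry values involved, the script checks the standard WinINET and WinHTTP proxy settings and the exefile handler, which are the usual targets for that kind of tampering; those choices are assumptions, not findings from the page.

```powershell
# Added triage script for DBSA:2015-0001 (example code, not from the advisory or vendor).
# Run from an elevated PowerShell prompt on the affected Windows client.

# The only network indicator the advisory publishes.
$IocIp = '95.213.162.50'

# 1. Live connections to the indicator, parsed from `netstat -ano`. TCP rows read
#    Proto, Local Address, Foreign Address, State, PID; UDP rows have no State.
function Get-IocConnections {
    param([string]$Ip = $IocIp)
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -ge 4 -and $f[0] -match '^(TCP|UDP)$' -and $f[2] -like "${Ip}:*") {
            $procId = [int]$f[-1]
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol    = $f[0]
                Remote      = $f[2]
                State       = if ($f[0] -eq 'TCP') { $f[3] } else { 'n/a' }
                ProcessId   = $procId
                ProcessName = $proc.ProcessName
                Path        = $proc.Path
            }
        }
    }
}

# 2. WinINET proxy values (used by Internet Explorer and most Windows applications).
#    Assumption: these are the values the advisory's "proxy server settings" refers to.
#    A configured proxy or PAC URL is legitimate on many corporate machines, so treat
#    a hit as a lead to verify against known configuration, not as proof.
function Get-ProxySettings {
    $paths = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key           = $p
            ProxyEnable   = $v.ProxyEnable
            ProxyServer   = $v.ProxyServer
            AutoConfigURL = $v.AutoConfigURL
            Suspicious    = ($v.ProxyEnable -eq 1 -and [bool]$v.ProxyServer) -or [bool]$v.AutoConfigURL
        }
    }
}

# 3. Default handler for .exe files. The advisory mentions file-extension tampering
#    without details; the exefile handler is assumed here because hijacking it runs
#    the malware every time any program is launched. HKEY_CLASSES_ROOT is the merged
#    view, so a per-user (HKCU\Software\Classes) hijack is caught as well.
function Test-ExeHandler {
    $key      = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $expected = '"%1" %*'
    $actual   = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Key = $key; Expected = $expected; Actual = $actual; Tampered = ($actual -ne $expected) }
}

# 4. Containment: block outbound traffic to the indicator with the built-in firewall
#    (netsh syntax, so it also works on Windows 7, where New-NetFirewallRule is absent).
function Block-IocOutbound {
    param([string]$Ip = $IocIp)
    netsh advfirewall firewall add rule "name=DBSA-2015-0001-$Ip" dir=out action=block "remoteip=$Ip"
}

# Run the checks and summarise.
$conns = @(Get-IocConnections)
if ($conns.Count) {
    Write-Warning "Active connection(s) to $IocIp found:"
    $conns | Format-Table -AutoSize
}
Get-ProxySettings | Format-Table -AutoSize
netsh winhttp show proxy        # WinHTTP keeps a separate proxy store used by services
$exe = Test-ExeHandler
if ($exe.Tampered) { Write-Warning "exefile handler changed: $($exe.Actual)" }

# Uncomment once the findings above have been recorded:
# Block-IocOutbound
```

Record the output before blocking or cleaning, since the process path behind any connection to the indicator is the quickest way to locate the dropped component that a follow-up scan should confirm is gone.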

References