Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Digibase Security Advisory - Puush.me/Puu.sh Windows Client Compromised, Malware Distributed
Keywords: puush.me, puu.sh, Puush, malware, compromise, malware
DBSA ID: 2015-0001
Regarding: Puush.me Windows Client Compromised, Malware Distributed
Date: 2015 03 30
Last Modified: 20150329234737 by Kradorex Xeron
Who should take note: All Puush Users, especially users of Puush Windows client
Rationale: Confidential user data on infected systems may be compromised, it is essential to limit the scope of compromised data.
Rationale: Malware is a trojan horse that may download and install additional malware. User internet traffic may be compromised with malware present.
Spread of Issue: SINGLE-PLATFORM MODERATE
Rationale: Puush.me is a fairly known service.
Puu.sh aka Puush.me aka Puush is a file sharing and distribution service that users may easily upload files from their computers and make them available to others. The service is targetted toward media sharing. There has been recently an incident whereas an update uploaded to the vendor's servers had been contaminated or otherwise compromised that resulted in malware being included in an update issued to users. This malware is known as QVM03.0.Malware and has been identified to contact foreign servers and tamper with proxy server settings, file extensions and install additional malware.
The Puush service itself is not believed to be compromised as a result of this incident, but the front-end webserver has been confirmed to had been compromised.
(Following only listed here for reference, skip to bottom for Mitigation/Solution)
As per the analysis, the malware contacts a Russian server, potentially a botnet Command and Control instance or a receiver for identity theft purposes:
% Information related to '220.127.116.11 - 18.104.22.168' % Abuse contact for '22.214.171.124 - 126.96.36.199' is 'firstname.lastname@example.org' inetnum: 188.8.131.52 - 184.108.40.206 netname: RU-SELECTEL-20090812 descr: OOO "Network of data-centers "Selectel" country: RU org: ORG-SL223-RIPE admin-c: AKME tech-c: AKME status: ALLOCATED PA mnt-by: RIPE-NCC-HM-MNT mnt-lower: MNT-SELECTEL mnt-routes: MNT-SELECTEL mnt-domains: MNT-SELECTEL source: RIPE # Filtered organisation: ORG-SL223-RIPE org-name: OOO "Network of data-centers "Selectel" org-type: LIR address: OOO "Network of data-centers "Selectel"220.127.116.11 address: Vyacheslav Akhmetov address: Tsvetochnaya 21 address: 196006 address: Saint-Petersburg address: RUSSIAN FEDERATION phone: +78126778036 fax-no: +78126778036 admin-c: AKME admin-c: KORS mnt-ref: RIPE-NCC-HM-MNT mnt-ref: MNT-SELECTEL mnt-by: RIPE-NCC-HM-MNT abuse-mailbox: email@example.com tech-c: KORS abuse-c: AR12863-RIPE source: RIPE # Filtered person: Akhmetov Vyacheslav address: 191015, Russia, Saint-Petersburg, ul. Tverskaya, d 8 liter B mnt-by: MNT-SELECTEL phone: +78127188036 nic-hdl: AKME source: RIPE # Filtered % Information related to '18.104.22.168/17AS49505' route: 22.214.171.124/17 descr: SELECTEL-NET origin: AS49505 mnt-by: MNT-SELECTEL source: RIPE # Filtered % This query was served by the RIPE Database Query Service version 1.78 (DB-3)
The vendor has issued a secondary update that removes the malware, however it is strongly advised to scan with a full antimalware software such as MalwareBytes (https://www.malwarebytes.org/) for any additional malware as the included update fix and traditional antivirus may not detect all malware. The download and use of Adwcleaner (http://www.bleepingcomputer.com/download/adwcleaner/) may also be performed to identify if any additional tampering has been performed. It may also be advised to change passwords stored in password managers and entered while this update was in place.