DBSA:2015-0001
Disclaimer: advisories may become out of date or no longer relevant as technology changes; check the "Date" field in the header to confirm that this advisory is still current for your situation.
Digibase Security Advisory - Puush.me/Puu.sh Windows Client Compromised, Malware Distributed
Keywords: puush.me, puu.sh, Puush, malware, compromise, trojan, supply chain
DBSA ID: 2015-0001
Regarding: Puush.me Windows Client Compromised, Malware Distributed
Writeup: Kradorex Xeron (talk) 23:25, 29 March 2015 (EDT)
Date: 2015 03 30
Last Modified: 20150329224218 by Kradorex Xeron
Who should take note: All Puush Users, especially users of Puush Windows client
Classification
Priority: HIGH
Rationale: Confidential user data on infected systems may be compromised; it is essential to limit the scope of compromised data.
Severity: MODERATE
Rationale: The malware is a trojan horse that may download and install additional malware. Because it tampers with proxy settings, user internet traffic may also be intercepted while it is present.
Spread of Issue: SINGLE-PLATFORM MODERATE
Rationale: Only the Windows client is affected, but Puush.me is a fairly well-known service.
Description
Puu.sh, also known as Puush.me or simply Puush, is a file sharing and distribution service that lets users upload files from their computers and make them available to others; it is targeted at media sharing. In a recent incident, an update uploaded to the vendor's servers was contaminated or otherwise compromised, so that malware was included in an update delivered to users through the client's normal update channel. Because the malicious build arrived as a legitimate update, a client that reports itself as up to date is not evidence that the system is clean. The malware is detected under the name QVM03.0.Malware and has been observed to contact foreign servers, tamper with proxy server settings and file extension associations, and install additional malware.
The Puush service itself is not believed to be compromised as a result of this incident.
(The following is listed here for reference only; skip to the bottom for Mitigation/Solution.)
According to the analysis, the malware contacts a server in Russia, potentially a botnet command-and-control (C2) instance:
95.213.162.50
% Information related to '95.213.128.0 - 95.213.255.255'
% Abuse contact for '95.213.128.0 - 95.213.255.255' is 'abuse@selectel.ru'
inetnum:        95.213.128.0 - 95.213.255.255
netname:        RU-SELECTEL-20090812
descr:          OOO "Network of data-centers "Selectel"
country:        RU
org:            ORG-SL223-RIPE
admin-c:        AKME
tech-c:         AKME
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      MNT-SELECTEL
mnt-routes:     MNT-SELECTEL
mnt-domains:    MNT-SELECTEL
source:         RIPE # Filtered

organisation:   ORG-SL223-RIPE
org-name:       OOO "Network of data-centers "Selectel"
org-type:       LIR
address:        OOO "Network of data-centers "Selectel"
address:        Vyacheslav Akhmetov
address:        Tsvetochnaya 21
address:        196006
address:        Saint-Petersburg
address:        RUSSIAN FEDERATION
phone:          +78126778036
fax-no:         +78126778036
admin-c:        AKME
admin-c:        KORS
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        MNT-SELECTEL
mnt-by:         RIPE-NCC-HM-MNT
abuse-mailbox:  support@selectel.ru
tech-c:         KORS
abuse-c:        AR12863-RIPE
source:         RIPE # Filtered

person:         Akhmetov Vyacheslav
address:        191015, Russia, Saint-Petersburg, ul. Tverskaya, d 8 liter B
mnt-by:         MNT-SELECTEL
phone:          +78127188036
nic-hdl:        AKME
source:         RIPE # Filtered

% Information related to '95.213.128.0/17AS49505'
route:          95.213.128.0/17
descr:          SELECTEL-NET
origin:         AS49505
mnt-by:         MNT-SELECTEL
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.78 (DB-3)
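The following triage script is an added example written for this advisory; it is not code from the advisory's author or from Puush. It applies the two indicators described above to host artefacts: it scans connection records (the text of `netstat -ano`, or any log line in the same shape) for the 95.213.162.50 C2 address and for the wider SELECTEL route 95.213.128.0/17 from the whois record, and it scans an export of the WinINET proxy values (`reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"`) for the kind of proxy tampering the malware performs. The netstat and registry samples embedded below are constructed test data, not captures from an infected machine; the allow-list of legitimate proxies is an assumed parameter that a deployment would fill in.

```python
"""Triage helpers for the DBSA:2015-0001 indicators (added example, not the
advisory's own code). All sample input below is constructed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

C2_IPS = {ipaddress.ip_address("95.213.162.50")}        # C2 named in the advisory
C2_PREFIX = ipaddress.ip_network("95.213.128.0/17")      # SELECTEL route from whois

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.12:49700        95.213.162.50:80       ESTABLISHED     4120
  TCP    10.0.0.12:49702        93.184.216.34:443      ESTABLISHED     2210
  TCP    10.0.0.12:49704        95.213.130.7:443       TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    1180
"""

# Constructed sample of `reg query` output for the WinINET proxy key; the
# values are chosen to trip the check, not taken from the malware.
REG_SAMPLE = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ       95.213.162.50:8080
    AutoConfigURL  REG_SZ       http://95.213.162.50/wpad.dat
"""


@dataclass(frozen=True)
class Hit:
    source: str   # "netstat" or "registry"
    detail: str


_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
_REG_RE = re.compile(r"^\s*(\w+)\s+(REG_\w+)\s+(.*?)\s*$")


def _host_of(endpoint: str) -> tuple[str, str]:
    """Split 'host:port' (IPv6 '[::1]:80' included) into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def _classify(host: str) -> str | None:
    """Return 'known C2', 'C2 hosting prefix', or None for a host string."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # '*', hostnames, empty strings
        return None
    if addr in C2_IPS:
        return "known C2"
    if addr in C2_PREFIX:
        return "C2 hosting prefix"
    return None


def find_c2_connections(netstat_text: str) -> list[Hit]:
    """Flag connections whose foreign address matches the advisory's IOCs."""
    hits: list[Hit] = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue                         # header line or unparseable
        proto, _local, foreign, state, pid = m.groups()
        host, port = _host_of(foreign)
        label = _classify(host)
        if label:
            hits.append(Hit("netstat", f"{proto} to {label} {host}:{port} "
                                       f"state={state} pid={pid}"))
    return hits


def find_proxy_tampering(reg_text: str,
                         allowed_proxies: frozenset[str] = frozenset()) -> list[Hit]:
    """Flag an enabled proxy not on the allow-list, a proxy pointing at the
    IOCs, and any PAC URL (AutoConfigURL), which silently redirects traffic."""
    values = {m.group(1): m.group(3)
              for m in map(_REG_RE.match, reg_text.splitlines()) if m}
    hits: list[Hit] = []
    if values.get("ProxyEnable", "0x0").lower() not in ("0x0", "0"):
        proxy = values.get("ProxyServer", "")
        if proxy not in allowed_proxies:
            label = _classify(_host_of(proxy)[0]) or "not on allow-list"
            hits.append(Hit("registry", f"ProxyEnable set, ProxyServer={proxy!r} ({label})"))
    if "AutoConfigURL" in values:
        hits.append(Hit("registry", f"AutoConfigURL present: {values['AutoConfigURL']}"))
    return hits


def triage(netstat_text: str, reg_text: str) -> list[Hit]:
    return find_c2_connections(netstat_text) + find_proxy_tampering(reg_text)


if __name__ == "__main__":
    for hit in triage(NETSTAT_SAMPLE, REG_SAMPLE):
        print(f"[{hit.source}] {hit.detail}")
```

Run it on real data by piping `netstat -ano` and the `reg query` output into files and passing their contents to `triage`; a hit on the /17 prefix alone is a prompt to review, not proof of infection, since other Selectel customers share that range.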
Mitigation/Solution
The vendor has issued a follow-up update that removes the malware. It is nevertheless strongly advised to run a full scan with a dedicated anti-malware product such as Malwarebytes (https://www.malwarebytes.org/), since the vendor's fix and traditional antivirus may not detect this specific malware or anything it downloaded afterwards. AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) may also be run to identify additional tampering, such as altered proxy settings or file extension associations. Because confidential data on an infected system may have been exposed, treat credentials used on the machine while it was infected as potentially compromised and change them.