PSA: Puush update contained malware

[nohman]

I know at least a handful of people in the community use puush for taking screenshots, so I thought it would be good to give you guys a heads up in case you don't already know: 

 

https://twitter.com/puushme

 

If your puush was updated to r94, you got infected. They recommend changing any password that are important to you because it seemed to access your locally stored passwords. They don't seem to think it was transmitted anywhere.

[solidbatman]

It was transmitted. The malware seemed to have taken the passwords, and then the location where they were uploaded was disconnected before puush got on top of it from what I understand

[Yuuko]

RIP ME. I downloaded puush yesterday D: I don't even know if I was infected but better change all passwords

[Ceris]

AVAST killed it before the update happened, but I still uninstalled it after AVAST gave me a warning. A shame, because I like the convenience of puush.

[LinovaA]

Well... shit. xD

 

I had been wondering why puush didn't want to work today.

Welp, time to go through the long process of changing every single password I have.

[GetterEmperor]

Damn it sucks to have this happen. Well I guess it's time to change some passwords.

[Zenophilious]

By the way, everyone should launch an additional virus scan, if you didn't already.  There was apparently more malware than what puush removed on my computer, and I don't have a habit of downloading obscure files or anything.

 

According to puush, their "sandboxed investigations show no sign of data (passwords) being transmitted", but yeah, you should change any passwords you have saved on your browsers, just in case.

[Schnarf]

whew, thank god i don't use puush

[Darklord Rooke]

whew, thank god i don't use puush

 

Ditto. All this password hacking is a little scary, I'm going to regret my lax security measures one day...

[CryingWestern]

Ditto. All this password hacking is a little scary, I'm going to regret my lax security measures one day...

 

If anything, someone on their side was the one who put the malware into the program before they uploaded the update, or someone else has access to their site and uploaded a modified version of their program that contained a virus.

[Zenophilious]

If anything, someone on their side was the one who put the malware into the program before they uploaded the update, or someone else has access to their site and uploaded a modified version of their program that contained a virus.

The latter sounds the most likely to me, since it's a lot less risky for the fucker who put the malware in the update.  I mean, that's what I'd do if I wanted to spread malware as much as possible as safely as possible.  That said, some people do stupid things.  Hope whoever did it gets caught, but I know just how unlikely that is.  *sigh*

[Down]

Storing passwords on your browser or computer sounds like a terrible idea anyway.

[Zenophilious]

Storing passwords on your browser or computer sounds like a terrible idea anyway.

[Down]

If you're worried about memory issues, use cryptic hints stored in a txt file or a physical paper haha.

[Yuuko]

AVAST killed it before the update happened, but I still uninstalled it after AVAST gave me a warning. A shame, because I like the convenience of puush.

[CryingWestern]

If you download the newest update they have, it'll tell you if you've been infected, it also eliminates the malware as well... or so they say.

[solidbatman]

If you download the newest update they have, it'll tell you if you've been infected, it also eliminates the malware as well... or so they say.

[CryingWestern]

that's just it, i have no idea either, mine never came up with anything... i guess it was only if you uploaded something in that time period, would it do that.

[solidbatman]

Someone decompiling the malware informed puush on twitter that their remover does nothing but remove the dropper for the virus. Apparently the virus drops into the RAM and writes itself a rootkit. So it is likely that any computers that got the fake update are still infected.

Puush says they have completed analysis of the virus and will post more details tomorrow. You know, because a malicious programs hijacking their software is enough reason to make users wait another day for details.

[CryingWestern]

I believe i was only on r93 so i should be fine.

[Snowtsuku]

Glad I stopped using it.

[Lewycool]

I'm still on 93. DC-ed from internet when I got home to check and to uninstall it

[Zenophilious]

puush: "further investigation shows the malware spawns another process disguised as your web browser- please reboot after updating/running cleaner"

 

My computer crashed after I tried launching avast!, and after I launched a full scan from the boot menu(?), it said it found an infected file in C:\Users\*username*\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\00\.  The file was called "00000000" and had a virus description of "Win32:Somoto-R [PUP]".  Really, guys, if you haven't already done a full scan, do it now.

[solidbatman]

They went back and deleted that tweet, along with a tweet correcting themselves saying the virus was capable of doing so, but they had no evidence that it had done so. 

[Zenophilious]

Well, that's irritating.  Still, though, I regularly scan my computer for malware, and I got it right after the puush malware was supposedly removed, so...dunno what to say.  Better to be safe than sorry.