If you were online and using the puush client for Windows on March 29 between 18:51-21:41 UTC, there is a chance that malware disguised as a puush update made its way to your computer.

The Mac and iOS clients were not affected.

The latest version of puush cleans the malware (r100).

If you wish to know whether you were affected, or have already uninstalled puush, you can use our stand-alone cleaner/checker to check whether you need to take further action.

If your PC was affected, treat any saved passwords on your system as compromised and change them immediately.

This includes passwords saved in Mozilla Firefox, Mozilla SeaMonkey, Internet Explorer (including IE10/Windows 7 vault), Opera, Google Chrome, Windows Live Messenger, GAIM/Pidgin, Outlook and Mozilla Thunderbird.

Note that if you had a master password set or used an external/plugin-based password manager, it is probable that your passwords are still safe.

How did this happen and what are you doing to prevent this from happening again?

As the investigation of the breach is still ongoing, we don't wish to release further details until this is complete. However, we have since firewalled the affected servers and are building fresh replacements.

Secondly, the puush update system on Windows doesn't verify the authenticity of the downloaded updates, which allowed a malicious version to be distributed. In a coming update, we will add a feature to verify the downloaded updates. An option to disable automatic updates will also be added.

On March 29 at 18:51 UTC, a puush web server was compromised and a malicious update to the Windows puush client (r94) was planted. This modified client was only altered to retrieve and execute malware; it otherwise behaved the same as puush.

The malicious update was then distributed via puush's auto-update system. At the same time, a GeoIP-based redirect was put in place to forward users from Japan to the original, unmodified files. This was most likely in an effort to hide the malware from us (as we are currently in Japan). As a side-effect, users in Japan were not affected.

At 21:41 UTC the breach was noticed and the affected web server was immediately shut down to cease distribution of the malicious update.

After starting, the longer puush is open, the less frequently it checks for updates (after 30 minutes, 1 hour, 2 hours, 4 hours, and then finally every 6 hours). Because of this, not all online users at the time were affected - only those that were unlucky enough to check within the ~3-hour window above. Therefore, if your PC was on and running puush for a long period of time, you were the least likely to be affected.

We investigated the malware in a sandboxed environment and wrote a cleaner to remove the malware, targeting the loader ( ). We determined that this was sufficient to remove the malware and prevent it from reappearing.

At 01:13 UTC, we released an updated puush client with a built-in cleaner and also a stand-alone version of the cleaner.

Due to how puush updates worked (as described above), the newly updated puush client would have been more frequently checking for updates. This meant that the earliest infected clients (potentially at 18:51 UTC) would have been replaced by the r100 cleanup build at 22:21 UTC.

Simultaneously, in the interest of ensuring the safety of our users, we reached out to for assistance in analyzing the malware's payload.

The malware was determined to be a variant of the popular NetWire RAT (a Remote Access Trojan), that is, software that gives the attacker control over your computer. Its distinctive feature seems to be the ability to steal passwords, though it can also perform other typical remote control operations on demand. Without input from its command and control server, the malware is effectively harmless and does nothing.

His detailed findings for those so inclined:

The malware loader is delivered as an EXE file (241664) with the following hashes:

When installed, a one-byte modification is made to the EXE, yielding the following hashes:

The loader is an obfuscated VB6 application. As part of standard VB6 app startup functionality, it creates one temporary file in %TEMP%. This is unrelated to the malware functionality and can be safely ignored.

The VB6 code calls further obfuscated code that deobfuscates the rest of itself in-place and then performs debugger checks. If a debugger is detected, or the Avast hook DLL (shnxhk.dll) is loaded into the process, it attempts to exit (but, due to a bug, will actually crash). The process will also attempt to exit, but crash, if the CPU does not support MMX instructions (users running puush on a 486 or original Pentium are safe from the malware).
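The weakness that made this incident possible is the one the post names: the Windows client fetched updates over the auto-update channel without verifying that they came from puush, so anyone who controlled the web server could ship a new client. The program below is an added example, not puush's own code or its planned update-verification feature, showing the standard fix: the publisher signs a small manifest (version, size, SHA-256 of the installer) offline with a release key whose public half is pinned in the client, and the client verifies the signature over the raw manifest bytes before parsing them, checks the installer against the signed digest before executing it, and refuses any version that is not newer than the one installed. The Ed25519 release key, the JSON manifest layout, the `r94`/`r100` version numbers reused from the post and the installer blob are all constructed for the example; Go's standard library is used because it ships Ed25519 and needs no extra dependencies.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one client release (hypothetical format for this example).
// The publisher signs the exact bytes of its JSON encoding offline; the web
// server only hosts the result, so an attacker who takes over the server
// cannot produce a manifest the client will accept.
type Manifest struct {
	Version int    `json:"version"` // e.g. 100 for r100
	SHA256  string `json:"sha256"`  // hex SHA-256 of the installer bytes
	Size    int    `json:"size"`    // installer size in bytes
}

// SignedManifest is what the client downloads alongside the installer.
type SignedManifest struct {
	ManifestJSON []byte `json:"manifest"`
	Signature    []byte `json:"signature"`
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned release key")
	ErrBadDigest    = errors.New("installer digest or size does not match the signed manifest")
	ErrRollback     = errors.New("update version is not newer than the installed version")
)

// NewReleaseKey generates the publisher's Ed25519 key pair. The private half
// stays on the release machine; the public half is compiled into the client.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// PublishUpdate is the publisher side: hash the installer, build the manifest
// and sign its encoding with the private release key.
func PublishUpdate(priv ed25519.PrivateKey, version int, installer []byte) (SignedManifest, error) {
	sum := sha256.Sum256(installer)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:]), Size: len(installer)}
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{ManifestJSON: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyUpdate is the client side. Order matters: the signature is checked over
// the raw manifest bytes before they are parsed, the installer is checked
// against the signed digest before it would be executed, and the version is
// checked so a captured old-but-genuine manifest cannot downgrade the client.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, installer []byte, installed int) (Manifest, error) {
	if !ed25519.Verify(pub, sm.ManifestJSON, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.ManifestJSON, &m); err != nil {
		return Manifest{}, err
	}
	sum := sha256.Sum256(installer)
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(installer) != m.Size || !bytes.Equal(sum[:], want) {
		return Manifest{}, ErrBadDigest
	}
	if m.Version <= installed {
		return Manifest{}, ErrRollback
	}
	return m, nil
}

func main() {
	// Constructed scenario: a throwaway release key and a fake installer blob.
	pub, priv, _ := NewReleaseKey()
	installer := []byte("puush r100 installer bytes (constructed sample)")
	sm, _ := PublishUpdate(priv, 100, installer)

	_, err := VerifyUpdate(pub, sm, installer, 94)
	fmt.Println("genuine r100 on an r94 client:", err) // nil: accepted

	// A server-side attacker can swap the installer but cannot re-sign the manifest.
	tampered := append([]byte{}, installer...)
	tampered[0] ^= 0xff
	_, err = VerifyUpdate(pub, sm, tampered, 94)
	fmt.Println("swapped installer:", err)

	// Nor can they sign a manifest for their payload with a key the client does not trust.
	_, attackerPriv, _ := NewReleaseKey()
	forged, _ := PublishUpdate(attackerPriv, 101, tampered)
	_, err = VerifyUpdate(pub, forged, tampered, 94)
	fmt.Println("forged manifest:", err)

	// Replaying the genuine r100 manifest to a client already on r100 is refused too.
	_, err = VerifyUpdate(pub, sm, installer, 100)
	fmt.Println("replayed manifest:", err)
}
```

The GeoIP redirect described in the post is worth keeping in mind when testing such a check: a client that verifies signatures is protected regardless of which files the server chooses to serve to a given region, whereas a client that only compares version numbers or file sizes is not.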