Puush accidentally infects Windows users with password-stealing malware

Puush describes itself as a “quick and simple way to share screenshots”.

Unfortunately, it also seems to be a quick and simple way to infect your Windows computer with malware, that might steal your passwords.

That’s not, of course, by design – but the result of what appears to be the accidental distribution of a malware-infected update pushed out to Windows users.

Bitdefender user Graham Barker was one of those who alerted Puush that something seemed to have gone badly wrong with its latest update.

A series of tweets from the Australia-based developers of Puush announced the bad news to the rest of its users:

we’ve received reports of possible malware being sent in disguise of a puush update. for now we suggest closing the puush app (windows only).

we are still looking into the cause and will provide more details as soon as we know more.

we do suggest you run a virus scan on your PC if you were running the windows puush client, and uninstall the client for now.

Separately, Puush said that only build r94 of Puush (available for download between March 29 18:51-21:41 UTC) was infected by malware, and that users who had their Windows computers turned on during that period could be at risk because the software could have been automatically downloaded to their systems.

As the malware appears to steal passwords, it would make sense to ensure that you consider any passwords you store on your PC as compromised.

A post on the Puush blog provides more details, and confirmed that non-Windows users of the Puush software (it is also available for Mac OS X and iOS) do not appear to be affected:

The main puush web server was compromised (database and puushed files should be untouched, to the best of our knowledge)

The Windows puush client was replaced with a version (r94) that downloads malware (versions other than r94 should be clean). OS X and mobile clients were NOT affected.

Malware uses filename Ëœpuush.daemon.exe` and is placed in “%AppData%\Roaming\puush” or “Program Files\puush” and set to autorun via registry key “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\puush daemon”

The malware may be collecting locally stored passwords, but we are yet to confirm these have been transmitted back to a remote location. We have been running the malware in sandboxed environments and have not been able to reproduce any such behaviour. Even so, we recommend you change any important passwords which were stored on your PC (unless they were in a secure password manager). This includes chrome/firefox saved passwords.

Puush says its latest version (r100) automatically detects and cleans-up the infection, and has also released a standalone clean-up tool called (with something of a red-face) puush_is_sorry.exe.

Rather disappointingly, that standalone clean-up tool is downloadable via an HTTP link rather than a more secure HTTPS link, and you may – by this stage – be reluctant to run software produced by the company anyway.

Puush says it has now restored its systems, and patched its servers with the latest security patches.

Hopefully they will do a thorough review of what went wrong over the coming days as a matter of urgency, and put systems in place to ensure that unauthorised and compromised versions of its software can never be shipped to customers again.

Make sure to reduce the chances of having one of your software suppliers infect your computers with malware, by keeping your anti-virus software updated and always applying the latest security patches.