Mobile and OS X users were not affected by the incident

Mar 30, 2015 12:24 GMT  ·  By

The main server of Puush, a screenshot capture and sharing application, was compromised and a malicious update planted on it, so Windows clients that pulled the update through the application's own auto-update channel were infected with password-stealing malware.

Reports of the threat emerged on Sunday, when a user updated Puush to build r94 and the antivirus product installed on the computer warned that malicious files were being downloaded.

Only Windows users were affected

In response, the company's Twitter feed, silent since October 2, 2014, became active again and was used to keep users informed and to offer mitigation advice while the developers tracked down the root cause and prepared a permanent fix.

The investigation determined that only build r94 was malicious, and that it reached every Windows client that fetched it through the automatic update mechanism during the distribution window.

“Only build r94 of the Windows client was affected, which was distributed via the auto-update system during the period: March 29 UTC 18:51 - 21:41,” explains a blog post from Puush, adding that the versions for mobile and OS X remained unaffected.

New update removes malware from the computer

The developer found that the malware was dropped as a file named “puush.daemon.exe” in either “%AppData%\Roaming\puush” or “Program Files\puush,” and that it added a Windows Registry entry so that it would start with the system.
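A quick way to check a Windows machine for the indicators described above is the PowerShell script below. It is an added example and is not Puush's cleaning tool or code from the article; the article names the file and the two directories but not the registry key, so the script assumes the persistence entry lives in one of the standard HKCU/HKLM Run keys, and it looks for a running process of the same name as an extra indicator.

```powershell
# Added example: look for the Puush r94 indicators described in the article.
# Assumption: the "start with the system" entry is under a standard Run key
# (the article does not name the key). Run in an elevated PowerShell session
# so HKLM and Program Files are readable.

function Get-PuushIndicators {
    $findings = @()

    # $env:APPDATA already expands to ...\AppData\Roaming, which matches the
    # "%AppData%\Roaming\puush" location given in the article.
    $candidates = @(
        (Join-Path $env:APPDATA 'puush\puush.daemon.exe'),
        (Join-Path $env:ProgramFiles 'puush\puush.daemon.exe')
    )
    if (${env:ProgramFiles(x86)}) {
        $candidates += (Join-Path ${env:ProgramFiles(x86)} 'puush\puush.daemon.exe')
    }

    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path
            $findings += [pscustomobject]@{
                Type   = 'File'
                Where  = $path
                Detail = "size=$($item.Length) modified=$($item.LastWriteTime)"
            }
        }
    }

    # Assumed persistence locations (not stated in the article).
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'puush\.daemon\.exe') {
                $findings += [pscustomobject]@{
                    Type   = 'RunKey'
                    Where  = "$key\$($p.Name)"
                    Detail = $p.Value
                }
            }
        }
    }

    # A live process is the strongest sign the dropped binary actually ran.
    $procs = Get-Process -Name 'puush.daemon' -ErrorAction SilentlyContinue
    foreach ($proc in $procs) {
        $findings += [pscustomobject]@{
            Type   = 'Process'
            Where  = "PID $($proc.Id)"
            Detail = $proc.Path
        }
    }

    return $findings
}

$results = Get-PuushIndicators
if ($results.Count -eq 0) {
    Write-Output 'No puush.daemon.exe indicators found.'
} else {
    $results | Format-Table -AutoSize
}
```

The script only reports; it does not delete anything. If it finds a hit, the clean-up path the article describes (the vendor's cleaner or the r100 update) is the one to use, and the password-change advice later in the article applies regardless of whether the indicators are still present, since the file may already have been removed by antivirus.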

Besides publishing these details, Puush released a standalone tool that removes the malware from the computer, both from disk and from memory. The cleaner is also bundled into the latest build of the application, r100.

An analysis of the threat in a sandboxed environment showed that it did not connect to any remote server to exfiltrate locally stored passwords or other data. A sandbox run without outbound traffic is not proof that none would occur on a real machine, since malware can behave differently when it detects analysis or may wait for a trigger before sending anything.

For that reason the company advises all users whose computers were running during the distribution window to change any passwords saved in the browser or elsewhere on the PC.