On March 29, 2015, between 2:51 and 5:41 PM EST, a counterfeit update for the application Puush was used as the vehicle for installing malware. Puush, a small-scale screenshot-sharing service, reacted quickly by shutting down its servers and urging users to close the program. Within a few hours it had restored service, along with a patched release that detects and removes the malware from affected machines. It also published a stand-alone cleaner for those who did not wish to reinstall the application.
The investigation is ongoing, but so far it appears that Puush's main web server was compromised, allowing the attacker to serve a malicious build through the application's auto-update mechanism. To the best of Puush's knowledge, the attacker did not touch any databases or files used by the application. Passwords on the Puush server were stored salted and hashed and should be secure. Analysis of the malware itself shows that it may be able to collect passwords from the local machine, but sandbox testing has not shown any attempt to transmit data to an outside destination. Nonetheless, Puush urges all users to change important passwords immediately, and is posting more information as it becomes available.
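The root cause described above, an auto-update channel that installed whatever the web server handed it, is the failure a signed update manifest is meant to prevent. The following Go program is an added example written for this page; it is not Puush's code and says nothing about how its updater actually worked. It assumes a release key that signs a manifest (build number plus SHA-256 of the binary) offline, and a client that refuses any update whose signature, digest or build number does not check out. The key pair, payloads and build numbers are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the update server hands to the client alongside the
// binary. The signature is produced offline with the release key, so a
// server compromise alone cannot forge a valid manifest.
type Manifest struct {
	Build     uint64   // monotonically increasing build number
	SHA256    [32]byte // digest of the update binary
	Signature []byte   // Ed25519 signature over manifestBytes(Build, SHA256)
}

// manifestBytes fixes the byte layout that gets signed: an 8-byte
// big-endian build number followed by the 32-byte digest.
func manifestBytes(build uint64, digest [32]byte) []byte {
	buf := make([]byte, 8, 8+len(digest))
	binary.BigEndian.PutUint64(buf, build)
	return append(buf, digest[:]...)
}

// SignManifest is the release-time step. In a real deployment it runs on a
// machine the web server cannot reach.
func SignManifest(priv ed25519.PrivateKey, build uint64, update []byte) Manifest {
	digest := sha256.Sum256(update)
	return Manifest{
		Build:     build,
		SHA256:    digest,
		Signature: ed25519.Sign(priv, manifestBytes(build, digest)),
	}
}

// VerifyUpdate is the client-side gate that runs before anything is written
// to disk or executed. installed is the build number currently running.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, update []byte, installed uint64) error {
	// 1. The manifest must carry a valid signature from the pinned release key.
	if !ed25519.Verify(pub, manifestBytes(m.Build, m.SHA256), m.Signature) {
		return errors.New("manifest signature invalid: refusing update")
	}
	// 2. Reject rollback: a compromised server could replay an old, validly signed build.
	if m.Build <= installed {
		return fmt.Errorf("manifest build %d is not newer than installed build %d", m.Build, installed)
	}
	// 3. The downloaded bytes must match the digest the signature covers.
	digest := sha256.Sum256(update)
	if subtle.ConstantTimeCompare(digest[:], m.SHA256[:]) != 1 {
		return errors.New("update binary does not match signed digest: refusing update")
	}
	return nil
}

func main() {
	// Constructed demo key pair. The real private key would be generated and
	// kept offline, with only the public key compiled into the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed stand-in for the genuine client binary, build 2")
	m := SignManifest(priv, 2, genuine)

	fmt.Println("genuine update:", VerifyUpdate(pub, m, genuine, 1))

	// A compromised web server can swap the binary but cannot re-sign the manifest.
	counterfeit := []byte("constructed stand-in for a trojanised binary")
	fmt.Println("counterfeit binary:", VerifyUpdate(pub, m, counterfeit, 1))

	// It also cannot push an already-installed signed build back onto a client.
	fmt.Println("replayed build:", VerifyUpdate(pub, m, genuine, 2))
}
```

Because the signing key never touches the web server, an attacker who controls only that server can swap the binary or replay an old build, and both are rejected; only theft of the offline release key would let them forge a manifest the client accepts.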
– Jacob Ryder