{"id":18529,"date":"2012-08-02T21:24:10","date_gmt":"2012-08-03T01:24:10","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/index.php\/"},"modified":"2022-09-02T15:07:00","modified_gmt":"2022-09-02T19:07:00","slug":"trojan-launches-massive-print-jobs","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/trojan-launches-massive-print-jobs\/","title":{"rendered":"Malware Launches Massive Print Jobs"},"content":{"rendered":"

\"Malware<\/a>If your printers<\/a> start printing garbage characters until they run out of paper, it’s a sure sign your network has been hit by the Milicenso Trojan malware. Help Net Security<\/em> reports<\/a> that\u00a0Symantec<\/a> (SYMC<\/a>) researchers have found<\/a> that the garbled printouts are just a side effect of the infection and not its goal. The malware’s last variants have an extremely low detection rate<\/a> – only 4 of the 42 solutions used by Virus Total<\/a> detect them at the moment.<\/p>\n

\"Trojan<\/a>The article says the Milicenso Trojan<\/a> is actually a backdoor<\/a> used to deliver other malware on the affected machines. The infection vectors are links and malicious attachments in unsolicited emails, as well as websites hosting malicious scripts that trigger the download of the Trojan<\/a>. “The Trojan creates and executes a dropper executable, which in turn creates a DLL file<\/a> in the %System% folder”, shared the Symantec researchers.<\/p>\n

The heavily encrypted DLL file creates a number of EXE and DLL files and uses a number of routines to discover whether the execution environment is a virtual machine, public malware sandbox or a black-boxing site. The Trojan also drops a piece of adware, whose aim is to serve as a decoy for AV solutions present on the machines. The blog says the\u00a0 Adware.Eorezo<\/a> has only one goal: to point Internet Explorer<\/a> to an ad-relater URL.<\/p>\n

\"SandboxHelp Net Security<\/em> explains the malware triggers the massive printing by exploiting the Windows default print spooler directory. “During the infection phase, a .spl file is created in [DRIVE_LETTER]system32Spool PRINTERS[RANDOM].spl. Note the Windows\u2019 default print spooler directory is %System%spoolprinters.”<\/p>\n

The researchers explained “The .spl file, while appearing to be a common printer spool file, is actually an executable file and is detected as Adware.Eorezo. Depending on the configuration, any files, including binary files, created in that folder will trigger print jobs.”<\/p>\n

rb-<\/em><\/strong><\/p>\n

I have written about the risks of copiers and printers here<\/a> and<\/a> here<\/a>. I’m sure someone will figure out how to use this malware as a direct DOS on printers, and not as a side effect.<\/em><\/p>\n

 <\/p>\n

Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0Bach Seat<\/a> about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn<\/a>,\u00a0Facebook<\/a>,\u00a0and\u00a0Twitter<\/a>. Email the Bach Seat\u00a0here<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Symantec says a mountain of garbled printouts are the side effect of the of Milicenso Trojan a backdoor used to deliver other malware on the affected PC’s<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[2197,23,82,421,75,4,165,445],"class_list":["post-18529","post","type-post","status-publish","format-standard","hentry","category-security","tag-2197","tag-malware","tag-microsoft","tag-msft","tag-printer","tag-security","tag-symantec","tag-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/18529","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=18529"}],"version-history":[{"count":14,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/18529\/revisions"}],"predecessor-version":[{"id":129669,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/18529\/revisions\/129669"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=18529"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=18529"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?post=18529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}