Trojan infection triggers massive printing jobs
Posted on 22.06.2012
Bookmark and Share
If your printers start printing garbage characters until they run out of paper, it's a sure sign your network has been hit by the Milicenso Trojan.

According to Symantec researchers, the garbled printouts are just a side effect of the infection and not its goal. But, as side effects go, this one is very welcome, as it will surely make security staff at enterprises suspicious and set them looking for the trigger.

It is even more welcome as the malware's last variants have an extremely low detection rate - only 4 of the 42 solutions used by Virus Total detect them at the moment.

The Milicenso Trojan is actually a backdoor that is used to deliver other malware on the affected machines. The infection vectors are links and malicious attachments in unsolicited emails, as well as websites hosting malicious scripts that trigger the download of the Trojan.

"The Trojan creates and executes a dropper executable, which in turn creates a DLL file in the %System% folder", shared the researchers.

The heavily encrypted DLL file creates a number of EXE and DLL files, and uses a number of routines to discover whether the the execution environment is a virtual machine, public malware sandbox or a black-boxing site.

The Trojan also drops a piece of adware, whose aim is to serve as a decoy for AV solutions present on the machines. This Adware.Eorezo has only one goal: to point Internet Explorer to an ad-relater URL.

So why does the Trojan trigger the massive printing?

"During the infection phase, a .spl file is created in [DRIVE_LETTER]\system32\Spool\PRINTERS\[RANDOM].spl. Note the Windows’ default print spooler directory is %System%\spool\printers," the researchers explained.

"The .spl file, while appearing to be a common printer spool file, is actually an executable file and is detected as Adware.Eorezo. Depending on the configuration, any files, including binary files, created in that folder will trigger print jobs."






Spotlight

Attackers use reflection techniques for larger DDoS attacks

Posted on 17 April 2014.  |  Instead of using a network of zombie computers, newer DDoS toolkits abuse Internet protocols that are available on open or vulnerable servers and devices. This approach can lead to the Internet becoming a ready-to-use botnet for malicious actors.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Apr 18th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //