Office printers across the US, India, Europe and South America are spewing out thousands of
pages of nonsense, due to a malicious program called Milicenso. IT departments can’t be
happy, and neither can office managers who will have to place orders to restock paper
supplies.
Security firm Symantec wrote in a blog post that an outbreak of Trojan.Milicenso has spread
over the past two weeks, triggering massive print jobs that tie up company resources. The
hardest hit were businesses in the US and India, though certain regions in Europe and
South America were also affected.
Trojan.Milicenso was first noticed in 2010 and has been adapted many times to produce
different outcomes, the printer flood being only the latest. Because Trojan.Milicenso is
something of a malware-for-hire, it was most recently used to distribute adware to
French-speaking users and was reported as Adware.Eorezo.
Delivery of the malicious program comes in many forms. In many cases computers become
infected – and then pass the infection on to printers – through email attachments, though
visiting websites hosting malicious scripts also spreads the program. “The latter often
unintentionally occurs when a user clicks on a link in an unsolicited email,” Symantec
posted on its blog.
The internet security company also said it has encountered a large number of samples that
appear to be packaged as a fake codec or program delivery. These are distributed as files
with random file names and a “.exe” or “.dll” extension. The encrypted name makes the file
difficult to identify, and the encryption scheme makes it harder still to identify and
eliminate: “The decryption key itself is encrypted using a value that is unique to the
compromised computer,” says the Symantec blog post. The post explains that the unique
value is 16 bytes in length and is generated from the times at which the System and System
Volume Information folders were created. This unique value is used to encrypt the main DLL
decryption key, which adds to the subterfuge and makes removal more difficult.
Trojan.Milicenso is somewhat difficult to identify and remove because it uses adware as a
decoy, which draws attention away from the infection itself. According to Symantec, the
malware is often able to evade detection, be categorized as a low risk, and be dismissed
outright by many virus protection programs. In the case of this particular flavor of
Trojan.Milicenso, which sends office printers through reams of paper and cartridges of
printer ink, the malware has a devastating effect on business.
Office printers are affected by this variant of Trojan.Milicenso because of a new script
written into the malicious code, according to Symantec. During the infection phase, a .spl
file is created at a path that looks something like
[DRIVE_LETTER]\system32/Spool/PRINTERS\[RANDOM].spl. The .spl file is actually an
executable file, which is detected as Adware.Eorezo. At this point, any files in that
folder will trigger print jobs.
Symantec says it believes the garbled printouts are a side effect of the infection vector.
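As an added defender-side check (not code from Symantec's post or this article), the following Python script looks through the print spool folder for files that are really Windows PE executables rather than print-job data, which is the pattern described above. The default spool path and the sample byte strings are constructed assumptions.

```python
import os

# Assumption: the default Windows print spool directory; the article quotes the
# path shape [DRIVE_LETTER]\system32\Spool\PRINTERS\[RANDOM].spl.
DEFAULT_SPOOL_DIR = r"C:\Windows\System32\spool\PRINTERS"
PE_SIGNATURE = b"PE\x00\x00"

def is_pe_executable(data: bytes) -> bool:
    """True if data starts like a Windows PE image: an 'MZ' DOS header whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE

def classify_spool_entries(entries):
    """Given (name, leading_bytes) pairs from the spool folder, return the
    names whose contents are PE executables rather than print-job data.
    No legitimate spool artifact should be a PE image, so every hit is
    worth investigating."""
    return sorted(name for name, head in entries if is_pe_executable(head))

def scan_spool_dir(spool_dir: str = DEFAULT_SPOOL_DIR, head_len: int = 65536):
    """Read the first head_len bytes of each file in spool_dir and flag the
    PE executables. head_len bounds I/O on large spool files; a PE whose
    e_lfanew lies beyond it (rare) would be missed."""
    entries = []
    for name in os.listdir(spool_dir):
        path = os.path.join(spool_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                entries.append((name, fh.read(head_len)))
    return classify_spool_entries(entries)

def _build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped sample (not real malware): a 0x40-byte
    DOS header with e_lfanew = 0x40, followed by the PE signature."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + PE_SIGNATURE + b"\x00" * 16

# Constructed samples: a PE disguised as a .spl, and a benign stand-in
# for ordinary print-job data (not a real spool-file header).
SAMPLE_PE_SPL = _build_fake_pe()
SAMPLE_BENIGN_SPL = b"\x10\x00\x00\x00\x00\x00\x01\x00" + b"\x00" * 0x60

if __name__ == "__main__":
    print(classify_spool_entries([("a.spl", SAMPLE_PE_SPL), ("b.spl", SAMPLE_BENIGN_SPL)]))
```

Run `scan_spool_dir()` on a print server to list any spool entries that carry a PE header; the spooler stalling on such a file, alongside the garbled printouts, is the symptom the article describes.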
ISC Diary, the Internet Storm Center website that’s part of the SANS Technology Institute,
also has reports on the virus, with details about top-level file names and some of the
sites running drive-by downloads of the malware.
“The beauty of this unexpected malware behavior is that it can easily be detected
throughout the organization printers and servers, although at the expense of wasting
precious paper, and trees as a consequence. Let’s save the planet! … and don’t forget
this is a good opportunity to evaluate the security of your printing architecture,” the
ISC Diary says in a blog post. The post lists network isolation, access controls and
printer management as the elements of printing architecture security.