June 23, 2012
Office Printers Succumb To Virus
Enid Burns for redOrbit.com
Office printers across the US, India, Europe and South America are spewing out thousands of pages of nonsense, due to a malicious program called Milicenso. IT departments can't be happy, and neither can office managers who will have to place orders to restock paper supplies.
Security firm Symantec wrote in a blog post that an outbreak of the Trojan.Milicenso has spread over the past two weeks, triggering massive print jobs typing up company resources. The hardest hit were businesses in the US and India, however certain regions in Europe and South America were also affected.
Trojan.Milicenso was first noticed in 2010, and has been adapted many times to cause different outcomes; the most recent outcome being office printers. As Trojan.Milicenso is somewhat of a malware-for-hire, it's been used most recently to distribute adware to French speaking users and was reported as Adware.Eorezo.
Delivery of the malicious program comes in many forms. In many cases computers will become infected - and then transmit to printers - through email attachments, though visiting websites hosting malicious scripts also spreads the infectious program. "The latter often unintentionally occurs when a user clicks on a link in an unsolicited email," Symantec posted on its blog.
The internet security company also said it has encountered a large number of samples that appear to be packaged as a fake codec, or program delivery. These are distributed as files with random file names, and a ".exe" or ".dll" extension. The encrypted name makes it difficult to identify. What makes it more difficult to identify and eliminate? "The decryption key itself is encrypted using a value that is unique to the compromised computer," says the Symantec blog post. The post explains that the unique value is 16 bytes in length, and is generated using the time when the System and System Volume Information folders were created. The unique value is used to encrypt the main DLL decryption key, to add to the subterfuge, and make removal more difficult.
The Trojan.Milicenso is somewhat difficult to identify and remove because it uses adware as a decoy, which detracts attention from the infection itself. In many cases, according to Symantec, the malware is able to evade detection and in many cases be categorized as a low risk, and actually be dismissed by many virus protection programs. In the case of the this particular flavor of Trojan.Milicenso that makes office printers go through reams of paper and cartridges of printer ink, the malware has a devastating effect on business.
Office printers are affected by this case of Trojan.Milicenso, because of a new script written into the malicious code, according to Symantec. During the infection phase, a .spl file is created that looks something like [DRIVE_LETTER]\system32/Spool/PRINTERS\[RANDOM].spl. The .spl file is actually an executable file, which is detected as Adware.Eorezo. At this point, any files in that folder will trigger print jobs.
Symantec says it believes the garbled printouts appear to be a side effect of the infection vector.
ICS Diary, the Internet Storm Center website that's part of the SANS Technology Institute, also has reports on the virus, with details about top-level files names and some of the sites running drive-by downloads of the malware.
"The beauty of this unexpected malware behavior is that it can easily be detected throughout the organization printers and servers, although at the expense of wasting precious paper, and trees as a consequence. Let's save the planet! “¦ and don't forget this is a good opportunity to evaluate the security of your printing architecture," the ICS Diary says in a blog post. The post identifies printing architecture security as network isolation, access controls and printer management.