Print bomb?
There have been several reports now of PCs on the network printing what looks like an executable to a large number of printers. Several scanning tools will cause this kind of behaviour, but in the instances I know of, these tools were not being used on the network at the time. The various AV products aren't great at picking this up, yet.
If this happens in your network, use your logs to determine the sending machine (it will be in the print logs) and take it offline for investigation and re-imaging. If you happen to have the actual malware, upload it via the contact form and make our malware guys and gals happy.
Mark
Some updates:
In addition to the excellent comments made to the diary (thanks), we received a file that is reportedly the one being sent to the printers - e864689c6897dab7daa727f2ab70ef5a. This file is some adware that currently has a 21/41 detection rate, which is slowly improving. The dropper is BA9D4EFB6622D4DE95C162D95CB171A4 and has a detection rate of 17/41 at the moment.
Comments
ct1600
Jun 8th 2012
1 decade ago
You could check suspicious hosts for certain registry keys / values:
C:\>reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" | find "REG_BINARY"
(under the user account that showed the suspicious behaviour)
C:\>reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" | find "REG_BINARY"
and look for single digit value names (especially "6" and "9") with fairly large binary values.
If you find such infections I'd be happy to hear about it (you'll find my email in the references or on Twitter: @c_APT_ure).
References:
http://ioc.forensicartifacts.com/2012/04/ponmocup-2/
http://c-apt-ure.blogspot.ch/search/label/ponmocup
TomU
Jun 8th 2012
1 decade ago
We have a copy of the offending DLL that Malwarebytes identified as well as MANY print queue samples.
Currently hardening printers and searching for more info.
KLand
Jun 8th 2012
1 decade ago
---
Jun 8, 2012 8:02 AM (in response to Raj909)
Re: Printer Virus?
To follow on from Raj909's post regarding it being mentioned on SANS, I can confirm that the affected machine on our network did indeed have single digit name REG_BINARY entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
It also drops an entry with what looks like random characters for a name into HKCU\Software\Microsoft\Windows\CurrentVersion\Run, which runs the .dll file that is dropped in the user's Application Data folder, e.g.:
vjdg REG_SZ rundll32 "C:\Documents and settings\<user>\Application Data\netui0p.dll", QJNDKZXSB
---
This looks like Ponmocup infections, too!
Also check for random subkeys under HKLM\Software and HKCU\Software:
http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html
A year ago this botnet was several million bots big (http://www.abuse.ch/?p=3294).
TomU @c_APT_ure
Jun 8th 2012
1 decade ago
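The two checks described in the comments above, the single-digit REG_BINARY values under Internet Settings and the random-named Run entry launching a DLL from Application Data via rundll32, combined into one PowerShell triage script. This is an added example, not code from the diary or its commenters; the 1024-byte size threshold and the path patterns are my assumptions, since the comments do not quantify "fairly large".

```powershell
# Added triage script (not from the diary or its commenters). Run it as the
# user account that showed the printing behaviour, since the HKCU hive is
# per-user. It reports, it does not clean; the host still gets re-imaged.

$minBinarySize = 1024   # assumed threshold: "fairly large" is not quantified

$internetSettings = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$runPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$findings = @()

# Check 1: value names that are a single digit (e.g. "6", "9") holding a
# large REG_BINARY blob under the Internet Settings keys.
foreach ($path in $internetSettings) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        if ($name -match '^\d$' -and $key.GetValueKind($name) -eq 'Binary') {
            $data = $key.GetValue($name)
            if ($data.Length -ge $minBinarySize) {
                $findings += [pscustomobject]@{
                    Indicator = 'SingleDigitBinary'
                    Location  = "$path\$name"
                    Detail    = "$($data.Length) bytes"
                }
            }
        }
    }
}

# Check 2: Run entries whose command is rundll32 loading a .dll from
# "Application Data" (XP) or "AppData" (Vista and later). The pattern is an
# assumption generalised from the single example quoted in the comments.
$runKey = Get-Item -Path $runPath -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $cmd = [string]$runKey.GetValue($name)
        if ($cmd -match 'rundll32' -and
            $cmd -match '(Application Data|AppData)\\(?:[^"\\]+\\)*[^"\\]+\.dll') {
            $findings += [pscustomobject]@{
                Indicator = 'RundllFromAppData'
                Location  = "$runPath\$name"
                Detail    = $cmd
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No matching indicators found.' }
```

Any hit is a trigger for the offline investigation the diary recommends, not proof by itself; a single-digit value name alone, without the large binary payload, is not flagged.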