
SANS ISC InfoSec Handlers Diary Blog


Print bomb?

Published: 2012-06-08
Last Updated: 2012-06-09 13:49:47 UTC
by Mark Hofman (Version: 1)

There have been several reports now of PCs on the network printing what looks like an executable to a large number of printers. Several scanning tools will cause this kind of behaviour, but in the instances I know of, these tools were not being used on the network at the time. The various AV products aren't great at picking this up yet.

If this happens in your network, use your logs to determine the sending machine (it will be in the print logs) and take it offline for investigation and re-imaging. If you happen to have the actual malware, upload it via the contact form and make our malware guys and gals happy.

Mark

Some updates:

Other than the excellent comments made to the diary (thanks), we received a file that is reportedly the file being sent to the printers: e864689c6897dab7daa727f2ab70ef5a. This file is some adware that currently has a 21/41 detection rate, which is slowly improving. The dropper is BA9D4EFB6622D4DE95C162D95CB171A4 and has a detection rate of 17/41 at the moment.
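The print-log triage suggested above (find the one machine sending jobs to a large number of printers), as an added example that is not part of the original diary. It assumes the print logs have been exported to CSV with timestamp, source host, printer and size columns; the records, host names, printer names and thresholds are all constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Assumed export columns:
# timestamp, source_host, printer, size_bytes
SAMPLE_LOG = """\
timestamp,source_host,printer,size_bytes
2012-06-08T08:15:00,ws-020,prn-floor2,120334
2012-06-08T09:00:05,WS-114,prn-floor1,48211
2012-06-08T09:00:09,ws-114,prn-floor2,48211
2012-06-08T09:00:14,ws-114,prn-floor3,48211
2012-06-08T09:00:31,ws-114,prn-lobby,48211
2012-06-08T09:01:02,ws-114,prn-finance,48211
2012-06-08T09:30:00,ws-031,prn-floor1,9120
2012-06-08T11:30:00,ws-031,prn-floor2,9120
2012-06-08T13:30:00,ws-031,prn-floor3,9120
2012-06-08T15:30:00,ws-031,prn-lobby,9120
2012-06-08T16:45:00,ws-020,prn-floor1,88012
"""

def find_print_fanout(log_text, window=timedelta(minutes=10), min_printers=4):
    """Return {host: sorted printers} for hosts that sent jobs to at least
    min_printers distinct printers inside any sliding time window."""
    jobs = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 3:
            continue  # blank or truncated line
        try:
            ts = datetime.fromisoformat(row[0].strip())
        except ValueError:
            continue  # header row or unparseable timestamp
        jobs[row[1].strip().lower()].append((ts, row[2].strip().lower()))
    flagged = {}
    for host, entries in jobs.items():
        entries.sort()
        start, counts = 0, defaultdict(int)  # printer -> jobs in window
        for ts, printer in entries:
            counts[printer] += 1
            while ts - entries[start][0] > window:  # evict jobs older than window
                old = entries[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_printers:
                flagged.setdefault(host, set()).update(counts)
    return {host: sorted(printers) for host, printers in flagged.items()}
```

With the default ten-minute window only `ws-114` is returned; a host that reaches the same number of printers over a normal working day is not flagged unless the window is widened.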
