Print Bomb? (Take 2) - SANS Internet Storm Center

Print Bomb? (Take 2)
A week ago we mentioned a "print bomb" malware specimen doing the rounds, with a gradually improving AV detection ratio. However, we are receiving reports (Thanks Conor!) with variants of what looks like the same malware, with a very reduced AV detection ratio (0/37), so do not relax your defenses. Virus Total: https://www.virustotal.com/file/90910a49226f6488de42d27ac1b347c68a0d5a9c1b070bf5dfdaea8ac368cfc9/analysis/1340227448/. This new sample, called "xpsp4ress.dll", is stored on C:\Windows\System32 and creates a scheduled task in Windows with what seems to be a random name (e.g. "UUSCPK"), running "C:\WINDOWS\system32\rundll32.exe 'C:\WINDOWS\system32\xpsp4ress.dll' ". Then it seems to propagate looking for share folders and/or printers (sometimes the DLL or EXE ends up in the spool queue and as a result reproduces the observed garbage printing behavior). Some of the domains that has been identified when the malware phones home (C&C) are: hxxp://http://somethingclosely.com hxxp://ads.alpha00001.com hxxp://storage1.static.itmages.ru hxxp://storage5.static.itmages.ru Look for them in your logs. There is a related write up available from Symantec: http://www.symantec.com/docs/TECH19098. The beauty of this unexpected malware behavior is that it can easily be detected throughout the organization printers and print servers, although at the expense of wasting precious paper, and trees as a consequence. Let's save the planet! ... and don't forget this is a good opportunity to evaluate the security of your printing architecture (network isolation, access controls, printer management, etc). ---- Raul Siles Founder and Senior Security Analyst with Taddong www.taddong.com	Raul Siles 152 Posts Jun 21st 2012
Thread locked Subscribe	Jun 21st 2012 1 decade ago
Hey There, that link looks wrong, did you mean http://www.symantec.com/business/support/index?page=content&id=TECH190982 instead.	Anonymous
Quote	Jun 21st 2012 1 decade ago
Thanks, it has been fixed.	Raul Siles 152 Posts
Quote	Jun 21st 2012 1 decade ago
Just posted http://www.symantec.com/connect/blogs/trojanmilicenso-paper-salesman-s-dream-come-true	Raul Siles 1 Posts
Quote	Jun 21st 2012 1 decade ago
One thing that they are not mentioning is that in the /printers folder you will have two files for the malicious job. The SPL file which is the malware, and there is a SDH file that will actually contain the userID of the infected user. So if you are seeing a lot of machines firing off the alerts look at the SDH file to find the infected user.	Raul Siles 2 Posts
Quote	Jun 21st 2012 1 decade ago
- http://www.symantec.com/connect/blogs/printer-madness-w32printlove-video July 2, 2012 - "... we came across a new -worm- that causes the garbage print jobs. Symantec detects this worm as W32.Printlove. W32.Printlove uses the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (CVE 2010-2729)* discovered in 2010 to spread across networks. We have created a video..." * https://technet.microsoft.com/en-us/security/bulletin/MS10-061 MS10-061 - Critical - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2729 - 9.3 (HIGH) Last revised: 07/19/2011 - "... as exploited in the wild in September 2010, aka 'Print Spooler Service Impersonation Vulnerability'." .	Jack 160 Posts
Quote	Jul 3rd 2012 9 years ago