
SANS ISC: Print bomb? - SANS Internet Storm Center


Print bomb?

There have been several reports now of PCs on the network printing what looks like an executable to a large number of printers.  Several scanning tools will cause this kind of behaviour, but in the instances I know of these tools were not being used on the network at the time.  The various AV products aren't great at picking this up, yet. 

If you have this happen in your network use your logs to determine the sending machine (will be in the print logs) and take it offline for investigation and re-imaging. If you happen to have the actual malware upload it via the contact form and make our malware guys and gals happy.

Mark

Some updates:

Other than the excellent comments made to the diary (thanks), we received a file that is reportedly the file being sent to the printers - e864689c6897dab7daa727f2ab70ef5a. This file is some adware that currently has a 21/41 detection rate, which is slowly improving. The dropper is BA9D4EFB6622D4DE95C162D95CB171A4 and has a detection rate of 17/41 at the moment.

Mark

391 Posts
ISC Handler
Years ago, I experienced this at a site. It was a virus spreading by network shares, and not knowing the difference between storage and printer shares. Is it possible this is a new version of the same thing?
Anonymous
I've heard some reports that this could be in connection to ponmocup malware infections.
You could check suspicious hosts for certain registry keys / values:

C:\>reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" | find "REG_BINARY"
(under the user account that showed the suspicious behaviour)

C:\>reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" | find "REG_BINARY"

and look for single digit value names (especially "6" and "9") with fairly large binary values.

If you find such infections I'd be happy to hear about it (you'll find my email in references or Twitter: @c_APT_ure )

References:
http://ioc.forensicartifacts.com/2012/04/ponmocup-2/
http://c-apt-ure.blogspot.ch/search/label/ponmocup
TomU

8 Posts
We've recently been hit with this, and have engaged Trend in the process. The whole thing is very Bugbear, with the DLL printing (not EXE here) and inclusion of 'This Program Cannot Be Run In DOS Mode' on the first sheet.

We have a copy of the offending DLL that Malwarebytes identified as well as MANY print queue samples.

Currently hardening printers and searching for more info.
TomU
1 Posts
https://community.mcafee.com/thread/45989?start=10&tstart=0
---
Jun 8, 2012 8:02 AM (in response to Raj909)
Re: Printer Virus?

To follow on from Raj909's post regarding it being mentioned on SANS, I can confirm that the affected machine on our network did indeed have single digit name REG_BINARY entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
It also drops an entry with what looks like random characters for a name in to HKCU\Software\Microsoft\Windows\CurrentVersion\Run which runs the .dll file which is dropped in the users' Application Data folder. eg-
vjdg REG_SZ rundll32 "C:\Documents and settings\<user>\Application Data\netui0p.dll", QJNDKZXSB
---

This looks like Ponmocup infections, too!

Also check for random subkeys under HKLM\Software and HKCU\Software:
http://security-research.dyndns.org/pub/botnet/ponmocup/ponmocup-analysis_2012-02-18.html

A year ago this botnet was several million bots big (http://www.abuse.ch/?p=3294).
TomU

8 Posts
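As an added example (not code from the diary or any of the commenters), a PowerShell check that combines the two registry indicators described above: the single-digit REG_BINARY value names under Internet Settings that TomU suggests querying, and a Run entry that starts rundll32 on a DLL in Application Data, as in the quoted McAfee post. It assumes it runs on the suspect host as the affected user so HKCU is that user's hive; the 1 KB size threshold is a constructed heuristic, not a figure from the page.

```powershell
# Added example, not code from the diary or its commenters. Run it as the
# affected user so HKCU is that user's hive; the 1 KB threshold is a
# constructed heuristic, not a figure from the page.
function Find-PrintBombIndicators {
    $Hits = @()
    foreach ($Hive in 'HKCU', 'HKLM') {
        # 1. Single-digit REG_BINARY value names (notably "6" and "9")
        #    under Internet Settings
        $Key = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (Test-Path $Key) {
            $Item = Get-Item -Path $Key
            foreach ($Name in $Item.GetValueNames()) {
                if ($Name -match '^\d$' -and $Item.GetValueKind($Name) -eq 'Binary') {
                    $Size = $Item.GetValue($Name).Length
                    $Hits += [pscustomobject]@{
                        Indicator  = 'InternetSettings-binary'
                        Key        = $Key; Name = $Name
                        Detail     = "$Size bytes"
                        Suspicious = ($Size -ge 1024)
                    }
                }
            }
        }
        # 2. Run entries that launch rundll32 on a DLL in Application Data,
        #    like the "vjdg ... netui0p.dll" entry in the quoted McAfee post
        $Key = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (Test-Path $Key) {
            $Item = Get-Item -Path $Key
            foreach ($Name in $Item.GetValueNames()) {
                $Cmd = [string]$Item.GetValue($Name)
                if ($Cmd -match '(?i)rundll32' -and $Cmd -match '(?i)Application Data|\\AppData\\') {
                    $Hits += [pscustomobject]@{
                        Indicator  = 'Run-rundll32-appdata'
                        Key        = $Key; Name = $Name
                        Detail     = $Cmd
                        Suspicious = $true
                    }
                }
            }
        }
    }
    return $Hits
}

Find-PrintBombIndicators | Format-Table -AutoSize
```

A hit in the output is a lead for the log-based investigation Mark describes, not proof of infection on its own; legitimate software can also register rundll32 Run entries.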
