Is the 'Printer' Virus Simply A Low Risk Malware or Is There More To It?

It was a fine Monday morning, but the office printers were not so fine! Printers started to behave erratically, spewing out pages of garbled text until the paper ran out. Soon the Internet buzzed with news of a new printer virus affecting businesses largely in the US, India, Europe, and South America. Even before analysts set themselves to their tasks, it was clear that this new virus was an innovation of yet another group of cyber criminals.

The creativity of malware writers seems to have touched new heights with the discovery of the 'Print Bomb'. The printer bomb, 'Trojan.Milicenso', is essentially a new variant of an old Trojan, but its authors have modified it just enough in its new avatar to make it discharge printouts by sending enormous print jobs to print servers.

The Trojan, once downloaded onto the user's PC, drops a copy of the executable 'Adware.Eorezo' as an .spl file (a Windows printer spool file) in the Windows printer spool directory. The spool directory holds copies of the files that printers are supposed to print. Note that, even though users can specify a custom spool directory, most PCs are configured by default to use the Windows spool directory. Thus printers attached to computers infected by this Trojan automatically print the contents of the .spl file until the paper runs out.

On a quick analysis, it looks like a case of low-risk malware that serves up advertisements, consuming resources and slowing networks down. But did it end there?

Delving a little deeper, it turned out that 'Trojan.Milicenso' achieves its end by installing a "dropper executable", which creates a DLL file in the system folder. A DLL, or dynamic link library, is a collection of code routines shared between programs; such routines can be used to communicate with devices such as printers. In this case, the Trojan leveraged the DLL to communicate with a printer. And the malware authors were careful enough to heavily encrypt the DLL file, making analysis hard: proof of the increasing professionalism among cyber criminals.

As for Adware.Eorezo, it redirects users to a French-language website, and it has been lightly dismissed, even as a boon to paper salesmen. In some quarters, however, this highly encrypted malware is seen as a red herring that draws investigators' attention away from its lethality and tries to fool experts into dismissing it as low-risk malware. There are reasons that support this line of thinking about this 'still-to-be-understood' malware, which in a nutshell are:

- It is highly encrypted
- It uses multiple detection/check routines to disable detection and prevent analysis
- It exploits intimate details of the OS
- It uses data files as executables
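The spool-directory behaviour described earlier and the traits listed above (an executable dropped as a .spl "data file", a heavily encrypted payload) suggest a simple defensive triage: inspect the files a spooler is about to print rather than trusting their extension. The script below is an added example and is not code from the original post or from any vendor named on it. It builds a throwaway directory with constructed sample files, then flags any .spl file that starts with the PE 'MZ' signature, has no companion .SHD job header (the spooler normally writes jobs as NNNNN.SPL with a matching NNNNN.SHD), or has byte entropy above 7.0 bits/byte (an assumed threshold; ordinary spool data sits well below it while encrypted or packed payloads approach 8.0). The file name Adware.Eorezo.spl and its contents are constructed here for illustration.

```python
"""Triage a Windows printer-spool directory for disguised or encrypted payloads.
Added example, not from the original post; sample files are constructed below."""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: plain EMF/RAW spool data rarely exceeds ~7.0 bits/byte,
# while encrypted or packed payloads approach the 8.0 maximum.
HIGH_ENTROPY_BITS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def audit_spool_file(path: Path) -> list[str]:
    """Return the findings for one .spl file (empty list means nothing odd)."""
    findings = []
    data = path.read_bytes()
    # A Windows PE image begins with the 'MZ' DOS stub; genuine spool data never does.
    if data[:2] == b"MZ":
        findings.append("pe-executable-as-spool-file")
    # The spooler pairs each NNNNN.SPL job with an NNNNN.SHD job header.
    if not (path.with_suffix(".SHD").exists() or path.with_suffix(".shd").exists()):
        findings.append("no-matching-shd-job-header")
    if shannon_entropy(data) > HIGH_ENTROPY_BITS:
        findings.append("high-entropy-payload")
    return findings


def audit_spool_dir(spool_dir: str) -> dict[str, list[str]]:
    """Map each suspicious .spl file name in the directory to its findings."""
    results = {}
    for entry in Path(spool_dir).iterdir():
        if entry.suffix.lower() == ".spl":
            findings = audit_spool_file(entry)
            if findings:
                results[entry.name] = findings
    return results


def build_sample_spool_dir() -> str:
    """Construct a temporary spool directory: one benign job, one suspect file."""
    d = Path(tempfile.mkdtemp(prefix="spool-"))
    # Benign job (constructed): low-entropy text plus its .SHD companion.
    (d / "00001.SPL").write_bytes(b"Quarterly report page 1\n" * 50)
    (d / "00001.SHD").write_bytes(b"\x00" * 64)
    # Suspect file (constructed): PE stub followed by a deterministic hash chain
    # standing in for an encrypted payload, with no .SHD job header.
    payload, block = b"", b"seed"
    while len(payload) < 4096:
        block = hashlib.sha256(block).digest()
        payload += block
    (d / "Adware.Eorezo.spl").write_bytes(b"MZ\x90\x00" + payload)
    return str(d)


if __name__ == "__main__":
    for name, findings in audit_spool_dir(build_sample_spool_dir()).items():
        print(f"{name}: {', '.join(findings)}")
```

Run against a real spooler directory, the same three checks apply unchanged; only the orphan-.SHD check needs care, since a job caught mid-write can briefly lack its header, so treat that finding as a prompt to re-check rather than as proof on its own.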

And while the limelight is still on the printer virus episode, a new variant of the Trojan is already circulating, modified further in the design of its executables to avoid detection. The malware authors never seem to give up their ways. Hence, protection emerges as the only way out.

Talking about security solutions to such malware and virus attacks, Cyberoam Unified Threat Management appliances offer comprehensive security to small, medium and large enterprises through multiple security features integrated on a single platform. It is the first UTM that embeds user identity in the firewall rule matching criteria, offering instant visibility and proactive controls over security breaches and eliminating dependence on IP addresses. Its Layer 8 (identity-based security) technology platform makes security simple, yet highly effective. Cyberoam, with its Extensible Security Architecture (ESA) and multi-core technology, carries the ability to combat future threats to organizations' security. To read more about Cyberoam and the solutions it offers, visit http://www.cyberoam.com/
