Trojan Causes Printers Worldwide to Print Until They Run Out of Paper

Status
Not open for further replies.

Malware1

Level 76
Thread author
Sep 28, 2011
6,545
Trojan.Milicenso: A Paper Salesman’s Dream Come True

Over the past two weeks, an outbreak of Trojan.Milicenso has resulted in multiple reports of massive print jobs being sent to print servers, printing garbage characters until the printer runs out of paper. Our telemetry data has shown the worst hit regions were the US and India followed by regions in Europe and South America. We originally encountered Trojan.Milicenso in 2010 and our initial investigation had shown that this was basically a malware delivery vehicle for hire. The payload that is most commonly associated with this latest version is Adware.Eorezo; an adware targeting French speaking users.

More info: http://www.symantec.com/connect/blogs/trojanmilicenso-paper-salesman-s-dream-come-true
 

McLovin

Level 78
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,224
Symantec researchers have noticed that a Trojan dubbed Milicenso is causing havoc worldwide by commanding printers to print “garbage characters” until they run out of paper. The curious thing is that this may not be its actual purpose, but a side effect.



The countries most affected by the malware are the US, India, and a handful of countries from Europe and South America.

Milicenso, first identified in 2010, uses a number of methods to spread, including email attachments and scripts hosted on websites. The Trojan’s payload is often associated with Adware.Eorezo, a piece of adware that’s designed to target French users.

So, how does it work?

First, the Trojan creates a dropper executable which strategically places a number of .exe and .dll files in various locations, including the System, Program Files, and Temp folders.

Then, the threat checks to make sure that it’s not being executed in a virtual machine or a sandbox.

“What is really interesting here is that most sandbox detection/check routines are used as a protection mechanism to enable a threat to hide itself or thwart analysis. However, in this case despite detecting the presence of a sandbox the threat, instead of ceasing all activity, actually performs certain specific activities, such as contacting sites,” researchers explained.

By performing certain activities specific to the Eorezo adware, the malicious element distracts attention from itself, this being a technique employed to avoid analysis.

An interesting aspect is that one of the files downloaded by the malware is actually signed by a digital certificate issued for Agence Exclusive, a company that may have never existed.

And here’s the really interesting part. The Trojan has been designed to steal information just like other similar threats, but because at one point during the infection phase it creates a .spl file in Windows’ print spooler directory, the content of the malicious file is automatically printed.

“Depending on the configuration, any files, including binary files, created in that folder will trigger print jobs. This explains the reports of unwanted printouts observed in some compromised environments,” experts said.

Which would explain why instead of something like “You have been hacked!” random characters are printed.

SANS has discovered a new variant of the malware that’s cleverly designed to avoid being detected by antivirus software.

Until security solutions providers manage to contain the infection, make sure to keep your antivirus up-to-date and avoid suspicious-looking emails.

Source
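A defender-side check for the spooler behaviour described in the post above, as an added example that is not part of the thread or of Symantec's write-up. It flags `.spl` files in a copy of the print spooler directory that lack the `.shd` shadow file the spooler normally writes beside a queued job, or that start with an executable header. The function names, the two heuristics and the sample files are assumptions made for illustration.

```python
import os
import tempfile

PE_MAGIC = b"MZ"  # first two bytes of a Windows executable or DLL


def audit_spool_dir(path):
    """Return [(file name, [reasons])] for .spl files that look out of place."""
    names = os.listdir(path)
    present = {n.lower() for n in names}
    findings = []
    for name in sorted(names):
        stem, ext = os.path.splitext(name)
        if ext.lower() != ".spl":
            continue
        reasons = []
        # Assumption: the spooler writes NNNNN.SHD beside each NNNNN.SPL it queues.
        if stem.lower() + ".shd" not in present:
            reasons.append("no matching .shd")
        with open(os.path.join(path, name), "rb") as fh:
            if fh.read(2) == PE_MAGIC:
                reasons.append("PE header")
        if reasons:
            findings.append((name, reasons))
    return findings


def demo():
    """Run the audit over a constructed directory standing in for spool\\PRINTERS."""
    samples = {  # constructed sample files, not taken from a real infection
        "00002.SPL": b"%!PS-Adobe-3.0\n",
        "00002.SHD": b"\x00" * 16,
        "00003.SPL": b"MZ\x90\x00" + b"\x00" * 60,
        "report.spl": b"plain text",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return audit_spool_dir(tmp)


if __name__ == "__main__":
    for name, reasons in demo():
        print(f"{name}: {', '.join(reasons)}")
```

A flagged file is a lead for triage, not a verdict: a job can briefly exist without its shadow file while the spooler is still writing it.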
 

Gnosis

Level 5
Apr 26, 2011
2,779
I experienced something like this a couple of years ago with my parents' PCs; random characters would be printed for a line or two and then another page would print with similar jargon until the paper was out.
 

pcjunklist

Level 1
Dec 28, 2011
523
You more than likely had a driver issue and not a virus.

Looks pretty bad that the virus is still infecting machines 2 years later without any proper definitions from the AV companies.

ZOU1 said:
I experienced something like this a couple of years ago with my parents' PCs; random characters would be printed for a line or two and then another page would print with similar jargon until the paper was out.
 