Some of the newest printers have scan-to-email ability, a feature that allows users to email scanned documents to a specified email address on demand. Symantec Intelligence has identified malware authors using social engineering tactics that take advantage of this, sending executables in a compressed “.zip” archive via email. The attachment contains an executable disguised as a scanned document from a printer, as shown in the example in figure 1, below.
Figure 1: Example of malicious email masquerading as a scanned document sent from an office printer
In each case the sender domain was spoofed to match the recipient domain, sometimes making the message appear to have been forwarded to the recipient by a colleague at the same organization, so that the email seemed to originate internally.
To be clear, office printers and scanners will not send malware-laden files, and many are unlikely to be able to send scanned documents as “.zip” file attachments. No printer or scanner hardware was involved in the distribution process, and in general, users should always be careful when opening email attachments, especially from an unknown sender.
Some examples are shown in figure 2, below.
Figure 2: Examples of malicious emails spoofing smart office printer/scanners
Figure 3 shows statistics that Symantec Intelligence gathered by observing these emails during a 24-hour period beginning 13 September 2011.
| Subjects | Frequency | Unique Attachments |
|---|---|---|
| Scan from a [printer name A] #{6-8 random digits} | 742 | 1,393 |
| Scan from a [printer name B] #{6-8 random digits} | 41 | 779 |
Figure 3: Table showing the frequency and number of different attachments spoofing a printer
In these examples, the attacker has also changed the file extension of the archived file in such a way as to display a “.doc” extension when viewed using certain archiving tools, as shown in figure 4, below.
Figure 4: Example of “.zip” archive incorrectly displaying contents with “.doc” extension
The actual file name stored in the “.zip” archive ends in “cod.exe”, but some archiving tools display it incorrectly because of a special hidden character (hex code 0xAB) that precedes the “cod.exe” part of the file name. The result is that the archive viewer shows the file name as ending in “exe.doc” instead.
In addition to the above examples, we have also seen the same strain of malware distributed using a number of different subjects and two different file names, in one case posing as a document and in the other as a photograph, as shown in figure 5, below.
| File Name | Frequency |
|---|---|
| Document_NR727875272_Coll=d4=c7=abcod.exe | 410 |
| photo_W71765413082011_Coll=d4=c7=abgpj.exe | 149 |
Figure 5: Table showing the frequency of another example
As before, a file name ending in “cod.exe” will be incorrectly displayed by some “.zip” archive viewing tools as “exe.doc”, and similarly “gpj.exe” will be displayed as “exe.jpg”.
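The display trick relies on the viewer, not the archive, so the defensive check belongs on the archive's own central directory, where the true name and the true content are unambiguous. The Python below is an added example covering both the “cod.exe” case in figure 4 and the two file names in figure 5; it is not code from the article or from Symantec. The archive is constructed in memory, and the three characters standing in for the page's “=d4=c7=ab” bytes are assumed to decode as U+00D4 U+00C7 U+00AB (the page names only the 0xAB byte as the hidden character). The check also covers Unicode bidirectional-override characters, which is a generalization beyond the specific byte the page quotes.

```python
import io
import unicodedata
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# Extensions a user is happy to double-click on; the trick makes an .exe look like one of these.
BENIGN_EXTS = {"doc", "docx", "pdf", "jpg", "jpeg", "png", "gif", "txt", "xls", "rtf"}
PE_MAGIC = b"MZ"


def build_sample_archive() -> bytes:
    """Constructed archive mirroring the file names on the page. The three
    characters before 'cod.exe' / 'gpj.exe' stand in for the bytes D4 C7 AB;
    the executables are stubs that begin with the PE 'MZ' signature."""
    hidden = "\u00d4\u00c7\u00ab"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Document_NR727875272_Coll" + hidden + "cod.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("photo_W71765413082011_Coll" + hidden + "gpj.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("Scan_0001.pdf", b"%PDF-1.4\n")  # a legitimate-looking entry for contrast
    return buf.getvalue()


def odd_characters(name: str) -> list:
    """Characters outside printable ASCII in an entry name: 8-bit bytes such as
    the page's 0xAB, control characters, and Unicode format characters (the
    bidirectional overrides are category Cf)."""
    return [
        f"U+{ord(c):04X}"
        for c in name
        if ord(c) < 0x20 or ord(c) > 0x7E or unicodedata.category(c) in ("Cc", "Cf")
    ]


def reversed_extension(name: str):
    """For '...cod.exe', the three characters before the real extension read
    backwards spell 'doc': the extension a viewer shows once display order is
    flipped. Returns that benign-looking extension, or None."""
    stem, _, ext = name.rpartition(".")
    if ext.lower() not in EXECUTABLE_EXTS or len(stem) < 3:
        return None
    shown = stem[-3:][::-1].lower()
    return shown if shown in BENIGN_EXTS else None


def inspect_archive(data: bytes) -> list:
    """Walk the central directory and report, per entry, what the name really
    ends in, whether the content starts like a PE file, and the two tricks above."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = name.rpartition(".")[2].lower()
            with zf.open(info) as fh:
                head = fh.read(len(PE_MAGIC))
            findings.append({
                "name": name,
                "true_ext": ext,
                "executable_ext": ext in EXECUTABLE_EXTS,
                "pe_header": head == PE_MAGIC,
                "hidden_chars": odd_characters(name),
                "displayed_as": reversed_extension(name),
            })
    return findings


def is_malicious_archive(data: bytes) -> bool:
    """Block if any entry is executable by extension, by content, or is disguised."""
    return any(f["executable_ext"] or f["pe_header"] or f["displayed_as"] for f in inspect_archive(data))


if __name__ == "__main__":
    for f in inspect_archive(build_sample_archive()):
        print(f)
    print("malicious:", is_malicious_archive(build_sample_archive()))
```

Note that the verdict does not depend on the name check alone: an entry whose content begins with the PE signature is blocked whatever its name says, so renaming the payload or choosing a different hidden character does not help the attacker.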
Figure 6, below, shows some other interesting subject lines that were also used to distribute this particular malware run during the same 24-hour period beginning 13 September.
Figure 6: Examples of other social engineering subjects used to spread the same malware
| Some Other Interesting Subjects | Frequency |
|---|---|
| Pornographic mail | 85 |
| Company Contract doc | 40 |
| Tax debt notification | 34 |
| Revenue ( IRS ) Department | 25 |
| Printer Scanned doc | 21 |
| domain suspension mail | 9 |
| pornographic picture | 3 |
Figure 7: 24-hour snapshot showing variety of subject frequencies in use to distribute malware
It is evident from the variety shown in these examples that the attackers are trying a wide range of social engineering strategies in order to trick the recipient into opening the malicious attachment.