Printer Madness: W32.Printlove Video
Recently we have received several customer issues about garbage being printed on their network printers. During our investigation, we came across a new worm that causes the garbage print jobs. Symantec detects this worm as W32.Printlove. W32.Printlove uses the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (CVE-2010-2729), discovered in 2010, to spread across networks. We have created a video that demonstrates how it accidentally prints garbage.
In the preceding video we demonstrate two scenarios where the threat will act differently based on whether a computer on the network is patched against CVE-2010-2729 or not. We tested the threat on a simple network consisting of two computers and a shared network printer, connected by a switch.
Computer A configuration: Windows XP Professional. The computer is patched against CVE-2010-2729 and is compromised by W32.Printlove. It does not have a local or shared printer added to it.
Computer B configuration: Windows XP Professional. In the first scenario the computer is un-patched and in the second scenario it is patched. It has a shared network printer.
Computer A must have permission to submit print jobs on Computer B. Guest access to shared print services is enabled by default on Windows XP; for subsequent operating systems Computer A should be authenticated by Computer B.
The two scenarios in which this threat may work are as follows:
- W32.Printlove running on Computer A will search for a printer resource on the network. Once found, it transfers itself to Computer B using a StartDocPrinter request (Figure 3). The Print Spooler vulnerability allows any file transferred through the print spooler to be copied to any directory. The threat successfully launches itself on Computer B after exploiting this vulnerability. Figure 1 below shows the first scenario.
Figure 1. First scenario, remote code execution
- W32.Printlove running on Computer A will act in a similar manner and transfer itself to Computer B. As Computer B is patched, the worm will be unsuccessful in exploiting the vulnerability. The manner in which the vulnerability is patched does not allow a printer request to print to a file in any directory. Due to this, the worm is unable to copy itself to the system directory and run itself using the exploit. Instead it is saved in Computer B’s print spooler directory as an .spl file (%System%\Spool\PRINTERS\[RANDOM FILE NAME].spl). Computer B starts printing the file on its shared printer. Figure 2 below shows scenario 2.
Figure 2. Second scenario, print jobs
Figure 3 below shows the threat transferring itself over the network using a StartDocPrinter request.
Figure 3. Exe file being sent to a shared printer resource
W32.Printlove keeps connecting to the remote computer and periodically tries to infect it through the print spooler vulnerability. Computers may be re-infected or multiple garbage printouts may occur until the worm is completely removed from the network. Tracking down the source of these junk print jobs can be more complicated when there are multiple infections on the network. Network administrators can identify the compromised computer on the network by viewing the .shd files located in the print spooler directory of the computer sharing the printer, normally located here:
%System%\Spool\PRINTERS\[RANDOM FILE NAME].shd
SHD files are created by the OS and contain the printer job details. The file can be viewed using a tool called SPLViewer. Since the files are locked by the Print Spooler Service, the service has to be stopped in order to access the .shd file. Administrators can spot the compromised computer on the network by looking at the Computername field (Figure 4), which indicates the origin of the printer job.
Figure 4. SPLViewer shows the job file origin
Garbage printing is a side effect experienced by hosts that are patched against CVE-2010-2729 but are attacked by W32.Printlove. Symantec customers are protected against the threat with the latest antivirus definitions.
Note: There may be a link between Trojan.Milicenso and W32.Printlove, but we have not yet confirmed this. We intend to continue our investigation to confirm any relationship between the two threats.
If you are curious about what the garbage printout looks like, here is a picture of one of them. The printer is effectively trying to print the binary code of the executable file that is dropped. For a Windows executable file, this starts with the text "MZ", indicating the start of the so-called "MZ" header.
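The check below is an added example, not code from the original post or from Symantec. It flags .spl files in a spool directory whose content is a Windows executable (an "MZ" header pointing to a valid "PE" signature) and names the matching .shd file to inspect for the job's origin. It assumes the spooled job holds the raw bytes of the executable from offset 0; the function names and sample files are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header that points to a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # file offset of the PE header
    # An out-of-range offset yields an empty slice, so this is simply False.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_executable_spool_jobs(spool_dir):
    """Return [(spl_name, shd_name_or_None)] for spool jobs that are executables."""
    # Index by lower-cased name so .SPL/.SHD match on case-sensitive file systems.
    files = {p.name.lower(): p for p in Path(spool_dir).iterdir() if p.is_file()}
    hits = []
    for name, spl in sorted(files.items()):
        if not name.endswith(".spl"):
            continue
        with spl.open("rb") as fh:
            head = fh.read(4096)  # DOS header and PE signature sit near the start
        if looks_like_pe(head):
            shd = files.get(name[:-4] + ".shd")  # job details, including the origin
            hits.append((spl.name, shd.name if shd else None))
    return hits

def build_sample_dir():
    """Constructed sample data: one PE-shaped job and one ordinary print job."""
    d = Path(tempfile.mkdtemp())
    pe = bytearray(0x80)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)
    pe[0x40:0x44] = b"PE\x00\x00"
    (d / "00002.SPL").write_bytes(bytes(pe))
    (d / "00002.SHD").write_bytes(b"constructed placeholder, not a real SHD")
    (d / "00003.SPL").write_bytes(b"%!PS-Adobe-3.0\n" + b" " * 0x40)
    return d

if __name__ == "__main__":
    for spl, shd in find_executable_spool_jobs(build_sample_dir()):
        print(f"{spl}: executable content; check job origin in {shd}")
```

Because the Print Spooler Service locks these files, run the check with the service stopped or against a copy of the spool directory.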