Endpoint Protection


Print server gone wild

Migration User, Jun 12, 2012 08:53 AM

  • 1.  Print server gone wild

    Posted Jun 08, 2012 04:52 PM

    Running Endpoint 12.1. Every printer on our print server started printing a few lines of random characters until the printer tray was empty. The event log shows all the jobs were sent from a single PC with a nonsense document name such as:

    Document 51, bgyspigwbulxxeg owned by Xuser on xIP was printed on ...

    Document 107, oyvsnxvrhcdxbbq owned by Xuser on xIP  was printed ...

    Document 159, ggjzuojhzcfqjov owned by  Xuser on xIPx  was printed on...

    Document 160, dlyjoygizpmhiff owned by Xuser on xIP was printed on .

    When I Google "printing virus", the McAfee forum has the same issue. Has anyone else seen this issue? Any corrective action?



  • 2.  RE: Print server gone wild

    Posted Jun 08, 2012 05:14 PM

    Run a third party malware remover like Malwarebytes. That has found and removed the problem in the past.



  • 3.  RE: Print server gone wild

    Broadcom Employee
    Posted Jun 08, 2012 05:21 PM

    Hi Michael

    We are seeing this issue globally right now and have been working on it for several days. It's a multi-part attack that we started picking up as Trojan.Milicenso and Adware.Gen. Then Trojan.ADH.2 and for now at least Adware.Eorezo.

    I put together this quick FAQ but it is not a finished work as we are still very much in the middle of this investigation.

    1-What is happening?
    Adware.Eorezo is being written into the printer spooler directory and some printer programs are set to print anything in this directory, including the binary in the form of ASCII characters. This was likely an unintended side effect.

    The Adware is being dropped into this directory by a new variant of Trojan.Vundo (running as a hidden scheduled task) that uses client specific encryption to evade detection.

    2-What exactly is this, W32.Bugbear@mm?
    We are still working out all the details but we can say this is not W32.Bugbear. The files that are residing in the printer directory are an adware downloader, and the adware itself. The third file is a dll written to be a downloader and run from a scheduled task. This appears to resemble the Trojan.Vundo family.

    3-How dangerous is it? And why is it different than any other malicious code?
    There is nothing to indicate that this is dangerous. It’s mostly just annoying and wasteful. Very wasteful. That said, the files are heavily encrypted and we may learn that the threat they represent is larger than we can initially see, once the analysis is complete.

    4-What is its purpose? Blow up a reactor?
    NO. Everything we have seen so far says this is buggy adware.

    5- Who created it? And when?
    No information yet

    6-Which countries are affected?
    There is no indication that this is a targeted attack.

    7-Are we detecting it now?
    Some, if not most of it is being detected with current Rapid Release defs and certified later today. We are working at increasing our coverage to take on the heavy encryption, so that we can pick it all up.


    Hope this helps.. more to follow.




  • 4.  RE: Print server gone wild

    Posted Jun 09, 2012 12:36 PM

    hey all, do you know if the rapid release was pushed out yet? We are getting nailed by this.


    Thanks!



  • 5.  RE: Print server gone wild

    Posted Jun 09, 2012 04:11 PM

    Same issues here.. it's detecting, but not cleaning it out. We seem to get ahead of it, and then it comes back. The paper companies are loving this one. Running June 8th r33



  • 6.  RE: Print server gone wild

    Posted Jun 09, 2012 10:56 PM

    Jim,


    Same here- we're running the same Jun 8th r33...




  • 7.  RE: Print server gone wild

    Posted Jun 11, 2012 04:30 AM

    A large number of the variants should be detected with the latest definitions. In addition to the names listed by Brandon above, Symantec products will detect these as Packed.Generic.371 or Packed.Generic.372.

    Please do use your printer logs to determine which computers are sending the print jobs to the printers. Run a full system scan on those computers after updating with the latest Rapid Release definitions. If those computers still send these odd print jobs, they should then be examined for any suspicious files which may be present.

    And if you do discover those files, please do submit them to Symantec Security Response! We can add coverage against threats, but need submissions to do this.



  • 8.  RE: Print server gone wild

    Posted Jun 11, 2012 09:03 AM

    Thanks for the update. I have updated the definition and a full scan is in progress on the problem PC. I'll let you know the results.



  • 9.  RE: Print server gone wild

    Posted Jun 11, 2012 11:32 AM

    How is this actually being detected?  What other indicators are there of infection?

    We are getting several alerts indicating a print spool file infected with Adware.Eorezo, is there any method you suggest to confirm this indicator?

    From the looks of the ThreatExpert report, it looks like I should find this software installed on each of these...
    http://www.threatexpert.com/report.aspx?md5=8e7f696549b9f4d409a3fcd51f8e3e30


    Is this correct? I mean, before I start to remediate the 30+ machines (both workstations and servers), I'd better be sure these aren't false positives. Anything Symantec can do to provide some further indicators of infection would be great.



  • 10.  RE: Print server gone wild

    Broadcom Employee
    Posted Jun 11, 2012 12:39 PM

    Thanks for all the great information over the weekend and for your patience as we improve detection and analysis. We are still receiving samples of this threat and updates are still coming out fairly regularly.

    Monday morning update - work continues

    1. What is this threat?
    Adware.Eorezo and Trojan.Milicenso along with threats that show traits of each. As well as Packed.Generic.372 and Packed.Generic.371.
    The ability to detect these files is based on the traits of the packer being used. But the threat classification or naming of the files is based on the dropper (the file that gets the threat there), and we will need to complete a full analysis of that before we can fully understand all the parts of this threat.

    2. What is it doing?
    It's downloading two types of files:
    Payload - Adware.Eorezo and Trojan.Milicenso
    Jpegs - used steganographically to provide commands to the payload

    3. Where is it downloading from?
    Jpegs are downloaded from
    hxxp://storage1.static.itmages.ru
    hxxp://storage5.static.itmages.ru

    4. Why is it taking so long to create "complete" detection?
    Each component of this threat is highly encrypted. The key for that encryption is different for each computer because it is based on
    -    VolumeSerialNumber of the system volume.
    -    Creation time of "c:\windows\system32" and "c:\System Volume Information"
    This means that each individual machine will have a series of files that are unique at the byte level.

    5.What is the latest detection available in certified definitions for this?
    Certified definitions: 6/10/2012 rev. 17 seq 135100 (these have updated, but not the most up to date detection)

    6. How do I get the most up to date definitions?
    Detections are being added to Rapid Release defs every 5 or 6 hours as we fine-tune our coverage.

    7. Suggested actions

    • Update with current RR defs
    • Find undetected infected machines
      • Use printer logs to determine infected machines
      • Use firewall logs to determine machines that  are connecting to:
        • hxxp://storage1.static.itmages.ru
        • hxxp://storage5.static.itmages.ru
    • Submit undetected files. - The more samples we have the more we can be sure we are picking it all up.

    More info to come as we continue to work this issue
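The two "find undetected infected machines" steps above (printer logs and firewall logs) can be scripted. The following is an added example, not code from the thread or from Symantec: it parses print-server "Document printed" messages in the shape quoted at the top of the thread, flags senders that emit a burst of random-looking document names (a later poster notes the real cases "come in large bursts", while misconfigured printers produce only scattered hits), and separately lists source IPs that contacted the two download hosts named above. The log formats, the sample lines, the 12-to-20-lowercase-letter name pattern, the 10-minute window and the threshold of 3 are all assumptions of this example; the `.itmages.ru` suffix check generalises the "block the base domain" step a later poster describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of Windows PrintService "Document printed"
# (event 307) messages, prefixed with the event time as an export tool would.
# Four jobs from one workstation carry random 15-letter document names like the
# names quoted in the thread; one legitimate job and one isolated odd name are
# included so the burst threshold has something to ignore. Not real log data.
PRINT_LOG = """\
2012-06-08 15:01:02 Document 51, bgyspigwbulxxeg owned by jdoe on WS-0417 was printed on HP-LJ-3 through port IP_10.0.0.15. Size in bytes: 4096. Pages printed: 3.
2012-06-08 15:01:40 Document 52, Q2 report.docx owned by asmith on WS-0102 was printed on HP-LJ-3 through port IP_10.0.0.15. Size in bytes: 88212. Pages printed: 4.
2012-06-08 15:02:15 Document 107, oyvsnxvrhcdxbbq owned by jdoe on WS-0417 was printed on HP-LJ-2 through port IP_10.0.0.16. Size in bytes: 4096. Pages printed: 3.
2012-06-08 15:03:50 Document 159, ggjzuojhzcfqjov owned by jdoe on WS-0417 was printed on HP-LJ-3 through port IP_10.0.0.15. Size in bytes: 4096. Pages printed: 3.
2012-06-08 15:04:05 Document 160, dlyjoygizpmhiff owned by jdoe on WS-0417 was printed on HP-LJ-1 through port IP_10.0.0.17. Size in bytes: 4096. Pages printed: 3.
2012-06-08 15:30:00 Document 161, tmpspoolcheckxx owned by pmiller on WS-0200 was printed on HP-LJ-1 through port IP_10.0.0.17. Size in bytes: 512. Pages printed: 1.
"""

# Constructed firewall/proxy export: "<date> <time> <src_ip> -> <destination host>".
FW_LOG = """\
2012-06-08 14:58:12 10.0.0.77 -> storage1.static.itmages.ru
2012-06-08 14:58:13 10.0.0.77 -> storage5.static.itmages.ru
2012-06-08 14:59:00 10.0.0.23 -> www.example.com
"""

EVENT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) Document (\d+), (.+?) owned by (\S+) on (\S+) "
    r"was printed on (.+?) through port"
)
# One lowercase alphabetic token with no extension or spaces, as in the thread's samples.
RANDOM_NAME = re.compile(r"^[a-z]{12,20}$")
# Download hosts named in the thread; the suffix test below is this example's assumption.
WATCHED_HOSTS = {"storage1.static.itmages.ru", "storage5.static.itmages.ru"}


def parse_print_log(text):
    """Turn exported event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "doc": m.group(3), "user": m.group(4), "host": m.group(5), "printer": m.group(6),
        })
    return events


def suspicious_senders(events, window=timedelta(minutes=10), threshold=3):
    """Map (user, host) -> largest number of random-named jobs inside any `window`,
    for senders that reach `threshold`. A single odd name stays below the bar."""
    by_sender = defaultdict(list)
    for ev in events:
        if RANDOM_NAME.match(ev["doc"]):
            by_sender[(ev["user"], ev["host"])].append(ev["time"])
    flagged = {}
    for sender, times in by_sender.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if t - start <= window)
                   for i, start in enumerate(times))
        if best >= threshold:
            flagged[sender] = best
    return flagged


def hosts_contacting_watched(text):
    """Map source IP -> set of watched destination hosts it reached."""
    hits = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        src, dst = parts[2], parts[4]
        if dst in WATCHED_HOSTS or dst.endswith(".itmages.ru"):
            hits[src].add(dst)
    return dict(hits)


if __name__ == "__main__":
    for (user, host), n in suspicious_senders(parse_print_log(PRINT_LOG)).items():
        print(f"burst of {n} random-named jobs from {user} on {host}")
    for src, dsts in hosts_contacting_watched(FW_LOG).items():
        print(f"{src} contacted {', '.join(sorted(dsts))}")
```

The two checks are deliberately kept independent: the print-log burst is the stronger signal on this page (one poster pulled 30 days of firewall logs and found no traffic to either host), so absence of firewall hits does not clear a machine that the print log implicates.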



  • 11.  RE: Print server gone wild

    Posted Jun 12, 2012 08:52 AM

    great information, thank you. So here is a question. Let's say that I'm getting alerts for print spool files, but I don't have printers spewing out pages of gibberish, nor did they go to the websites indicated above. What does this indicate? Is it possible these are false positives?



  • 12.  RE: Print server gone wild

    Posted Jun 12, 2012 08:53 AM

    Brandon,

       Any update?  We are killing many trees.



  • 13.  RE: Print server gone wild

    Posted Jun 12, 2012 09:49 AM

    We are seeing no activity to either of these sites from affected PCs. We just pulled the firewall logs for the last 30 days, as well as our web-filter appliance, and find no PCs accessing either site. Nor any site @ *.*.itmages.ru

    We have gone ahead and blocked the base domain, but based on non-existent traffic I don't see this having any impact



  • 14.  RE: Print server gone wild

    Posted Jun 12, 2012 09:50 AM

    You will have to read your logs carefully. We are catching a few from misconfigured printers (permissions issues). The ones that are an issue are fairly obvious. They come in large bursts.



  • 15.  RE: Print server gone wild

    Broadcom Employee
    Posted Jun 12, 2012 10:13 AM

    By all reports, the Packed.Generic detections are working well and are successful at cleaning up the dropper for this threat. Once you have updated to Certified definitions from June 11 and run a scan this should resolve nearly all the issues out there.

    If, after updating and scanning, you are continuing to see Adware.Eorezo and Trojan.Milicenso detections or are still seeing your printer spewing ASCII symbols, then we need to talk. Please open a Support case.

    At this point our focus is collecting and adding any undetected samples and getting the dropper decomposed to provide a thorough technical analysis.

    @annoyed_user  
    We haven’t seen any FPs on this. Likely you do not have a print spooler that is configured or capable of printing out any ‘ol file that gets dumped in the right folder. This only seems to be the case with a few printer drivers out there.

    @mnorman
    If you're still having this issue after updating and scanning then we may have a different issue or you might be one of the lucky few with an unusual variant. Please open a Support case and let's take a look. Please ask the agent assisting you to contact me for direction. Thanks!



  • 16.  RE: Print server gone wild

    Posted Jun 12, 2012 12:52 PM

    Hi, since Thursday I have had problems with this virus. I have the antivirus suite and it only detected the virus on the print server. The virus is Trojan.Milicenso, a very old virus. The virus on the infected machine that sent the print jobs was never detected. The infected machine doesn't have any hidden scheduled tasks. I opened an incident with local support and don't have any information about this problem. I am checking the connections to the RU domains. It is incredible to receive this type of virus problem in environments with a lot of firewall, antivirus and antispam solutions.



  • 17.  RE: Print server gone wild

    Broadcom Employee
    Posted Jun 12, 2012 01:25 PM

    @annoyed_user

    You're not alone in suspecting an FP. I initially thought so too and started researching this issue as the same. But it's not. I wouldn't expect you to see any of the indicators mentioned on our Threat Expert page because the Adware.Eorezo is not actually executing that I have seen.

    The infection mechanism is what we are working on and detecting with the "Packed.Generic" detections, in most cases. We don't know much more than that since we have been unable to open one of the files or been able to make it run in the lab. No evidence to support that it's a worm and not a downloader or a dropper, but again we just don't know yet. Do you have a Support case opened with us?

    @Chompi

    Trojan.Milicenso detection has been updated 4 times in the last week. It's not an old threat that was missed, but a new variant of an old threat family. Same with the Eorezo variants.



  • 18.  RE: Print server gone wild

    Posted Jun 12, 2012 01:27 PM

    Interesting.  I'm working on getting the quarantine directories from the machines now.  If you want them, I'll get them over to you.   As of right now, all of our alerts are for Adware.Eorezo located at C:\Windows\System32\spool\PRINTERS\FP00000.SPL...no generic.packed detections at all. 

    Without other confirmations of infection, such as the traffic to the image websites or pop-ups from Adware.Eorezo, I'm not too sure I believe these alerts.

    START EDIT::

    I have been able to confirm, the files in the print spool directory have an md5 of e864689c6897dab7daa727f2ab70ef5a

    So it would appear these are not FP... I'm starting to believe you more :-)

    Is there any indication on how this is spreading, or what the initial downloader is?

    END EDIT::


    You've said that the payload is Adware.Eorezo and jpegs from specific sites, but I see no additional indications of "Adware.Eorezo" on the machines that generated alerts, when I search for indicators from http://www.threatexpert.com/report.aspx?md5=8e7f696549b9f4d409a3fcd51f8e3e30

    It's almost like the detection for "Adware.Eorezo" is based on a string of characters in the spool file, or something that is kinda "loose"...

    thoughts?

    Also, is there any idea on what the infection mechanism is? Is there evidence to support USB devices spread it or network shares, etc?



  • 19.  RE: Print server gone wild

    Posted Jun 12, 2012 03:04 PM

    Confirm that I found the infected DLL file on two desktops that were infected. The DLL file name is perfflltp.dll and it was located in the personal user profile in c:\..... \data programs. The infected file was detected after upgrading the client's antivirus library. The name of the found virus is Packed.Generic.371. We are on the way to safety!!

    The incident was opened in Argentina.



  • 20.  RE: Print server gone wild

    Posted Jun 12, 2012 05:21 PM

    Hi,

    to say that it is a very old virus, have you checked the MD5 of the malicious file against any library of threats? Just a check on when the (family) threat name has been created is not technically correct.

    In modern threat landscape, having a multi-level security solution made by several components (firewall, AV, etc.) is crucial to automate most of the protection; unfortunately user's education is still the weakest point of the IT security and threats are leveraging on it much more than anything else, it is much easier to have a user clicking on a link than breaking thru your firewalls to enter in your network.



  • 21.  RE: Print server gone wild

    Posted Jun 13, 2012 05:28 AM

    hmm interesting, never had this kind of issue below.


    might come from drive-by download/bad ads ?




  • 22.  RE: Print server gone wild

    Broadcom Employee
    Posted Jun 13, 2012 05:18 PM

    Wednesday Update

    Cleanup seems to be proceeding well and we haven’t heard of any customers that are still seeing this issue on a large scale. Most customers are reporting a few machines infected by the dropper (Packed.Generic detections) component. It's these few machines that are causing the printer spool issues. So it definitely looks like we are on the downhill side of this thing.

    There are still some droppers out there with different packers and we will need to add detection on these as we get them. If we aren’t detecting the dropper you will want to log in as the user who created the print jobs and check the following reg key:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    You're looking for entries that look like this:
    rundll32 "C:\WINNT\system32\thutsdg.dll",Pbzxhvpe

    OR

    rundll32 “C:\Users\u412263\AppData\Roaming\WOFFxb.dll,RTYIGnyt

    Please submit these to Symantec Security Response and we will continue to expand detection

    We were able to get through the encryption last night and confirm that it was a Trojan responsible for downloading the adware with some interesting encryption but really not anything special in its actual actions. Security Response plans to have a more in-depth blog out on this later. Security Response Blog

    I would personally like to thank the folks that have helped supply the hard data it took to crack this one. Both the ones on this post and the ones calling into Support.

    Thanks!
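The Run-key check in the post above can be turned into a repeatable triage step. The following is an added example and not code from the thread or from Symantec: it parses `rundll32` autostart entries into DLL path and export name, then flags entries whose DLL sits in a user-writable directory or whose DLL or export name is vowel-starved gibberish like the two samples quoted above. The sample entries, the directory markers, the vowel-ratio heuristic and its thresholds are assumptions of this example; the NVIDIA-style and Sidebar lines are constructed benign entries so the heuristics have something to pass. `read_run_key` reads the live key with the standard-library `winreg` module and therefore only works on Windows; the rest runs anywhere.

```python
import re

# Constructed Run-key entries. The two rundll32 lines follow the shape of the
# entries quoted in the thread; the other two are ordinary-looking autostart
# entries included as benign input for the heuristics.
SAMPLE_RUN_ENTRIES = [
    ("NvCplDaemon", r"RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup"),
    ("Sidebar", r'"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun'),
    ("thutsdg", r'rundll32 "C:\WINNT\system32\thutsdg.dll",Pbzxhvpe'),
    ("WOFFxb", r'rundll32 "C:\Users\u412263\AppData\Roaming\WOFFxb.dll,RTYIGnyt'),
]

# Tolerates the missing closing quote seen in the second sample from the thread.
RUNDLL_RE = re.compile(r'^\s*rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)', re.IGNORECASE)
# Directories an unprivileged user can write to; a Run entry loading a DLL from
# one of them deserves a look regardless of its name. Assumed list for this example.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_rundll_entry(command):
    """Return (dll_path, export_name) for a rundll32 command, else None."""
    m = RUNDLL_RE.match(command)
    return (m.group(1), m.group(2)) if m else None


def looks_random(token, max_vowel_ratio=0.2, min_letters=6):
    """Vowel-starved alphabetic tokens such as 'thutsdg' or 'Pbzxhvpe'. A heuristic
    tuned to the thread's samples, not a classifier: treat hits as triage input."""
    letters = re.sub(r"[^A-Za-z]", "", token)
    if len(letters) < min_letters:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in letters)
    return vowels / len(letters) <= max_vowel_ratio


def triage_run_entries(entries):
    """Return the rundll32 entries worth examining, each with the reasons."""
    findings = []
    for name, command in entries:
        parsed = parse_rundll_entry(command)
        if parsed is None:
            continue  # not a rundll32 entry; out of scope for this check
        dll_path, export = parsed
        stem = dll_path.replace("/", "\\").rsplit("\\", 1)[-1][:-4]  # drop ".dll"
        reasons = []
        if any(marker in dll_path.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append("DLL in user-writable location")
        if looks_random(stem):
            reasons.append("random-looking DLL name")
        if looks_random(export):
            reasons.append("random-looking export name")
        if reasons:
            findings.append({"name": name, "dll": dll_path, "export": export, "reasons": reasons})
    return findings


def read_run_key(hive="HKLM"):
    """Read the live Run key on Windows via the stdlib winreg module (not used by the
    offline sample). Log in as the user who created the print jobs and also pass
    hive="HKCU" so their per-user Run key is covered."""
    import winreg
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    entries = []
    with winreg.OpenKey(root, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            entries.append((name, str(value)))
            index += 1
    return entries


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{f['name']}: {f['dll']},{f['export']} -> {'; '.join(f['reasons'])}")
```

Flagged entries are candidates for the sample submission the post asks for, not verdicts: the thresholds are tuned to the two quoted names, and a legitimate vendor entry with an unusual export name can still score. The DLL path, not the key name, is what to collect.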



  • 23.  RE: Print server gone wild

    Broadcom Employee
    Posted Jun 14, 2012 11:45 AM

    Good morning,

    This should be my last post on this issue, unless we see a re-emergence.
    Symantec has posted a KB doc for this issue, here: http://www.symantec.com/docs/TECH190982

    We will continue to monitor the issue and will provide additional analysis as we have it.
    Please be sure to open a Support case if you have any continuing issues or questions, and tell them I sent you!

    Thanks again



  • 24.  RE: Print server gone wild

    Posted Jun 16, 2012 08:21 AM

    Malware is causing network printers to print random ASCII characters
    Article: TECH190982   |  Created: 2012-06-14   |  Updated: 2012-06-14   | 
    Article URL http://www.symantec.com/docs/TECH190982 



  • 25.  RE: Print server gone wild

    Posted Jun 21, 2012 12:00 PM


  • 26.  RE: Print server gone wild

    Posted Jul 04, 2012 05:22 AM


  • 27.  RE: Print server gone wild

    Posted Jul 05, 2012 07:19 AM