  (Source: NBC Universal)
Printing appears to be an inadvertent side effect, not an intended end goal

Trojan.Milicenso, first discovered in 2010, has grown into a wondrous piece of malware with a set of defense mechanisms that reminds one of state-created malware like Stuxnet.  However, this piece of malware is clearly the work of freelance black hats, who use the clever package to deliver popular malware payloads, like Adware.Eorezo, an adware targeting French-speaking users.

The malware's methods of hiding itself start with its update procedure.  The program sends only encrypted requests to its attack servers, obscuring the stolen details it has logged, and the files returned to it are encrypted as well to preserve secrecy.

The malware DLL also uses heavy-duty 16-byte RC4 encryption to keep its code from being reverse engineered.  It also contains clever, and rather unique, code to detect whether it is running on a virtual machine, a known public malware sandbox, or a black-boxing site such as ThreatExpert.

Printbomb
The trojan suppresses itself when on black boxes/VMs. [Image Source: Symantec]

These precautions might have let the Trojan escape detection or analysis by security professionals, were it not for an inadvertent error, much like Stuxnet's, which caused the malware to announce its own presence.

In Stuxnet's case the red flag was failed code meant to confine the virus geographically to Iranian IPs.  In Trojan.Milicenso's case it is an executable .spl (spool) file named [DRIVE_LETTER]\system32\Spool\PRINTERS\[RANDOM].spl, which leads the infected machine to print pages of garbage -- a paper salesman's dream.
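As an added defensive example (not from the article, Symantec or SANS), a Python check that flags .spl files in a print spool directory which carry a PE executable header instead of print data; the spool path, file names and sample bytes below are constructed for the demonstration.

```python
"""Flag spool files that are really PE executables (added defensive example)."""
import struct
import tempfile
from pathlib import Path

# Constructed stand-ins for files in <drive>:\Windows\system32\Spool\PRINTERS.
# A PE image starts with "MZ" and stores the offset of its "PE\0\0" signature
# at byte 0x3C (e_lfanew); here the signature is placed at offset 0x80.
CONSTRUCTED_PE_SPL = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)  # DOS header, e_lfanew = 0x80
    + b"\x00" * 64 + b"PE\x00\x00" + b"\x00" * 32
)
# Arbitrary non-executable bytes standing in for an ordinary print job.
CONSTRUCTED_BENIGN_SPL = b"\x10\x00\x00\x00" + b"EMF spool data (constructed)"
SAMPLES = {
    "00004.SPL": CONSTRUCTED_BENIGN_SPL,
    "x9q2k.spl": CONSTRUCTED_PE_SPL,  # constructed "random" name for a dropped binary
}

def looks_like_pe(data: bytes) -> bool:
    """True if the bytes carry a consistent DOS/PE header pair."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Validate the offset before indexing so a corrupt header cannot mislead us.
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def scan_spool(directory: Path) -> list[str]:
    """Return names of .spl files in the directory that are actually PE images."""
    flagged = []
    for path in sorted(directory.iterdir()):
        if path.suffix.lower() != ".spl" or not path.is_file():
            continue
        if looks_like_pe(path.read_bytes()):
            flagged.append(path.name)
    return flagged

def demo_scan() -> list[str]:
    """Write the constructed samples to a temporary spool directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        spool = Path(tmp)
        for name, blob in SAMPLES.items():
            (spool / name).write_bytes(blob)
        return scan_spool(spool)

if __name__ == "__main__":
    print("suspicious spool files:", demo_scan())
```

Pointing `scan_spool` at the real PRINTERS directory on a suspect host gives a quick triage signal; a hit is worth submitting to the antivirus vendor rather than just deleting.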

Despite the profit potential for the paper industry (at the expense of the trees, of course), it does not appear that outcome was intentional.  The malware authors went to great lengths to hide their program, but the mystery auto-printing allowed Symantec Corp. (SYMC) researchers to identify and quantify this latest variant.

Symantec and other antivirus providers have updated their software to detect and remove some variants of this Trojan.  However, new versions with garbage padding to escape detection have been popping up, so we may be hearing about this merry printing virus for a while yet.

Sources: Symantec, SANS


Just profit
By wifiwolf on 6/25/2012 5:59:33 PM , Rating: 2
Gone is the time when virus crafting was for fame. Now just profit.




RE: Just profit
By mindless1 on 6/25/2012 7:40:39 PM , Rating: 3
Yeah, I'm sure the author(s) own all the paper companies. Or not.


RE: Just profit
By Ammohunt on 6/26/2012 2:39:11 PM , Rating: 2
Famous for going to jail? Ask OJ how that worked out for him.


I'm not worried
By jemix on 6/25/2012 10:53:49 PM , Rating: 2
The article mentions that this trojan lies dormant when it determines that it is running on a virtual machine in order to avoid detection.

That's fine. But how does it cope with the fact that every time I power down the VM, it reverts to the last snapshot?

Sure, I may never know that the VM was infected, but who cares?




RE: I'm not worried
By Solandri on 6/26/2012 3:16:12 PM , Rating: 2
quote:
The article mentions that this trojan lies dormant when it determines that it is running on a virtual machine in order to avoid detection.

Another possible work-around (one that I'm moving more towards, though not for anti-virus reasons) is to just run all your productivity apps inside virtual machines. Your main OS is just a hypervisor which manages the VMs. All your real work is done within the VMs.


Heavy-Duty?
By Trisped on 6/27/2012 9:51:58 AM , Rating: 2
quote:
The malware DLL also uses heavy-duty 16-byte RC4 encryption
A 128-bit RC4 cipher, with all the documentation about how bad its key generator is and its known exploits, is heavy-duty? I guess I need to kick up my security, because I have been using normal-duty encryption for things I would not even consider RC4 for.