Malware infection forces printers to print garbled data, researchers say

New Trojan.Milicenso variants can cause printers to print an executable file

Printers connected to Windows computers infected with new variants of a malware program called Trojan.Milicenso will automatically print out pages full of garbled data, according to security researchers from antivirus firm Symantec.

On June 9, the SANS Internet Storm Center (ISC) reported on recently observed print bomb attacks that involved printers automatically printing what seemed to be the contents of an executable file.

The SANS ISC's experts obtained a copy of the printed file and determined that it was a part of an adware program -- a program designed to display ads without authorization -- detected by some antivirus products as Adware.Eorezo.

Security researchers from Symantec also investigated reports of unauthorized printouts and found that the Adware.Eorezo file was being dropped on affected computers by new variants of Trojan.Milicenso.

Trojan.Milicenso first appeared in 2010, but a new outbreak has been recorded during the past two weeks, Symantec's security response team said in a blog post on Thursday. "Our telemetry data has shown the worst hit regions were the US and India followed by regions in Europe and South America."

The Symantec researchers believe that Adware.Eorezo, which redirects users to a French-language website, is being used by Trojan.Milicenso as a decoy to distract attention from itself.

Trojan.Milicenso is distributed in several ways: as a malicious email attachment, as a drive-by download launched from compromised websites or as a fake codec advertised by social engineering scams, the Symantec researchers said.

After it infects a computer, the malware drops a copy of Adware.Eorezo as a randomly named .spl file (Windows Printer Spool File) in the default Windows printer spool directory -- %SystemRoot%\system32\spool\printers. Despite the .spl extension, the rogue file is actually an executable.

The spool directory temporarily holds copies of files that printers are scheduled to print. Even though some printers allow users to specify a custom spool directory, many configurations use the default Windows one.

This causes printers attached to computers infected with new Trojan.Milicenso variants to automatically print the contents of the rogue .spl file, sometimes until their paper runs out.
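As an added illustration of the behaviour described above (not code from Symantec, SANS ISC or the original article), the following Python check flags .spl files in a spool directory whose contents are actually Windows PE executables. The sample file names and the helper that builds them are constructed for the example.

```python
import os
import struct
import tempfile
from pathlib import Path

# Default spool directory named in the article; the C:\Windows fallback is an assumption.
DEFAULT_SPOOL = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "system32" / "spool" / "printers"


def is_pe_executable(path):
    """Return True if the file has a DOS 'MZ' header pointing at a 'PE\\0\\0' signature."""
    try:
        with open(path, "rb") as fh:
            dos_header = fh.read(0x40)
            if len(dos_header) < 0x40 or dos_header[:2] != b"MZ":
                return False
            # e_lfanew: little-endian offset of the PE header, stored at 0x3C.
            (pe_offset,) = struct.unpack_from("<I", dos_header, 0x3C)
            fh.seek(pe_offset)
            return fh.read(4) == b"PE\x00\x00"
    except OSError:
        return False  # locked or unreadable spool file: skip it, do not crash


def find_executable_spool_files(spool_dir=DEFAULT_SPOOL):
    """List .spl files in spool_dir whose content is a PE executable."""
    spool_dir = Path(spool_dir)
    if not spool_dir.is_dir():
        return []
    candidates = (p for p in spool_dir.iterdir() if p.is_file() and p.suffix.lower() == ".spl")
    return sorted(p for p in candidates if is_pe_executable(p))


def build_constructed_samples(directory):
    """Write two constructed files: a harmless PE-shaped stub and a text print job."""
    stub = bytearray(0x44)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    Path(directory, "FP00001.SPL").write_bytes(bytes(stub))
    Path(directory, "FP00002.SPL").write_bytes(b"%!PS-Adobe-3.0\n% constructed print job\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_samples(tmp)
        for hit in find_executable_spool_files(tmp):
            print(f"PE executable with .spl extension: {hit}")
```

On a Windows host, calling find_executable_spool_files() with no argument checks the default spool directory and typically requires administrative rights to read it.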

"Based on what we have discovered so far, the garbled printouts appear to be a side effect of the infection vector rather than an intentional goal of the author," the Symantec researchers said.

On Thursday, researchers from SANS ISC discovered a new variant of this Trojan program with a very reduced antivirus detection rate, suggesting that the

Users who observe this type of unauthorized printer behavior are advised to scan their computers with an antivirus program capable of detecting and removing Trojan.Milicenso and Adware.Eorezo.
