The Milicenso trojan responsible for triggering garbled print jobs across the US, Europe and India is spreading through at least 4,000 compromised websites, according to Symantec.
Symantec identified the trojan in late June after numerous reports to the SANS Institute that enterprise printers were inexplicably printing garbled text until the paper tray had expired.
The unwanted print jobs were an unintended consequence of the Trojan, during which it creates a .spl print spooler file during the infection phase. The file is actually an adware program Symentec labels “Eorezo”.
Symantec describes the trojan as a bot-for-hire, designed to download additional files to the victim’s computer.
The 4,000 compromised websites are mostly sites for SMBs sites, but also some government, telecom and financial services, according to Symantec.
The attackers are spreading the trojan by misusing the configuration file “.htaccess” on web servers, which can, for example, legitimately redirect mobile device visitors to a mobile site, but are redirecting visitors via an emailed link or search engine result, to a malicious site.
“The malicious site may then download more threats onto the compromised computer by exploiting certain vulnerabilities,” says Symantec security response member, Kaoru Hayashi.
Hayashi advised web administrators to delete the .htaccess file and replace it with a clean back up.
Symantec has also added a new Intrusion Prevention System signature to counter the redirect.
Contact Stilgherrian at Stil@stilgherrian.com or follow him on Twitter at @stilgherrian