Security Researchers: Recent Rogue Printing Incidents Linked to Second Malware Program

By Lucian Constantin, 4-Jul-2012

The propagation routine of the W32.Printlove worm can cause the printing of useless data, Symantec researchers say.

A computer worm that propagates by exploiting a 2010 Windows vulnerability is responsible for some of the recent incidents involving network printers suddenly printing useless data, according to security researchers from Symantec.

Many companies have reported unauthorized printing incidents in recent weeks, prompting antivirus firms to investigate the possible causes.

On June 21, Symantec reported that the rogue printouts were the result of computers being infected with a Trojan program called Trojan.Milicenso.

However, the company's researchers have since determined that the propagation routine of a separate piece of malware, a worm called W32.Printlove, can cause similar problems, Symantec researcher Jeet Morparia said Monday in a blog post.

W32.Printlove infects other computers on the local network by exploiting a remote code execution vulnerability in the Microsoft Windows Print Spooler service that was patched in September 2010. Identified as CVE-2010-2729, this vulnerability was also exploited by the Stuxnet industrial sabotage worm to spread.

W32.Printlove infects other computers on the local network by exploiting a remote code execution vulnerability in the Microsoft Windows Print Spooler service that was patched in September 2010.

The rogue printing behavior can occur when W32.Printlove unsuccessfully attempts to infect a Windows XP computer connected to a shared network printer.

The worm starts by sending a print request to a targeted computer that is specifically crafted to exploit the CVE-2010-2729 vulnerability. If the exploitation attempt is successful, a copy of the malware is dropped in the Windows system directory and then executed.

However, if the system is patched against CVE-2010-2729, a copy of the worm is created in the computer's printer spool directory -- %SystemRoot%\system32\spool\printers -- as a randomly named .spl (Windows Printer Spool) file.

The computer interprets the creation of this file as a new print job and instructs the network printer to print the file's contents, therefore wasting paper and toner.

Because the worm periodically retries to infect a system, the rogue printing behavior will be repeated until all network computers are cleaned, Morparia said. "Tracking down the source of these junk print jobs can be more complicated when there are multiple infections on the network."

Fortunately, the failed infection attempts leave behind .shd files in the printer spool directory that contain details about printing jobs, including the names of computers that initiated them. Administrators can inspect SHD files with a free tool called SPLViewer after shutting down the Print Spooler service, Morparia said.

The W32.Printlove worm might be linked to the previously reported Trojan.Milicenso, Morparia said. "We intend to continue our investigation to confirm any relationship between the two threats."

Source: IDG News Service

LATEST NEWS

  • AMD may Build ExactTrak Data-zapping into its Chips, to Compete with Intel vPro

    AMD said Thursday that it signed a deal with ExactTrak to embed the security company's technology inside its microprocessors. While no new products accompanied the announcement, the deal leaves open the possibility that AMD-based PCs could be remotely zapped--yes, literally--by users or network administrators.

  • Intel to Close $15 bn (about Rs 90,000 crore) Deal to buy Altera

    California based global tech giant, Intel, is set to close a deal to buy fellow chip maker Altera Corp. for about $54 (about Rs 3,480) per share, 15 percent more than Altera’s closing share price on Thursday, $47 (about Rs 2,620).

  • Server Sales Bolstered by Cloud Expansions

    Server vendors recorded the strongest shipment growth in over four years for the first quarter, mainly driven by continued investments in the hyperscale server infrastructures that power public and private clouds.

  • Salesforce Doubles Down on Big Data with New Analytics Tool

    All the data "lakes" in the world won't amount to much if you can't figure out what they mean for your business. With that in mind, Salesforce on Thursday unveiled Salesforce Wave for Big Data, a new tool designed to help business users make sense of their information stores using the Salesforce Analytics Cloud.

More news »