A week ago we mentioned a print bomb malware specimen doing the rounds, with a gradually improving AV detection ratio. However, we are receiving reports (thanks, Conor!) of variants of what looks like the same malware with a very low AV detection ratio (0/37), so do not relax your defenses.
VirusTotal: https://www.virustotal.com/file/90910a49226f6488de42d27ac1b347c68a0d5a9c1b070bf5dfdaea8ac368cfc9/analysis/1340227448/
This new sample, called xpsp4ress.dll, is stored in C:\Windows\System32 and creates a scheduled task in Windows with what seems to be a random name (e.g. UUSCPK), running C:\WINDOWS\system32\rundll32.exe 'C:\WINDOWS\system32\xpsp4ress.dll'. Then it seems to propagate by looking for shared folders and/or printers (sometimes the DLL or EXE ends up in the spool queue and as a result reproduces the observed garbage printing behavior).
Some of the domains that have been identified when the malware phones home (C&C) are:
hxxp://http://somethingclosely.com
hxxp://ads.alpha00001.com
hxxp://storage1.static.itmages.ru
hxxp://storage5.static.itmages.ru
Look for them in your logs. There is a related write-up available from Symantec: http://www.symantec.com/business/support/index?page=contentid=TECH190982
The beauty of this unexpected malware behavior is that it can easily be detected across the organization's printers and print servers, although at the expense of wasting precious paper, and trees as a consequence. Let's save the planet! ... and don't forget this is a good opportunity to evaluate the security of your printing architecture (network isolation, access controls, printer management, etc.).
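As an added example (not part of this diary), a small Python hunt that applies the two indicators above on the defender's side: it flags proxy log lines whose host is one of the listed C&C domains, and flags scheduled tasks whose action runs rundll32.exe with xpsp4ress.dll, parsed from `schtasks /query /fo csv /v` output. The proxy log layout, the schtasks column names and all sample data are assumptions constructed for the example.

```python
import csv
import io
import re
from urllib.parse import urlsplit

# C&C domains listed in the diary, with the "hxxp://" defanging removed for matching.
C2_DOMAINS = {"somethingclosely.com", "ads.alpha00001.com",
              "storage1.static.itmages.ru", "storage5.static.itmages.ru"}

# rundll32.exe loading the dropped DLL, whatever the quoting or path casing.
DLL_PATTERN = re.compile(r"rundll32\.exe.*xpsp4ress\.dll", re.IGNORECASE)

def find_c2_hits(log_lines):
    """Assumed proxy format: '<timestamp> <client_ip> <method> <url> <status>'.
    Returns (line_number, host) for every line whose host is a C&C domain or a subdomain of one."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip it rather than abort the hunt
        host = (urlsplit(parts[3]).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
            hits.append((number, host))
    return hits

def find_suspicious_tasks(schtasks_csv):
    """Parse 'schtasks /query /fo csv /v' output (column names assumed) and return
    the names of tasks whose 'Task To Run' runs rundll32.exe with xpsp4ress.dll."""
    reader = csv.DictReader(io.StringIO(schtasks_csv))
    return [row["TaskName"] for row in reader
            if DLL_PATTERN.search(row.get("Task To Run", ""))]

# Constructed sample data: three proxy lines and a two-task schtasks export.
SAMPLE_LOG = [
    "2012-06-20T10:01:02 10.0.0.15 GET http://www.example.com/index.html 200",
    "2012-06-20T10:01:05 10.0.0.15 GET http://ads.alpha00001.com/get.php?id=1 200",
    "2012-06-20T10:01:09 10.0.0.22 GET http://storage5.static.itmages.ru/i/x.png 200",
]
SAMPLE_SCHTASKS = (
    '"HostName","TaskName","Next Run Time","Status","Task To Run"\n'
    '"WS01","\\UUSCPK","N/A","Ready","C:\\WINDOWS\\system32\\rundll32.exe '
    "'C:\\WINDOWS\\system32\\xpsp4ress.dll'\"\n"
    '"WS01","\\Defrag","N/A","Ready","C:\\WINDOWS\\system32\\defrag.exe C:"\n'
)

if __name__ == "__main__":
    print(find_c2_hits(SAMPLE_LOG))       # [(2, 'ads.alpha00001.com'), (3, 'storage5.static.itmages.ru')]
    print(find_suspicious_tasks(SAMPLE_SCHTASKS))  # ['\\UUSCPK']
```

On a real host, feed `find_suspicious_tasks` the output of `schtasks /query /fo csv /v` and `find_c2_hits` your proxy export, adjusting the field index to your log format.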
----
Raul Siles
Founder and Senior Security Analyst with Taddong
www.taddong.com (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.