Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

‘Printer Bomb’ Malware Spread Via Compromised .htaccess Files, Says Symantec

In late June, Symantec reported on a form of malware that had been launching junk print jobs and wasting paper until the printer runs out. Symantec calls the malware Milicenso, or the “Printer Bomb”, and code examination marks it as a variant of a malware delivery system discovered in 2010.

In late June, Symantec reported on a form of malware that had been launching junk print jobs and wasting paper until the printer runs out. Symantec calls the malware Milicenso, or the “Printer Bomb”, and code examination marks it as a variant of a malware delivery system discovered in 2010. Think of it as a malware system for hire, Symantec explained, noting that the payload most commonly associated with this Milicenso is Adware.Eorezo; an adware targeting French speaking users.

Symantec Today, after conducting additional research on Trojan.Milicenso, Symantec determined that the threat is propagated by a compromised .htaccess file that launches a redirection Web attack. So far, Symantec has been able to count at least 4,000 websites that have been compromised by the cybercriminal(s) behind the attacks.

In simple terms, as Symantec explains, an .htaccess file is configuration file used by Web servers that enable administrators to set certain controls such as restricting access to certain Web pages, redirecting access from mobile devices to special sites, etc.

“In order to monitor network traffic to legitimate websites, attackers (and some exploit kits) break into vulnerable Web servers and modify the .htaccess file,” Symantec explained.

For this .htaccess file redirection attack, Symantec outline the process as follows:

1. When a user clicks the link for the website, the Web browser accesses the compromised website.

2. The Web server then redirects the access to a malicious website based on the .htaccess file.

3. The malicious site may then download more threats onto the compromised computer by exploiting certain vulnerabilities

In an effort to hide modifications made to the .htaccess file, Symantec noticed that the attackers inserted more then 800 empty lines of code both above and below the configuration settings in the file. Additionally, as Symantec reported in early analysis of the malware, it keeps itself encrypted to hinder analysis, and it goes through some internal system checks in order to ensure that the malware isn’t running on a VM or analysis engine such as Threat Expert.

Symantec’s research showed that the attack dated back to at least 2010, and the attacker(s) used different domain names to prevent them from being blocked or blacklisted. “In 2010 and 2011, the gang moved to a new domain every few months. But in 2012, they changed domains almost every day,” Symantec’s Kaoru Hayashi explained in a blog post.

“Within the last three days, we have identified approximately 4,000 unique, compromised websites that redirect users to malicious websites,” Hayashi added. “Most of the compromised websites are personal or SMB segment websites; but government, telecom, and financial service websites have also been compromised.”

A diagram from Symantec illustrating the infection process is below.

Trojan.Milicenso Malware

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...