Researchers at Symantec have reported about a Trojan, called the Milicenso, which is causing havoc across the globe. It is doing so by commanding printers to print ‘garbage characters’, until they run out of paper, reports the Symantec blog. Symantec suggests that this may not be its actual purpose, but a side effect. Milicenso was first identified in 2010. It uses a number of methods to spread like e-mail attachments and scripts hosted on websites. The Trojan’s payload is often associated with Adware.Eorezo, a piece of adware that’s designed to target French users. The countries affected by the malware are the U.S., India and also a few countries in Europe and South America.
Areas affected by malware
“Trojan.Milicenso may arrive on a compromised computer by various means, such as malicious email attachments or visiting websites hosting malicious scripts. The latter often unintentionally occurs when a user clicks a link in an unsolicited email. We have also encountered quite a large number of samples that appear to be packaged as a fake codec. The Trojan creates and executes a dropper executable, which in turn creates a DLL file in the %System% folder. The dropper executable then deletes itself,” reveals the Symantec blog.
Trojan strategically places a number of .exe and .dll files in various locations, such as System, Program Files, and Temp folders. The threat also checks to be sure that it’s not being executed in a virtual machine or a sandbox. “What is really interesting here is that most sandbox detection/check routines are used as a protection mechanism to enable a threat to hide itself or thwart analysis. However, in this case despite detecting the presence of a sandbox the threat, instead of ceasing all activity, actually performs certain specific activities, such as contacting sites,” explain the researchers. The file is digitally signed using a certificate that belongs to Agence Exclusive. However, researchers are unsure about the Agence Exclusive’s existence as either this organization no longer exists, or it never existed.
It also performs activities specific to the Eorezo adware, to distract attention from itself and avoid analysis. This Trojan has been designed to steal information. “Depending on the configuration, any files, including binary files, created in that folder will trigger print jobs. This explains the reports of unwanted printouts observed in some compromised environments,” experts said.
The report further states, “We continue to analyze new samples related to this threat and will update our protection coverage as needed. Even as we go to press with this report, we have just learned that SANS have posted further information about a new variant of Trojan.Milcenso. This variant has been modified with garbage padding in the executable designed to help it avoid detection. This goes to show the malware authors are still hard at work trying to spread their warez. Rest assured we are just as determined to stop them. As always, be sure to follow best security practices, and keep your security product updated with the latest definitions.”
Publish date: June 23, 2012 2:07 pm| Modified date: December 18, 2013 10:35 pm