Possible malware infection: Network printers are spewing gibberish
I need advice on how to deal with an apparent malware infection that's causing most (or maybe all) of the network printers to print gibberish pages.

I'm the sole IT administrator for a small-to-medium-sized organization with about 100 employees. We have about 80 workstations running Windows 7. The antivirus product is ESET Endpoint Antivirus ver. 6.2.

For the past couple of days, a few people mentioned to me that when they arrive in the morning, they find their output trays filled with print-outs that look like this.

At first, I thought only two printers were affected, but now it seems like most of the network printers are doing this. The USB printers are not affected. The main Xerox WorkCentre multifunction device is not affected. Most of the affected printers are HPs, but one is a Muratec. In some printers, it's just a couple of pages. On other printers, it's a whole big stack of output. Most pages have just a single line of random characters at the top of the page. The problem doesn't seem to happen during the workday.

A Google search turns up information about a trojan called Milicenso. It seems like there was an "epidemic" of outbreaks back in 2012. I searched Twitter but didn't find anything recent.

I checked the server logs for our antivirus product, but there was nothing remarkable there. I'm currently running a full scan of our file server/domain controller, but nothing has come up yet. I also ran a Malwarebytes scan on the file server, and it came up clean. When everyone goes home, I'll start a full scan on all the client PCs.

I submitted a ticket to ESET but haven't heard back yet. I also contacted the vendor that handles our managed print services, but they were clueless -- said that we're on our own for this one.

This is obviously worrisome. Anybody have experience with something like this?
Did the printer drivers get updated?
Check Driver... is it using PCL or PostScript?
Is your network behind a firewall? If not, do the printers have for-real IP addresses? If they do, it's possible that someone's just running crap through it via the Internet. It is (or, at least, it used to be) pretty trivially easy to find network printers that were hooked to networks that were wide-open to the Internet, which you could then add as printers to your computer and then pump whatever through them. (This seems to be less common now, as most people have figured out that allowing direct access to your network via the Internet is a not-great thing usually.)

Outside of that, nthing that the output really does look like something got jammed in the queue that's PCL where it should be PostScript. Sometimes printers choke on processing jobs like that so if it got queued up late in the day it might have just started processing and didn't get done with it until after hours.
Another vote for PostScript vs PCL driver error.
I could believe the driver mismatch theory. But if you're concerned about what's going on in your network:

If you can add an IDS to the network (Security Onion makes this somewhat painless), you can get insight as to whether there's suspicious activity going on in your network.

If your switch saves netflow (or you can enable it going forward), that might also help you see what systems are communicating with the printers after hours.
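An added example, not part of the original thread: one way to run the flow check suggested above, listing hosts that reach several printers on print ports outside working hours. The CSV layout, IP addresses, work-hours window and function name are assumptions made for illustration; the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not a real NetFlow export format):
# start time, source IP, destination IP, destination TCP port, bytes
SAMPLE_FLOWS = """\
2016-03-01T10:15:02,10.0.0.21,10.0.0.201,9100,48211
2016-03-01T14:40:10,10.0.0.34,10.0.0.202,9100,120554
2016-03-02T01:12:40,10.0.0.5,10.0.0.201,9100,64
2016-03-02T01:12:41,10.0.0.5,10.0.0.202,9100,64
2016-03-02T01:12:43,10.0.0.5,10.0.0.203,515,60
2016-03-02T01:12:44,10.0.0.5,10.0.0.203,9100,64
2016-03-02T01:13:00,10.0.0.5,10.0.0.10,445,60
2016-03-02T22:05:17,10.0.0.34,10.0.0.202,9100,30110
"""

PRINTERS = {"10.0.0.201", "10.0.0.202", "10.0.0.203"}  # assumed printer IPs
PRINT_PORTS = {9100, 515, 631}   # raw/JetDirect, LPD, IPP
WORK_HOURS = range(7, 19)        # assumed workday: 07:00-18:59, Mon-Fri


def after_hours_printer_talkers(flow_csv, min_printers=3):
    """Return {source: sorted printers} for sources that reached at least
    min_printers distinct printers on a print port outside work hours."""
    touched = defaultdict(set)
    for ts, src, dst, dport, _bytes in csv.reader(io.StringIO(flow_csv)):
        when = datetime.fromisoformat(ts)
        if dst not in PRINTERS or int(dport) not in PRINT_PORTS:
            continue  # not print traffic to a known printer
        if when.weekday() < 5 and when.hour in WORK_HOURS:
            continue  # normal daytime printing
        touched[src].add(dst)
    return {s: sorted(p) for s, p in touched.items() if len(p) >= min_printers}


if __name__ == "__main__":
    for src, printers in after_hours_printer_talkers(SAMPLE_FLOWS).items():
        print(f"{src} contacted {len(printers)} printers after hours: {printers}")
```

A single source touching many printers with tiny flows at night points to a scanner or sweep rather than a user print job; lowering `min_printers` to 1 also surfaces individual late-night jobs.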
Update from the non OP:
The problem has been solved. It was caused by AlienVault, a security application that I deployed recently. It scans the network nightly. It turns out that causing gibberish output is a known side-effect. See:


Thanks anyway for the tips.
Glad it was solved!

I came in to add that they've recently begun scanning ports at my workplace and it causes the printers to print pages (ours are mainly "HELP" and non-gibberish protocol names, though). It's irritating, but we just shred the pages as we see them.
