
Wednesday 18 July 2012

A new worm: "THE PAPER EATER"




Hey guys... I'm back with this interesting news...
Symantec has announced the discovery of a new worm that sends "trash" print jobs to your printer.
The security vendor identifies this worm as W32.Printlove. The malware exploits the Microsoft Windows Print Spooler Service remote code execution vulnerability (CVE-2010-2729), which was discovered back in 2010.
The worm behaves differently on computers that have installed the update for CVE-2010-2729 and on those that have not. Symantec's experts tested the threat in a simple network of two computers and a network printer connected through a switch.
Computer A configuration: Windows XP Professional. The update that fixes CVE-2010-2729 is installed, and the machine is infected with W32.Printlove. No local or shared printer is connected to this PC.
Computer B configuration: Windows XP Professional. In the first scenario the update is not installed; in the second it is. A network printer is connected to this machine and shared publicly.
Computer A must have permission to send print jobs to computer B. Guest access to shared printers is enabled by default in Windows XP; on later operating systems, computer A must authenticate to computer B.
Here are two scenarios in which the threat can operate:
1. W32.Printlove, running on computer A, searches the network for shared print resources. Once it finds one, it sends itself to computer B using a StartDocPrinter request. The print spooler vulnerability allows a file submitted in a print request to be copied to any folder. The threat runs successfully on computer B by exploiting this vulnerability.

Figure 1: The first scenario, remote code execution

2. W32.Printlove, running on computer A, behaves the same way and passes its code to computer B. Since the update is installed on computer B, the worm cannot exploit the vulnerability. The fix prevents a print request from writing the file to an arbitrary folder (that is, from printing to a file). As a result, the worm cannot copy itself to the system directory and set up autostart through the exploit. Instead, it is saved in computer B's print spooler as an .SPL file. Computer B then starts printing the file on its attached shared printer. Figure 2 shows scenario 2.

Figure 2: The second scenario, the print job

W32.Printlove keeps a connection to the remote computer and periodically tries to infect it again using the print spooler vulnerability. Computers can be re-infected, and multiple "trash" print jobs sent from different computers can occur until the worm is fully removed from the network. Tracking down the source of unwanted prints can be much more complicated when multiple infections are present on the network. Network administrators can identify infected PCs by looking at the .SHD files in the print spooler folder of the computer that shares the printer.
SHD files are created by the operating system and contain detailed information about the print request. To view them you can use SPLViewer. Because these files are in use by the print spooler, the spooler service must first be stopped. Administrators can detect the compromised computer from the Computername field (Figure 3), which identifies the source that sent the print job.

Figure 3: SPLViewer shows where a print job came from
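As an added defensive example (not from the original post or from Symantec), here is a Python triage script that follows the administrator's check above: it pulls the UTF-16LE strings out of the .SHD files in a spool folder and counts print jobs per originating computer name, so that a host submitting many jobs stands out. It assumes the Computername field is stored as a UTF-16LE string starting with two backslashes and does not parse the real SHD structure; the sample spool folder and its contents are constructed, and on a real system the Print Spooler service must be stopped before the files are read.

```python
import os
import re
import tempfile
from collections import Counter

# A run of at least 6 printable ASCII characters encoded as UTF-16LE.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def utf16_strings(data: bytes) -> list:
    """Extract printable UTF-16LE strings from a binary blob (no SHD structure parsing)."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def shd_origins(spool_dir: str) -> dict:
    """Map each .SHD file in spool_dir to the UNC-style host names found inside it."""
    # Assumption: the originating computer name (the Computername field shown in
    # SPLViewer) is stored as a UTF-16LE string beginning with two backslashes.
    origins = {}
    for name in sorted(os.listdir(spool_dir)):
        if not name.lower().endswith(".shd"):
            continue  # .SPL files hold the job data, not the job metadata
        with open(os.path.join(spool_dir, name), "rb") as fh:
            hosts = [s for s in utf16_strings(fh.read()) if s.startswith("\\\\")]
        origins[name] = hosts
    return origins


def suspicious_sources(spool_dir: str, threshold: int = 2) -> dict:
    """Count print jobs per originating host; hosts at or above threshold get triaged first."""
    counts = Counter()
    for hosts in shd_origins(spool_dir).values():
        for host in set(hosts):
            counts[host] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def build_sample_spool() -> str:
    """Constructed sample spool folder: fake shadow files, NOT the real SHD layout."""
    spool = tempfile.mkdtemp()
    jobs = {"00001.SHD": "\\\\PC-A", "00002.SHD": "\\\\PC-A",
            "00003.SHD": "\\\\PC-B", "00001.SPL": "\\\\PC-A"}
    for fname, host in jobs.items():
        blob = (b"\x00" * 16 + "print.exe".encode("utf-16-le") + b"\x00\x00"
                + host.encode("utf-16-le") + b"\x00\x00")
        with open(os.path.join(spool, fname), "wb") as fh:
            fh.write(blob)
    return spool


if __name__ == "__main__":
    folder = build_sample_spool()
    print(shd_origins(folder))
    print(suspicious_sources(folder))  # prints {'\\\\PC-A': 2}
```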
Trash printing is the flip side of fixing CVE-2010-2729 on computers attacked by W32.Printlove. Users of Symantec products are already protected against this threat if they are using the latest virus definition updates.
There may be a connection between Trojan.Milicenso and W32.Printlove, but at the moment it is not confirmed. Symantec's team of specialists continues to investigate to determine the possible relationship between these two threats.
