Over the past two weeks, an outbreak of Trojan.Milicenso has resulted in multiple reports of massive print jobs being sent to print servers, printing garbage characters until the printer runs out of paper. Our telemetry data has shown the worst hit regions were the US and India followed by regions in Europe and South America. We originally encountered Trojan.Milicenso in 2010 and our initial investigation had shown that this was basically a malware delivery vehicle for hire. The payload that is most commonly associated with this latest version is Adware.Eorezo; an adware targeting French speaking users.
Figure 1. Telemetry data showing the affected areas
Trojan.Milicenso may arrive on a compromised computer by various means, such as malicious email attachments or visiting websites hosting malicious scripts. The latter often unintentionally occurs when a user clicks a link in an unsolicited email. We have also encountered quite a large number of samples that appear to be packaged as a fake codec.
The Trojan creates and executes a dropper executable, which in turn creates a DLL file in the %System% folder. The dropper executable then deletes itself. The following is a list of the file names created:
- %System%\[RANDOM FILE NAME].exe
- %ProgramFiles%\[EXISTING FOLDER NAME]\[RANDOM FILE NAME].exe
- %Temp%\[RANDOM FILE NAME].exe
- %System%\[RANDOM FILE NAME].dll
- %ProgramFiles%\[EXISTING FOLDER NAME]\[RANDOM FILE NAME].dll
- %Temp%\[RANDOM FILE NAME].dll
The main body of the dropped DLL is heavily encrypted and to make analysis more difficult, the decryption key itself is encrypted using a value that is unique to the compromised computer. In this case, the unique value is 16 bytes in length and is generated using the time when the System and System Volume Information folders were created. This unique value is used to encrypt the main DLL decryption key, which is then embedded in the DLL file. The key is used to perform a permutation box in the encrypted executable. In addition to the use of RC4 encryption, what is also noteworthy is that there are several routines that are specifically dedicated to identifying whether the execution environment is related to a virtual machine or known public malware sandbox or black-boxing site such as ThreatExpert
Figure 2. Sandbox and virtual environment checks
The threat also checks for the presence of certain system drivers that are known to be associated with virtual machine installations.
Figure 3. Checks for virtual machine drivers
What is really interesting here is that most sandbox detection/check routines are used as a protection mechanism to enable a threat to hide itself or thwart analysis. However, in this case despite detecting the presence of a sandbox the threat, instead of ceasing all activity, actually performs certain specific activities, such as contacting sites. These actions are associated with Adware.Eorezo and it seems that it is using the adware as a decoy to distract attention from itself, thereby attempting to avoid malware analysis as this would categorize it as low risk and be dismissed.
On execution, the threat retrieves the creation times of the System and System Volume Information folders to generate the unique value, which is the same operation conducted when the Trojan was installed. It then uses the unique value to decrypt the main decryption key, which is subsequently used to decrypt and execute the body of the Trojan.
Figure 4. Example of the unique values used by the threat
The Trojan encrypts the gathered information and sends it to a remote attacker encoded in the file name of an HTTP GET request. The requested file returned by the server is encrypted malicious code.
Figure 5. Encrypted malicious code sent by the server
The Trojan may create the following registry entries, so that it runs every time Windows starts:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"[RANDOM VALUE]" = "[PATH TO TROJAN EXECUTABLE]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM VALUE]" = "[PATH TO TROJAN EXECUTABLE]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"[RANDOM VALUE]" = "[PATH TO TROJAN EXECUTABLE]"
The Trojan stores information in the following registry subkeys:
- HKEY_LOCAL_MACHINE\SOFTWARE\[RANDOM VALUE]
- HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- HKEY_CURRENT_USER\ Software \Microsoft\Multimedia
One of the dropped files is an executable file identified as Aware.Eorezo and is identical to one of the files downloaded from the following locations:
The file is digitally signed using a certificate belonging to Agence Exclusive. The certificate expired in January 2012 and as such verification of the digital signature fails. At this time, we are unable to find evidence of Agence Exclusive’s existence, indicating that this organization either no longer exists, or never existed. The dropped executable file has only one purpose: decrypt a URL and run ShellExecute command to cause the explorer process to start and open the decrypted URL.
It accesses the following URL:
This domain redirects traffic to another ad-related URL that redirects to a different ad URL and ultimately a random site is opened in the browser. In our investigation, we observed various French sites being displayed at the end of the redirect chain.
After all this, you may be wondering what makes this threat a paper salesman’s dream come true, and here’s why. During the infection phase, a .spl file is created in [DRIVE_LETTER]\system32\Spool\PRINTERS\[RANDOM].spl. Note the Windows’ default print spooler directory is %System%\spool\printers.
The .spl file, while appearing to be a common printer spool file, is actually an executable file and is detected as Adware.Eorezo. Depending on the configuration, any files, including binary files, created in that folder will trigger print jobs. This explains the reports of unwanted printouts observed in some compromised environments. Based on what we have discovered so far, the garbled printouts appear to be a side effect of the infection vector rather an intentional goal of the author.
We continue to analyze new samples related to this threat and will update our protection coverage as needed. Even as we go to press with this report, we have just learned that SANS have posted further information
about a new variant of Trojan.Milcenso. This variant has been modified with garbage padding in the executable designed to help it avoid detection. This goes to show the malware authors are still hard at work trying to spread their warez. Rest assured we are just as determined to stop them. As always, be sure to follow best security practices, and keep your security product updated with the latest definitions.
Symantec currently has the following antivirus signatures to detect the files associated with this threat: