Is it okay to talk about potential security risks in general on this forum? I have a fairly thorough knowledge of how networked printers function, and I don't want to make things worse for everyone than they already are by explaining how this may be happening.
Though the hackers would likely know all that I would be writing here anyway.
We had a total of 5 workstations send out print jobs. We scanned all of them and found nothing; it drops its payload and poof... We found one PC that had the scheduled tasks but had failed to run, as the file in my previous post was missing.
The trojan is called Vundo.gen.ft. McAfee have now identified it and released a DAT edition which does detect and delete it; they have now also released a fix in SuperDAT 6737, and 6738 is now out.
McAfee states the Vundo variant should be caught by DAT 6737 which was released on Saturday. The latest Stinger is detecting the trojan, but unable to clean. Uploaded sample to McAfee and waiting to hear back.
The PC was printing to all printers in the domain. We removed it from the network and could not find anything in startup, tasks, etc. McAfee gave us an extra.dat; we ran a scan and it found Vundo.gen.ft and deleted it. We have since updated to SuperDAT 6738 and put the machine back on the network, no problems so far, touch wood.
We are having this issue as well; here's what we know:
McAfee's DATs/Extras do not appear to be effective (we previously thought they were with the Extras provided and new DATs)
Appears to be enumerating print servers and printers identified on the network (Windows print server)
Infected systems are not showing symptoms (we need to trace back to the source system using SHD files on the print server)
Appears to have a timer mechanism (waits a period of time and then spams)
For a period of time when our Extras were working, we had reporting on when we had the issue and where it was occurring in the ePO console, as I wrote a report on the detection.
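The post above notes that infected workstations show no local symptoms and have to be traced back from the print server. An added example of that trace, not from anyone in this thread: instead of reading SHD spool files by hand, it reads the print server's own job log (Microsoft-Windows-PrintService/Operational, event ID 307, one entry per completed job) and lists the client machines that submitted an abnormal number of jobs to many printers in a short window. It assumes that log is enabled on the print server (it is off by default; `wevtutil sl Microsoft-Windows-PrintService/Operational /e:true` turns it on) and that the script runs there with rights to read it; the window size and threshold are placeholder values to tune for your site.

```powershell
# Added example: rank print clients by job volume to find a spamming workstation.
# Assumed values: a 10-minute look-back window and 50 jobs as the alert threshold.
param(
    [int]$WindowMinutes = 10,
    [int]$Threshold     = 50
)

$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PrintService/Operational'
    Id        = 307            # "Document ... was printed on ..." (one per job)
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No event 307 entries in the last $WindowMinutes minutes (is the Operational log enabled?)"
    return
}

# Event 307 parameters, in order: JobId, DocumentName, UserName, ClientMachine,
# PrinterName, Port, SizeBytes, Pages. Verify on your server with
# (Get-WinEvent ... -MaxEvents 1).Properties if the layout ever differs.
$jobs = foreach ($e in $events) {
    $p = $e.Properties
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Client   = $p[3].Value      # \\HOST or IP that submitted the job
        User     = $p[2].Value
        Printer  = $p[4].Value
        Document = $p[1].Value
    }
}

# A spammer submits many jobs, usually the same document, to many printers.
$jobs | Group-Object Client | Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        [pscustomobject]@{
            Client    = $_.Name
            Jobs      = $_.Count
            Printers  = ($_.Group.Printer  | Sort-Object -Unique).Count
            Documents = ($_.Group.Document | Sort-Object -Unique).Count
            Users     = ($_.Group.User     | Sort-Object -Unique) -join ','
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    } | Sort-Object Jobs -Descending | Format-Table -AutoSize
```

A client with a high job count, a single document name and a printer count close to the total number of queues is the machine to pull off the network and scan; the FirstSeen column also gives you the moment the timer fired, which is a useful pivot when searching that host's scheduled tasks and file timestamps.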
Does anyone know how they think this walked in? Email/website?