Interesting twist to Printer Security

I got this off of one of the SANS email lists. Most likely the malware is just running a port scan and hits port 9100 on the printer, which triggers a bunch of junk to print out. Well, that’s my guess. But I got a kick out of the editor’s note about how this could indirectly be intentional to cause a demand on ink, which would cause a print company’s profits to go up (thus stock). Read up about it below.

-Malware Side Effect Causes Printers to Spew Reams of Adware Code (June 22 & 25, 2012) A new strain of malware is launching inadvertent print bomb attacks against Windows computers. The malware, known as Trojan.Milicenso, causes printers connected to infected computers to print out page after page of what appears to be nonsense. Researchers determined that the data are part of an adware program. The malware has been detected most frequently in the US and India, as well as parts of Europe and South America. The printing appears to be a side effect of the infection rather than part of a deliberate payload. The goal of the malware appears to be depositing the adware on the computers. Milicenso has been around since at least 2010 and is a known “malware delivery vehicle for hire.”

Internet Storm Center posts:

https://isc.sans.edu/diary.html?storyid=13405

https://isc.sans.edu/diary.html?storyid=13519

http://www.computerworld.com/s/article/9228464/Malware_infection_forces_printers_to_print_garbled_data_researchers_say?taxonomyId=17

http://news.cnet.com/8301-1009_3-57459098-83/is-your-printer-spewing-gibberish-could-be-malware/

http://www.zdnet.com/blog/security/thousands-of-office-printers-hit-by-gibberish-malware/12550?tag=mantle_skin;content

http://www.bbc.co.uk/news/technology-18547935

http://www.theregister.co.uk/2012/06/22/trojan_spews_gibberish_print_runs/

[Editor’s Comment (Northcutt): Inadvertent, side effect, hmmmm. Maybe things have changed, but the old school investigation of cyber crimes had a North Star rule: follow the money; find who benefits? HP printer ink is one of the priciest liquids on planet earth. And those ink jet cartridges are good for only a few hundred pages or perhaps a little more? HPQ sells a lot of ink and it is mostly in volumes of one or two cartridges; really hard to track who bought it, who got hurt.  Scenario:

HPQ printer division has a banner quarter that causes the company to beat analyst estimates. This results in the stock going up .35 cents on earnings news. The writers of the worm have an options play that pays in phases. They use each phase to fund the next buy. It is the perfect crime because it is nearly undetectable... well, unless the malware gets detected and people start thinking about what it can be used for.]
