Symantec has announced the discovery of a new worm, which launches “trash” print jobs. Symantec identifies the worm as W32.Printlove. This malware exploits a vulnerability in Microsoft Windows Print Spooler Service Remote Code Execution (CVE 2010-2729), which was discovered back in 2010.

The worm behave differently on computers with installed update for CVE 2010-2729 vulnerability and on without such update. Symantec Experts have tested this threat in a simple network of two computers and a network printer that is connected through the switch.

• Computer Configuration A: Windows XP Professional. The computer was updated with the CVE 2010-2729 patch and was infected with W32.Printlove. A local or network printer was not connected.
• Computer Configuration B: Windows XP Professional. In the first scenario, the computer runs without update, and in the second, it is updated. A network printer open for public access is connected.

Computer A must have permission to send print jobs to computer B. Guest access to shared printers in Windows XP is enabled by default; in newer operating systems, computer A must be authenticated by the computer B.

There are two scenarios in which the threat may work:

• W32.Printlove running on computer A will look for network print resources. When such discovered, it sends itself to computer B, using the StartDocPrinter query. The vulnerability of the print bufferallows for copying of whatever file a request transmitted to the printer to any folder. The malware successfully runs on your computer, taking advantage of this vulnerability.
• W32.Printlove running on computer A, behaves this way and passes its code to the computer B. Since computer B has the update, the worm can not exploit the vulnerability. The principle of the corrected vulnerability does not allow print queries to transfer files to any folder (that is printing to file). This prevents the worm from copying itself to the system directory and autostarting itself using the exploit. Instead, it is saved in the printer buffer folder on computer B as .spl-file. After that, computer B will start printing the file on a shared printer attached.

W32.Printlove retains the connection to a remote computer, and periodically tries to infect it using the vulnerability of the print buffer. Computers can be infected again,  and there may be multiple “trash” printings that are sent from different computers until the worm is fully removed from the network. Tracking the source of unwanted prints can be much more complicated in the case of multiple infections present on the network. Network administrators can identify infected PCs looking for .shd-files in the printer buffer folder on the computer, which provides connection to a public printer.

SHD files are created by the operating system and contain detailed information about the request to the printer. To view them, you can use SPLViewer. Because the data files are used by the print buffer service, the service must be first stopped. Administrators are able to detect the compromised computer by the Computername field, which allows you to identify the source sending the print job. Trash printing is the side  effect of eliminating CVE 2010-2729 vulnerabilities on a computers attacked by W32.Printlove.

According to experts, there might be a connection between Trojan.Milicenso and W32.Printlove, but at the moment it is not confirmed. A team of specialists in Symantec continues to investigate to determine the possible relationship of these two threats.

Hard times are coming to those who like to abuse copy machines, soon they’ll have to look for workaround. And all because Canon Japan together with Hitachi introduces a new security system for office printers based on biometric human parameters. Simply put, now to scan or print a document, you will need to confirm you identity with a fingerprint.

The creators claim that the technology isneeded to patch the vulnerabilities that are characteristic for access with password or magnetic cards. Indeed, a sheet of paper with a password scribbled on it or a card may be dropped anywhere, but you can hardly leave your thumb on the table.

The company is planning to introduce the technology into operation on the basis of Canon imageRUNNER ADVANCE line of multifunction printers. Estimated cost of the devices is about $1460. Protected printers will be available on the Japanese market any day. Perhaps, the technology will find its place in other markets, in addition to printer access security.

Previously we reported the discovery of yellow dots made by color laser printers and the reaction of European Union Committee on this issue.

A study done by Electronic Frontier Foundation finds that most color laser printers add an identifying code on every page you print. This code is actually microscopic yellow dots printed on each page in a grid pattern. Normally these dots are invisible to the naked eye and can only be seen using a blue LED light.

The information in the yellow dots varies, some have just the serial number of the printer and others also have the date printed. On the picture below you can see the date and time when page was printed and the serial number of the printer.

Originally the technology was implemented to help secret services track and find counterfeiter who use color laser printers to forge money or securities. But now that color laser printers are becoming more affordable and more user gets them home, these tracking dots are making privacy advocates worry.

“There’s nothing about this technology that limits its application to counterfeit investigations,” stated Seth Schoen with the Electronic Frontier Foundation. “Some people who aren’t doing anything wrong may have their privacy threatened.”

You may know that DMCA (Digital Millennium Copyright Act) prohibits your downloading and sharing any copyrighted material – pirated movies, music, book, TV shows, etc. If your computer IP is detected to take part in such activity, your ISP will receive a DMCA takedown notice – a formal message to report infringing content. The ISP will, in turn, warn your or whoever is know to be associated with detected IP to stop illegal activities. Briefly, this is how copyrights holders protect their intellectual property.

What does it have to do with printers, you may ask?

I’ll tell you what. Some guys (two teacher and a student namely) from University of Washington examined BitTorrent file-sharing networks using specially designed BitTorrent clients to monitor the traffic on these networks. They didn’t actually upload or download any files, but somehow the researchers received over 400 takedown requests. Each of those notices was a false positive accusing them of copyright infringement. The results of the study show that virtually any Internet user has a risk of receiving the DMCA takedown notice.

It still has nothing to do with printers, you may remark.

Yes, but we are almost there. The researchers say in the study that of all the numerous takedown notices they received, 13 were issued for 3 laser printers and a wireless access point. Interesting, right?

The results of the study make it clear that being an advanced user you can make your printer download movies for you and come out clean. On the other hand, the study shows how inconclusive is the method used to identify infringing BitTorrent users.

So if your ISP forwards you a takedown notice, cast the blame on your printer.