Symantec researchers have determined that the Milicenso trojan (also known as the Printer Bomb) is downloaded by an .htaccess redirection web attack that has infected at least 4,000 websites.
Symantec researcher Kaoru Hayashi explained that .htaccess is a configuration file for web servers that can be used by administrators to control network traffic. To monitor traffic to legitimate websites, attackers hack into vulnerable servers and modify the .htaccess file.
In the course of performing malicious activity, the Printer Bomb malware can trigger a massive printing job that results in printing garbage characters until the printer runs out of paper.
Hayashi detailed the infection flow of the Printer Bomb malware: 1) When a user clicks the link for the website, the web browser accesses the compromised website; 2) the web server then redirects the access to a malicious website based on the .htaccess file; and 3) the malicious site may then download more threats onto the compromised computer by exploiting certain vulnerabilities.
“Within the last three days, we have identified approximately 4,000 unique, compromised websites that redirect users to malicious websites. Most of the compromised websites are personal or SMB segment websites; but government, telecom, and financial service websites have also been compromised”, he related.
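For administrators checking a server for the kind of .htaccess redirection described above, the following added example (not code from Symantec or from the original article) audits an .htaccess file for directives that send visitors to a host outside the site's own. The function names, the choice of Apache directives to inspect, and the example.org / example.net sample are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Apache directives whose arguments can name a redirect target (assumed scope).
REDIRECTING = {"rewriterule", "redirect", "redirectmatch",
               "redirectpermanent", "redirecttemp", "errordocument"}

def is_own(host, own):
    if host.startswith("%{"):        # server variable, e.g. https://%{HTTP_HOST}/
        return True
    return any(host == h or host.endswith("." + h) for h in own)

def audit_htaccess(text, own_hosts):
    """Return one finding per directive that redirects to a host outside own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings, conds, pending = [], [], ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):      # Apache joins lines ending in a backslash
            pending = line[:-1] + " "
            continue
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        name = tokens[0].lower()
        if name == "rewritecond":    # conditions guard the next RewriteRule
            conds.append(line)
            continue
        if name in REDIRECTING:
            for tok in tokens[1:]:
                tok = tok.strip("\"'")
                if re.match(r"https?://", tok, re.I):   # first absolute URL is the target
                    host = urlparse(tok).hostname or ""
                    if host and not is_own(host, own):
                        findings.append({"line": lineno, "directive": tokens[0],
                                         "host": host, "conditions": list(conds)})
                    break
        if name == "rewriterule":
            conds = []
    return findings

# Constructed sample for illustration, not taken from the campaign described above.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
Redirect 301 /old https://www.example.org/new
RewriteCond %{REQUEST_URI} !^/static/
RewriteRule ^.*$ http://redirector.example.net/in.php [R=302,L]
ErrorDocument 404 http://redirector.example.net/in.php
"""
```

Calling `audit_htaccess(SAMPLE, ["example.org"])` reports the directives on lines 6 and 7 and leaves the HTTPS-enforcement rule and the same-site redirect alone. Any finding is a prompt to compare the file against a known-good copy.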