[Dshield] Known instances of malware using printers as an attack vector?

Open Phugu openphugu at gmail.com
Wed Feb 28 03:48:01 GMT 2007


On 2/27/07, ed.truitt at etee2k.net <ed.truitt at etee2k.net> wrote:
> I have been asked to look into whether our network printers present a
> level of risk to the network that is higher than has been the case in
> previous years.  In order to answer that question, I was wondering if
> anyone has solid evidence of the following:
>
> * Malware (of whatever type) that actually attacks printers, or uses a
> vulnerability found on a network printer to propogate
I have not heard of any malware that exploits printers, but again, i
might be wrong

What I do know, is that their TCP/IP stacks are not very secure, in
the sense that their TCP sequence numbers are not random, and that
their IPIDs are sequential. The fact that they generate sequential
IPIDs can be *very* useful for an attacker to exploit to ``proxy'' a
port scan. Called ``Idle Scanning'', this technique depends on
sequential IPIDs. The net effect is that an attacker can port scan a
computer while making it seem that the printer is scanning the
computer. See http://insecure.org/nmap/idlescan.html for more
information.


More information about the list mailing list