RE: Nimda affecting HP LaserJet / JetDirect devices?

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Sun Sep 23 2001 - 09:35:38 PDT


    Richard.Grantat_private wrote:
    
    > We have no less than 20 Lexmark printers that were infected.  ...
    
    **Infected** ???
    
    It seems unlikely that a network interface for any printer would be 
    implemented on a 386+ running NT 4.0 or Win2K and with IIS as its web 
    management interface.  As those are the platform requirements for 
    infection via Nimda's HTTP scanning distribution mechanism, I doubt 
    you really mean "infected"...
    
    > ...  In every case
    > they did not have up-to-date firmware. This started with Code Red and has
    > continued with Nimda. There are some notable differences though, Code Red
    > just started the printers sending out large quantities of packets. The Nimda
    > infected machines are searching for Web servers.  ...
    
    That does sound weird.
    
    > ...  In both cases upgrading the
    > firmware and restarting the printer has solved the problem.  ...
    
    So, how big is a ROM image for these things -- with IIS running on NT 
    or Win2K, they can't be small!
    
    > ...  So far we have
    > not had any of our HP's infected by Nimda as they were by Code Red.  ...
    
    Isn't that because HP's network interfaces are implemented as Linux 
    on PowerPC with Apache for the web management interface?
    
    > ...  This is
    > what we have found..
    
    No -- that is what you reported.
    
    We're still in the dark about what you found.
    
    However, I'll hazard a guess about what you found.  Your IDS 
    flagged some "odd" traffic coming from your printers as Nimda.  At a 
    real stretch, I'll guess this traffic was a variation on the events 
    Dave Taylor and Brian Marshall have reported of some Macs "bouncing" 
    Nimda HTTP probes back to the originating machines (it could be as 
    simple, depending on the IDS and the Nimda signature, as the 
    printer's web interface returning a "not found" error page that 
    included the requested URL).  Remember, IDSes are fairly blunt and 
    broad brush tools at the best of times, and doubly so in 
    inexperienced hands.
    
    Please folks -- if you see something odd or weird that you are not sure 
    about, post a description of what happened, what you did and what 
    you saw, then ask if anyone knows what's going on.
    
    For now, rumours of Nimda "infecting" Lexmark printers are 
    exaggerated.
    
    
    Regards,
    
    Nick FitzGerald
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
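The false-positive mechanism Nick guesses at above (a printer's "not found" page echoing the probe URL back, and a blunt IDS rule attributing the echo to the printer) can be shown with a small constructed check. This is an added example, not code from the list or from any vendor; the signature string and the traffic records are constructed stand-ins, since the post does not show the real IDS rule.

```python
from dataclasses import dataclass

# Constructed signature fragment standing in for the IDS's real Nimda rule
# (an assumption; the list post does not quote the actual signature).
NIMDA_PATTERN = "cmd.exe?/c+dir"

@dataclass
class HttpRecord:
    src: str          # host that sent these bytes
    dst: str          # host that received them
    is_request: bool  # True for client->server, False for a server reply
    payload: str      # the HTTP bytes as text

def naive_alerts(records, pattern=NIMDA_PATTERN):
    """Blunt rule: pattern anywhere in any payload -> alert on the sender."""
    return [r.src for r in records if pattern in r.payload]

def request_line_alerts(records, pattern=NIMDA_PATTERN):
    """Direction-aware rule: only the request line of client->server
    traffic counts, so an echoed URL in a reply body never fires."""
    hits = []
    for r in records:
        if not r.is_request:
            continue
        request_line = r.payload.split("\r\n", 1)[0]
        if pattern in request_line:
            hits.append(r.src)
    return hits

# Constructed traffic: a scanning host probes the printer's web interface
# and the printer's 404 page repeats the requested URL in its body.
PROBE = HttpRecord("10.0.0.5", "10.0.0.9", True,
    "GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\nHost: 10.0.0.9\r\n\r\n")
ERROR_PAGE = HttpRecord("10.0.0.9", "10.0.0.5", False,
    "HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>The requested URL /scripts/cmd.exe?/c+dir "
    "was not found on this server.</body></html>")
RECORDS = [PROBE, ERROR_PAGE]

if __name__ == "__main__":
    # The blunt rule blames the printer too; the careful rule blames only the scanner.
    print("naive:", naive_alerts(RECORDS))                 # ['10.0.0.5', '10.0.0.9']
    print("request-line:", request_line_alerts(RECORDS))   # ['10.0.0.5']
```

The second alert from the blunt rule is exactly the kind of event that would get a printer reported as "infected" when it has only answered a probe.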
    



    This archive was generated by hypermail 2b30 : Sun Sep 23 2001 - 10:15:49 PDT