alt.hn

5/17/2025 at 5:44:50 AM

Procolored printer drivers contained malware

 https://www.neowin.net/news/this-printer-company-served-you-malware-for-months-and-dismissed-it-as-false-positives/

by bundie

5/19/2025 at 8:14:20 AM

SnipVex clipjacking wallets is almost beside the point, the real failure is a printer vendor treating software like a side gig. Printer and hardware companies get a pass on basic infosec hygiene that would be unacceptable for open source maintainers.

until that changes, airgap your weird hardware setups I guess

Also this is a perfect storm for lateral movement. USB-borne worms still work frighteningly well in small biz environments, especially ones with no centralized IT and people plugging printers directly into Windows desktops with admin perms. Here SnipVex is just a cherry on top-a nice, opportunistic payload for the growing class of infostealers targeting crypto wallets

by canvascritic

5/19/2025 at 9:03:03 AM

> a printer vendor treating software like a side gig

This is a chronic problem with hardware vendors.

Source: Software developer for hardware companies, for over 30 years.

by ChrisMarshallNY

5/19/2025 at 9:11:14 AM

> basic infosec hygiene that would be unacceptable for open source maintainers

Opensource printer stack is a legacy mess. There is critical vulnerability almost every year. There are not enough money or developers to fix that!

by throw903332

5/19/2025 at 9:41:59 AM

The printer stack as a whole is a legacy mess.. I have an easier time getting a 3D printer to work than any inkjet machine

by juliangmp

5/19/2025 at 9:58:56 AM

Maybe I got lucky, but in 2017 I bought a Brother DCP-L2520DW laser printer. No matter what OS, computer or network I connect it to, it seems to just work for everyone involved, always, and I don't think I've had a single issue with it since I got it nor did anything at all to set it up, basically installed CUPS on my desktop to get it to work and for Windows/macOS it just works.

Not affiliated, just happy user, at least some companies seem to be able to deal with it, regardless if it's open source (my stack) or not (my wife's Apple-stack).

by diggan

5/19/2025 at 10:35:01 AM

I've bought almost the same model but a few years later. I also enjoy how effortless is connecting this printer to Linux. I have to install brlaser driver manually though.

But I did some research before buying (including here on HN) and Brother printers were praised for being reliable and having no problems with Linux drivers.

by anticodon

5/19/2025 at 10:16:55 AM

There has been a strong push by OS makers to unify and simplify printer interfaces to the point that they should not require special drivers.

But this process is still ongoing and lazy hardware vendors will continue to be lazy in their switch, if they have the option.

by Avamander

5/19/2025 at 5:05:08 PM

Brother lasers are the cheat mode for cheap quality prints with no BS.

by Suppafly

5/19/2025 at 9:24:16 AM

> Opensource printer stack is a legacy mess.

I don't necessarily disagree, but isn't this because of extremely bad firm/soft/hardware design by the printer companies that then have to be supported by the open source stack?

by aaviator42

5/19/2025 at 2:19:43 PM

> Opensource printer stack is a legacy mess. There is critical vulnerability almost every year. There are not enough money or developers to fix that!

Maybe true, but no live trojans either, so it's ahead of the game already as I see it.

by ajross

5/19/2025 at 10:12:24 AM

What are we talking about here?

by Avamander

5/19/2025 at 9:57:07 AM

Unintentionally spreading malware is bad enough, but blindly dismissing reports as false positives is really bad. Verify first.

by mcv

5/19/2025 at 10:32:21 AM

No, you do not understand Help Desk Level I Troubleshooting.

The steps are invariably:

- Turn it off then turn it back on again

- Force stop, clear your cache and cookies

- Disable AV and firewall then reinstall

If the user cannot be induced to follow this simple script, then we can never move past the most basic of troubleshooting sessions.

Because everyone knows that troubleshooting is about covering up the symptoms rather than diagnosing the root cause.

by AStonesThrow

5/19/2025 at 2:59:47 PM

Have you worked at a Help Desk? It’s shocking how often those dumb questions reveal what’s really going on. Fake but realistic examples:

- chrome doesn’t work! (It was actually Microsoft word)

- my printer won’t print! (Out of paper)

- your program keeps crashing! (No, that’s the os reminding you of a security update)

by shermantanktop

5/19/2025 at 7:18:21 PM

They do happen all the time, though. One piece of software I work on frequently fails in CI when a dependency updates because it often triggers defender's automated "new threat" detection system some days after it's released. After another week or so it's fine, but it's a pain the neck.

by rcxdude

5/19/2025 at 10:14:01 AM

Verify how?

Go look at the "build log" in your compromised jenkins server and download the (already compromised) build artifact and make sure it matches the mega.co.nz file?

Do you expect the average software engineer to be able to look at a .exe, pull up a disassembler, and know that all the assembly maps back to the source code?

by TheDong

5/19/2025 at 2:36:28 PM

The person who originally reported it was not super technical so if your software engineer can’t reproduce the customers steps to see the same error then you probably need better software engineers.

by hnlmorg

5/19/2025 at 11:02:41 PM

You say "Jenkins server" as if there's a CI setup involved.

I wouldn't be surprised if, in many cases, these companies just have whoever touched the code last run a build on their computer and ship that. (Which probably explains how some of the malware got there.)

by duskwuff

5/19/2025 at 10:26:11 AM

It's not hard to replicate downloading a zip archive from the official location and find someone knowledgeable to look at it if you aren't yourself. A non-software-engineer did just that.

by lores

5/19/2025 at 9:07:09 AM

> While some redditors speculate that the trojan was planted on purpose, there is no evidence to support this claim. Outdated malware with an inactive command-and-control server is not advantageous for any attacker nor does superinfection make sense for this scenario. A far more plausible explanation points to the absence or failure of antivirus scanning on the systems used to compile and distribute the software packages. Procolored promises to improve this process, so that it cannot happen again.

That this system is so insecure as to be hit multiple times, I don't know how much stock anyone should put in "improved processes". This is a company who seems to have gone out of their way to create an insecure environment - probably out of some frustration, but all the same, insecure.

by shakna

5/19/2025 at 2:08:47 PM

> Procolored promises to improve this process, so that it cannot happen again.

Given their lax security posture, can we really trust this promise? I'd demand, at minimum, a pinky swear.

by pavel_lishin

5/19/2025 at 5:59:30 PM

The improved process likely involved legal adding a clause to some sort of EULA that renders them harmless from any of their basic security failures

by sidewndr46

5/19/2025 at 8:23:00 AM

Hosting drivers on mega.co.nz.

Totally fills you with confidence.

by razakel

5/19/2025 at 8:53:00 AM

I’ve seen other hardware companies that host firmware downloads for their products on Google Drive and some Chinese cloud drive. I don’t think doing that, nor Dropbox link, is different really from hosting it on Mega.

by codetrotter

5/19/2025 at 9:02:06 AM

Okay. It still doesn’t fill me with confidence.

by bolognafairy

5/19/2025 at 10:00:24 AM

Trust us, bro. We paid bottom dollar for this software.

by MathMonkeyMan

5/19/2025 at 9:07:06 AM

At least mega.co.nz is a file sharing name I recognise.

My keyboard's drivers are hosted on "egnyte.com"

by jeroenhd

5/19/2025 at 8:57:09 AM

“ It is also worth noting that I contacted Procolored support four times over the course of my testing, for help with figuring out the software and settings. Every single time, the agent requested multiple times that I allow them to connect remotely to my computer”

by djfergus

5/19/2025 at 11:28:36 AM

lol are procolored just a NK hacker unit or something ffs

by tough

5/19/2025 at 6:00:17 PM

If you distribute SHA256 or similar hashes through a secure mechanism, it seems OK to me.

by sidewndr46

5/19/2025 at 8:07:16 PM

Ah yes, it's totally secure for those 5 users who check the hash of the files they download.

by fph

5/19/2025 at 9:17:45 AM

There's nothing wrong with Mega

by Lammy

5/19/2025 at 9:31:14 AM

It implies that the company does not give a shit when they don’t even use their own web server.

by msh

5/19/2025 at 10:14:49 AM

The worst part is that setting up static web content hosting with something like an Azure blob store, or just a NGINX server somewhere is hilariously trivial.

This is an afternoon's effort for the junior intern, but was "too hard" for these people.

by jiggawatts

5/19/2025 at 1:05:21 PM

That costs money to maintain, even if it's just a few bucks a month. I've seen plenty of Chinese companies using mega/gdrive/etc just because it's free. I used to think it was just cheapness, but depending on the company it can be a huge hassle to set up recurring small bill items. At my current company for example, it's much easier to pay $5-10k once than pay $5/mo.

by eyegor

5/19/2025 at 2:59:11 PM

With Google Drive specifically, scale becomes an issue though. Once too many people download a given shared file, it gets flagged for possibly being a piracy operation. Not sure about MEGA, but they also have some limits (although for normal drivers this shouldn't be an issue).

by perching_aix

5/19/2025 at 2:28:27 PM

Nope azure blob storage hosting can be completely free

by moi2388

5/19/2025 at 3:14:46 PM

CDN? Cloud? What’s the obsession with running your own web server?

by barbazoo

5/19/2025 at 7:38:01 AM

What is it with printers and (pardon the pun) shady practices?

by HPsquared

5/19/2025 at 9:05:45 AM

There's only some printer companies. I'm using Epson inkjet and I never had any problems. Drivers are very good too.

by M95D

5/19/2025 at 10:32:09 AM

Their inktank line is quite scummy tbh…

Catch filter that can be trivially replaced in the field, firmware needs to be reset by an authorised repair center (yes there are workarounds but they aren’t official)

Also on windows their “drivers” install a ton of crap with them, even when you install the most basic version in their installer. When in fact they have go a driver which does exactly what it should and only installs a driver but then they don’t get that sweet spyware installed on your machine.

Never mind their network printer driver just failing to print half the time. Prints fine from my phone, on the same network right next to my PC but from my PC, FU.

Epson are not innocent in the chaos that is printers.

by jpc0

5/20/2025 at 5:11:57 AM

To be frank: every consumer printer "driver" installs bloat.

by stop50

5/19/2025 at 7:41:32 AM

diminishing market and margins call for extreme pressure to monitize whatever is left of the user base.

by gostsamo

5/19/2025 at 8:04:36 AM

These aren’t commodity office printers. They’re UV inkjets, which are used to print artwork onto objects and cost many thousands of dollars.

by bigfatkitten

5/19/2025 at 8:48:59 AM

So it sounds more like TDD (technobro driven development)

by raverbashing

5/19/2025 at 10:13:23 AM

No it's your average hardware vendor wanting to spend the smallest possible amount of money on software.

by Avamander

5/19/2025 at 9:04:13 AM

I assure you that “sneaking spyware into installers” predates “tech bros”

by bolognafairy

5/19/2025 at 8:04:55 AM

If Bitcoin wallets would be designed properly they would ask for a second confirmation before sending 100k USD.

This may be the main thing to fix here, as it's very plausible that hacks happen again and again... by design.

Today it's an infected printer, tomorrow it will be a game on Steam.

by rvnx

5/19/2025 at 9:26:08 AM

> This may be the main thing to fix here

It’s not, because that wasn’t the problem and would not have worked. For one, nothing indicates the $100K were extracted in one go, it looks like it was cumulative. For another, this malware isn’t directly sending coins, it’s just replacing addresses in your clipboard.

by latexr

5/19/2025 at 10:31:04 AM

Right, but the confirmation prompt could say something like,

"You're sending $100k to L33tHaX0R, are you sure?"

But that would require the protocol to also have the ability to set friendly names against public addresses.

You could imagine a wallet that uses certificates for address validation. So a certificate owner could sign that they own a given public key. ( And sign with the public key to show they own that key too. )

Then that could go into a "verified recipients" section of the wallet, and you could set your wallet to only allow sending to verified recipients. ( Or only allow transactions over X to verified ).

by xnorswap

5/19/2025 at 2:51:13 PM

>But that would require the protocol to also have the ability to set friendly names against public addresses.

Most crypto exchanges and merchants generate unique addresses per user/transaction, so this won't work. Moreover having a fixed address is bad for privacy because it makes it obvious what the recipient of a given transaction is.

by gruez

5/19/2025 at 10:37:59 AM

I don’t see how this prevents malware from changing the destination just before the transaction heads out. If it can change addresses, then it can change them at any point in the process, even after human verification.

by jagged-chisel

5/19/2025 at 11:19:13 AM

It doesn't stop specialized malware, but it stops clipjacking.

Security isn't an absolute. You're not trying to stop all vectors, you're just trying to put up a barrier to trip up by far the most common and easy method.

In a world where everyone leaves their doors open all day, you're asking "Why shut and lock your door when an attacker could just smash your windows?"

by xnorswap

5/19/2025 at 11:29:51 AM

on crypto you have also posioning address attacks (so using your clipboard to paste an addy is already a bad idea)

by tough

5/19/2025 at 12:28:50 PM

> But that would require the protocol to also have the ability to set friendly names against public addresses.

Which it doesn’t, and changing it to do so is not a realistic option. If we’re dreaming up anything, then my suggestion would instead be for no one to be dishonest, or for everyone’s basic needs to be met so they don’t need money and to speculate on cryptocurrencies. I’m pretty confident either of those would happen before every way people routinely get swindled off their cryptocurrencies is solved.

by latexr

5/19/2025 at 8:42:22 AM

Then the malware would provide that confirmation to the wallet too. Defending yourself from malware running on the same (Windows) machine is mostly impossible.

by cjbprime

5/19/2025 at 10:37:33 AM

That's a much harder attack to pull off. Windows actually does a decent job at preventing this kind of thing from being easily achievable.

Clipboard attacks are far easier, as most modern systems treat clipboard as a non-critical resource. Which is mind blowing if you ask me.

An app reading from clipboard must ring all sorts of alarms. Let alone writing to it.

by xnickb

5/19/2025 at 2:56:47 PM

>An app reading from clipboard must ring all sorts of alarms. Let alone writing to it.

You realize any sort of content editing app is going to be reading from clipboard? Most apps used on a daily basis are going to be reading from clipboard.

by gruez

5/19/2025 at 10:30:22 PM

Ok let me clarify:

- An app running in the background listening to clipboard changes;

- An app without a focused/visible window reading clipboard;

- An app reading from clipboard without a corresponding user input (menu/hotkey)

All these should be detectable and controlled by the OS

by xnickb

5/19/2025 at 8:23:38 AM

Steam already had a game with an infostealer a while ago. A pirate game.

But something like that would only be surprising if it was more than an obvious lazy asset flip.

by alpaca128

5/19/2025 at 8:55:33 AM

That kind of confirmation does exist, it’s called using a hardware wallet, such as those made by Trezor and others.

https://trezor.io/

The bigger question is, when they said:

> G Data's research showed that the Bitcoin address linked to SnipVex had received about 9.3 BTC, roughly $100,000

How big was the largest amount stolen?

It could be a few individuals with a lot of money in their unprotected software wallets, or it could be a lot of people with relatively smaller amounts stolen from each of them.

If you only have a couple hundred dollars worth of bitcoin and don’t intend to buy any more of it then it doesn’t make much sense to spend as much on a hardware wallet as those cost. But if you have like $500 of bitcoin then it starts to make more sense. Especially if you plan on buying more of it. And if you have over a $1,000 and are still using a software wallet you should really look into getting a hardware wallet ASAP IMHO.

by codetrotter

5/19/2025 at 8:41:31 AM

The malware doesn’t send all the content of the wallet to itself, it just replaces the recipient address in the clipboard (so you wouldn’t notice unless you checked the address). The 100k I think are cumulatively, though if it is 9btc, it’s more like 1m.

by cm2187

5/19/2025 at 2:47:27 PM

>If Bitcoin wallets would be designed properly they would ask for a second confirmation before sending 100k USD.

They already do? Here's a random screenshot I found:

https://user-images.githubusercontent.com/4597798/33999728-3...

the details are blacked out, but you can make out that it shows the address label along with the full addresse

by gruez

5/19/2025 at 9:01:16 AM

This should be relatively easy to implement.

by johnisgood

5/19/2025 at 9:07:21 AM

Somehow, I was expecting to be about HP.

by M95D

5/19/2025 at 10:17:25 AM

crazy to me that people are still writing malware in delphi

by whimsicalism

5/19/2025 at 7:29:34 AM

The printer company in question is: Procolored

by elmt35

5/19/2025 at 9:06:15 AM

Yup, that clickbait headline should be "Procolored served customers malware for months, dismissed it as false positives" instead.

by yccs27

5/19/2025 at 10:38:10 AM

But that only grabs the attention of people who own a relatively niche Procolored printer. This clickbait headline scares everyone with a printer into clicking.

Absolute shit state we are in.

by kevincox

5/19/2025 at 8:36:14 AM

[flagged]

by jbverschoor