Home > General Rants & Raves, Information Security, Malware, Security Breaches > ICMP = Internet Compromise Malware Protocol…the end is near!

ICMP = Internet Compromise Malware Protocol…the end is near!

Tinhat
Bear with me here as I admire the sheer elegance and simplicity of what this latest piece of malware uses as its covert back channel: ICMP.  I know…nothing fancy, but that’s why I think its simplicity underscores the bigger problem we have in securing this messy mash-up of Internet connected chewy goodness.

When you think about it, even the dopiest of users knows that when they experience some sort of abnormal network access issue, they can just open their DOS (pun intended) command prompt and type "ping…" and then call the helpdesk when they don’t get the obligatory ‘pong’ response.

It’s a really useful little protocol. Good for all sorts of things like out-of-band notifications for network connectivity, unreachable services and even quenching of overly-anxious network hosts. 

Network/security admins like it because it makes troubleshooting easy
and it actually forms some of the glue and crutches that folks depend
upon (unfortunately) to keep their networks running…

It’s had its fair share of negative press, sure. But who amongst us hasn’t?  I mean, Smurfs are cute and cuddly, so how can you blame poor old ICMP for merely transporting them?  Ping of Death?  That’s just not nice!  Nuke Attacks!?  Floods!?

Really, now.  Aren’t we being a bit harsh?  Consider the utility of it all..here’s a great example:

When I used to go onsite for customer engagements, my webmail access/POP-3/IMAP and SMTP access was filtered. Outbound SSH and other types of port filtering were also usually blocked but my old friend ICMP was always there for me…so I tunneled my mail over ICMP using Loki and it worked great..and it always worked because ICMP was ALWAYS open.  Now, today’s IDS/IPS combos usually detect these sorts of tunelling activities, so some of the fun is over.

The annoying thing is that there is really no reason why the entire range of ICMP types need to be open and it’s not that difficult to mitigate the risk, but people don’t because they officially belong to the LBNaSOAC (Lazy Bastard Network and Security Operators and Administrators Consortium.)

However, back to the topic @ hand.  I was admiring the simplicity of this newly-found data-stealer trojan that installs itself as an Internet Exploder (IE) browser helper and ultimately captures keystrokes and screen images when accessing certain banking sites and communicates back to the criminal operators using ICMP and a basic XOR encryption scheme.  You can read about it here.

It’s a cool design.  Right wrong or indifferent, you have to admire the creativity and ubiquity of the back channel…until, of course, you are compromised.

There are so many opportunities for the creative uses of taken-for-granted infrastructure and supporting communication protocols to suggest that this is going to be one hairy, protracted battle.

Submit your vote for the most "clever" use of common protocols/applications for this sort of thing…

Chris

  1. August 9th, 2006 at 12:09 | #1

    I See Message Pings

    Nice posting on the hidden perils of ICMP – the protocol that everyone uses at some point or other without actually knowing. You pinged a host? You used ICMP (well technically you sent an ICMP type 8 echo request message, but you get the point)
    I recal…

  2. August 9th, 2006 at 17:38 | #2

    Nice post Chris..
    I for one am a fan of tunneling over DNS ;)
    Not sure if IDS/IPS react the same way as to ICMP tunnels though, not having a wealth of experience with them. Do they reac the same way when tunneling over dns?

  3. August 9th, 2006 at 20:56 | #3

    Ah, DNS…another favorite, Christian, and a great illustration which is exactly why one should (at a minimum) implement split DNS (separating internal vs. external DNS connectivity.)
    I remember seeing Dan Kaminsky's DNS Tunneling demo (NSTX) he did @ Blackhat in '04 wherein he actually embedded audio chunks and had DNS servers cache audio!
    In terms of DNS tunneling detection, most IDP solutions today have DNS tunneling detection.
    Snort has threshold-limited DNS request signatures available and NBA(D) functionality shores that up today.
    Check out David Bianco's InfoSecPotpourri post on the matter: http://infosecpotpourri.blogspot.com/2006/05/traf
    Chris

  4. Cd0MaN
    August 16th, 2006 at 21:24 | #4

    I've got the feeling that this again is overhyped. When was the last time you been in a corporate environment where you were allowed to use ICMP, UDP or any other TCP port than 80, 443 or 21? Even my university doesn't allow other traffic. The author of this bot probably was trying to be too smart but shoot himself / herself in the foot. To get the widest possible audience HTTP / HTTPS is perfect (even more so if you take the connection settings from IE or directly host an IE COM object). So please stop running around and chanting "ICMP bad" and start beeing rational :).

  5. August 20th, 2006 at 18:48 | #5

    @Cd0MaN
    To your first point regarding port filtering allowances in Enterprises: TONS…at least 7 out of 10 SMB's I've ever encountered…large enterprises, not so much.
    Secondly, I'm not "…running around (and) chanting "ICMP bad"…if you didn't get it, I was being "sarcastic." Furthermore, I was just illustrating the fact that we take generic protocols for granted.
    Chris

  1. No trackbacks yet.