ICMP = Internet Compromise Malware Protocol…the end is near!
Bear with me here as I admire the sheer elegance and simplicity of what this latest piece of malware uses as its covert back channel: ICMP. I know…nothing fancy, but that’s why I think its simplicity underscores the bigger problem we have in securing this messy mash-up of Internet connected chewy goodness.
When you think about it, even the dopiest of users knows that when they experience some sort of abnormal network access issue, they can just open their DOS (pun intended) command prompt and type "ping…" and then call the helpdesk when they don’t get the obligatory ‘pong’ response.
It’s a really useful little protocol. Good for all sorts of things like out-of-band notifications for network connectivity, unreachable services and even quenching of overly-anxious network hosts.
Network/security admins like it because it makes troubleshooting easy and it actually forms some of the glue and crutches that folks depend upon (unfortunately) to keep their networks running…
It’s had its fair share of negative press, sure. But who amongst us hasn’t? I mean, Smurfs are cute and cuddly, so how can you blame poor old ICMP for merely transporting them? Ping of Death? That’s just not nice! Nuke Attacks!? Floods!?
Really, now. Aren’t we being a bit harsh? Consider the utility of it all... here’s a great example:
When I used to go onsite for customer engagements, my webmail access/POP-3/IMAP and SMTP access was filtered. Outbound SSH and other types of port filtering were also usually blocked, but my old friend ICMP was always there for me… so I tunneled my mail over ICMP using Loki and it worked great... and it always worked because ICMP was ALWAYS open. Now, today’s IDS/IPS combos usually detect these sorts of tunnelling activities, so some of the fun is over.
The annoying thing is that there is really no reason why the entire range of ICMP types need to be open and it’s not that difficult to mitigate the risk, but people don’t because they officially belong to the LBNaSOAC (Lazy Bastard Network and Security Operators and Administrators Consortium.)
However, back to the topic @ hand. I was admiring the simplicity of this newly-found data-stealer trojan that installs itself as an Internet Exploder (IE) browser helper and ultimately captures keystrokes and screen images when accessing certain banking sites and communicates back to the criminal operators using ICMP and a basic XOR encryption scheme. You can read about it here.
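A defender-side triage check for the kind of back channel just described, added here as an example (not code from this post or from the analysis it links): it compares ICMP echo payloads against the stock ping payload layouts and flags odd sizes or high-entropy data of the sort a XOR-encoded keystroke or screen chunk would produce. The payload layouts, the size set, the entropy threshold, the XOR key 0x5A and every sample payload are assumptions constructed for the example.

```python
import math
from collections import Counter

# Stock ping payloads (assumption): Windows = 32-byte alphabet; iputils = timestamp then 0x10, 0x11, ...
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING = bytes(8) + bytes(range(0x10, 0x40))
COMMON_PING_SIZES = {32, 56, 64}   # sizes stock ping tools emit (assumption)
ENTROPY_ALERT_BITS = 3.5           # per-byte entropy alert threshold (assumption)

def xor_bytes(data: bytes, key: int) -> bytes:
    # Single-byte XOR, only to build a constructed sample like the post's payloads.
    return bytes(b ^ key for b in data)

def entropy_bits(data: bytes) -> float:
    # Shannon entropy in bits per byte; 0.0 for an empty payload.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def trailing_run_length(payload: bytes) -> int:
    # Length of the run of consecutively increasing bytes that ends the payload.
    run = 1 if payload else 0
    for i in range(len(payload) - 1, 0, -1):
        if payload[i] != (payload[i - 1] + 1) & 0xFF:
            break
        run += 1
    return run

def looks_like_standard_ping(payload: bytes) -> bool:
    return payload == WINDOWS_PING or trailing_run_length(payload) >= 16

def classify_payload(payload: bytes) -> str:
    # 'standard-ping': stock tool; 'non-standard': worth a look;
    # 'suspicious-covert-channel': odd size or high-entropy (encoded) data.
    if looks_like_standard_ping(payload):
        return "standard-ping"
    if entropy_bits(payload) >= ENTROPY_ALERT_BITS or len(payload) not in COMMON_PING_SIZES:
        return "suspicious-covert-channel"
    return "non-standard"

# Constructed samples standing in for echo payloads pulled from a packet capture.
SAMPLES = {
    "windows ping": WINDOWS_PING,
    "linux ping": LINUX_PING,
    "zero-filled ping -p 00": bytes(32),
    "xor'd keystroke chunk": xor_bytes(b"login=jdoe&pin=123456&site=bank", 0x5A),
    "screen-capture chunk": bytes(range(0, 256, 4)),
}

if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(f"{name:24} len={len(p):3} H={entropy_bits(p):.2f} -> {classify_payload(p)}")
```

Feed it the data portion of echo requests from a sensor or pcap; anything outside "standard-ping" from a host that should only ever run stock ping is worth pulling the full conversation for.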
It’s a cool design. Right, wrong or indifferent, you have to admire the creativity and ubiquity of the back channel… until, of course, you are compromised.
There are so many opportunities for the creative uses of taken-for-granted infrastructure and supporting communication protocols to suggest that this is going to be one hairy, protracted battle.
Submit your vote for the most "clever" use of common protocols/applications for this sort of thing…